CN117896065B - Remote collaborative anti-leakage office system based on cloud server and kernel technology - Google Patents
Remote collaborative anti-leakage office system based on cloud server and kernel technology Download PDFInfo
- Publication number
- CN117896065B CN117896065B CN202410298215.XA CN202410298215A CN117896065B CN 117896065 B CN117896065 B CN 117896065B CN 202410298215 A CN202410298215 A CN 202410298215A CN 117896065 B CN117896065 B CN 117896065B
- Authority
- CN
- China
- Prior art keywords
- user
- key
- server
- function
- file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000005516 engineering process Methods 0.000 title claims abstract description 21
- 238000000034 method Methods 0.000 claims abstract description 171
- 230000008569 process Effects 0.000 claims abstract description 91
- 238000009795 derivation Methods 0.000 claims abstract description 16
- 238000012544 monitoring process Methods 0.000 claims abstract description 10
- 230000006870 function Effects 0.000 claims description 71
- 238000000605 extraction Methods 0.000 claims description 35
- 239000013598 vector Substances 0.000 claims description 15
- 238000004364 calculation method Methods 0.000 claims description 9
- 108020004999 messenger RNA Proteins 0.000 claims description 9
- 238000004422 calculation algorithm Methods 0.000 claims description 6
- 125000004122 cyclic group Chemical group 0.000 claims description 6
- 239000013307 optical fiber Substances 0.000 claims description 6
- 230000007480 spreading Effects 0.000 claims description 6
- 230000002265 prevention Effects 0.000 claims description 5
- 108091026890 Coding region Proteins 0.000 claims description 3
- 229910002056 binary alloy Inorganic materials 0.000 claims description 3
- 238000013507 mapping Methods 0.000 claims description 3
- 238000012795 verification Methods 0.000 claims description 3
- 230000000694 effects Effects 0.000 description 4
- 230000036962 time dependent Effects 0.000 description 4
- 230000009471 action Effects 0.000 description 3
- 238000005336 cracking Methods 0.000 description 3
- 230000004075 alteration Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Landscapes
- Storage Device Security (AREA)
Abstract
The invention belongs to the technical field of cooperative office, and particularly discloses a remote cooperative anti-leakage office system based on a cloud server and a kernel technology, wherein the system comprises: the system comprises a user management module, a service module, a user terminal module and a kernel driving module. The method uses an enhanced MD5 hash method to process unique identification IDs of the cloud server side and the user terminal, is used for encrypting configuration files and login accounts, has concealment, irreversibility and unique certainty, and protects account information of authorized users; generating a server public key and a server private key by using a key derivation function based on extraction-expansion, encrypting the user login information, and preventing the user login information from being leaked; and the kernel technology is used for monitoring the thread state and the file operation of the user, preventing the user from copying the shared file of the cloud server to the terminal, and optimizing file management.
Description
Technical Field
The invention relates to the technical field of collaborative office, in particular to a remote collaborative anti-leakage office system based on a cloud server and a kernel technology.
Background
Remote collaboration office systems provide centralized office tools that help team members collaborate on and share information at different locations and times. The traditional remote cooperative office system has the technical problems that the data security protection function is weaker, and sensitive data is easy to leak; the leakage-proof effect is relatively weak, and deep protection and protection cannot be provided; the method has the technical problems that the precaution awareness of the user is low, the file is easy to leak, and the file is easy to tamper maliciously.
Disclosure of Invention
Aiming at the problems that the security protection function of data is weak and sensitive data is easy to leak in the traditional technology, the invention uses an enhanced MD5 hash method to process unique identification IDs of a cloud server end and a user terminal for encrypting configuration files and login accounts, has the advantages of hiding property, irreversibility and unique certainty, reduces the risk of key cracking and protects account information of authorized users; aiming at the technical problems that the leakage prevention effect is relatively weak and deep protection and protection cannot be provided, the method and the device for generating the server public key and the server private key based on the extracted-expanded key derivation function are used for encrypting the user login information, so that the method and the device have better safety and randomness and prevent the user login information from being leaked; aiming at the technical problems that the precaution awareness of a user is low, file leakage and malicious file tampering are easy to cause, the kernel technology is used for monitoring the thread state and file operation of the user, the user is prevented from copying the shared file of the cloud server end to the terminal, the file service condition of staff is known, data leakage is prevented, and file management is optimized.
The technical scheme adopted by the invention is as follows: the invention provides a remote collaborative anti-leakage office system based on a cloud server and a kernel technology, which comprises a user management module, a service module, a user terminal module and a kernel driving module, wherein the user management module, the service module and the kernel driving module are arranged at a cloud server end;
The user management module generates a user ID and a configuration file for an authorized user, wherein the configuration file comprises a cloud server IP, a user ID of the authorized user, a login account, an account permission start time, an account permission end time and an account password, and processes a unique identification ID of the cloud server by using an enhanced MD5 hash method to obtain a configuration key and encrypts the configuration file by using the configuration key;
The service module stores the shared file, generates a server private key and a server public key, interacts with the user terminal module to realize verification of the authorized user, the authorized user verifies the encrypted request file after the user terminal module sends the encrypted request file, decrypts the encrypted request file by using the server private key to obtain a user key and a login account, inquires whether the login account is in the configuration file, refuses to request login if the login account is not in the configuration file, otherwise, checks whether the login account is between the account permission starting time and the account permission ending time, refuses to request login if the login account is not in the configuration file, otherwise, encrypts a user ID, the login account, the account permission starting time, the account permission ending time and the account password of the authorized user by using a user key to obtain an encrypted user structure, sends the encrypted user structure to a system disk of the user terminal module, and sends the shared file accessible by the authorized user to a data disk of the authorized user after the authorized user is successfully logged in;
The user terminal module comprises a data disc and a system disc, wherein the system disc stores a shared file and a unique identifier ID of the user terminal module, an authorized user inputs a cloud server IP and a login account number in the system disc, the system disc uses an enhanced MD5 hash method to process the unique identifier ID of the user terminal module to obtain a user key, the user key and the login account number are encrypted by a server public key to obtain an encryption request file, the encryption request file is sent to a service module to request login, after the request login is allowed, the system disc receives an encryption user structure sent by the service module, the user key is used for decrypting the encryption user structure to obtain a login account number and a password, the cloud server is logged in through mstscax.dll of Microsoft, and the data disc receives the shared file sent by the service module;
the kernel driving module monitors the thread state and file operation of the authorized user by using kernel technology, prevents the authorized user from copying the shared file of the cloud server end to a data disk of the user terminal module, and ensures that the thread state of the authorized user is normal.
The system disk in the user management module and the user terminal module processes the unique identifier ID by using an enhanced MD5 hash method to obtain a configuration key and a user key respectively, and the enhanced MD5 hash method specifically comprises the following steps:
step A1: converting the unique identifier ID into binary system to obtain a binary identifier;
Step A2: two base irreducible polynomials are defined and the values of the binary-identified base irreducible polynomials are calculated using the following formula:
,
,
In the formula, is AndIs a non-primitive polynomial of two different classes,Is a binary identification;
Step A3: is that AndCreating binary vectors v1 and v2 respectively;
Step A4: carrying out LFSR iteration for v1 and v2 for 64 times, storing carry of each iteration of v1 in a sequence vector s1, and storing carry of each iteration of v2 in a sequence vector s 2;
Step A5: performing exclusive OR operation on the sequence vector s1 and the sequence vector s2 to obtain an initial key, inputting the initial key into an initial list in DES, and generating a 64-bit intermediate key;
Step A6: generating an MRNA table for recording an mRNA coding sequence by using a Python programming tool, equally dividing the binary identification into blocks, carrying out exclusive OR operation on the binary identification and an intermediate key by each block with 64 bits, and carrying out coding comparison with the MRNA table to obtain a coding result;
Step A7: inputting the coding result into 4 registers of the MD5 algorithm for calculation, and solving the output of the 4 registers of the MD5 algorithm by adopting a fourth-order lattice-base tower method to obtain the identification key.
The service module generates a server public key by using an extraction-based key derivation method, and the extraction-based key derivation method specifically comprises the following steps:
Step B1: setting the length of a public key of a server, randomly selecting a public cyclic subgroup of an elliptic curve group on a finite field of prime numbers P, converting samples on the public cyclic subgroup into a binary form with a fixed length, and forming a sample set by all the samples converted into the binary form with the fixed length;
step B2: defining an extractor function as:
,
In the method, in the process of the invention, Is a function of the extractor and is a function of the extractor,Is an extraction function of the extraction of the extracted data,Is the extraction parameter of the sample,Is a fixed length of the sample in binary form,AndIs a set non-negative integer;
Step B3: inputting the sample set into an extraction function to obtain an initial set, and calculating a statistical distance by using the following formula:
,
In the method, in the process of the invention, Is an element of the initial set and,Is satisfied withIs a combination of the elements of (1),Is the set server public key length,Is thatAndThe distance is counted and the distance is calculated,Is a random finite set of the sets,Is thatIn the presence of an element of the group,Is to satisfy the conditionIs a function of the probability of (1),Is to satisfy the conditionProbability of (2);
Step B4: the security parameters were calculated using the following formula:
,
In the method, in the process of the invention, Is a safety parameter, which is a safety parameter,Is the size of the extraction set and,Is to extract and collect asTime of dayIs used as a reference to the value of (a),Is the size of the sample set and,Is a safe parameter acquisitionThe corresponding intermediate parameter is used for the time-dependent control of the time-,Is a natural number set;
step B5: outputting the meeting condition in the initial set As an extraction set;
Step B6: defining a mapping function as:
,
In the method, in the process of the invention, Is a logical judgment of the fact that,Is an exclusive-or operation,Is a safety parameter ofThe corresponding intermediate parameter is used for the time-dependent control of the time-,Is the element of the extraction set,Is the first in the extraction setAn element;
Step B7: if the set server public key length is greater than And (3) withIf the product of (2) is the error signal, re-executing step B1, otherwise, calculating the extraction key by the formula:
,
In the method, in the process of the invention, Is to extract the key;
step B8: the extracted key is taken as the server public key.
The service module generates a server private key by using an extended key derivation method, and the extended key derivation method specifically comprises the following steps:
step C1: setting the length of a server private key, and defining a pseudo-random expansion function according to ButterKnife frameworks as follows:
,
In the method, in the process of the invention, Is a function of a pseudo-random spread,Is a fixed length in binary form,,Is the expansion coefficient of the optical fiber, and is the expansion coefficient of the optical fiber,;
Step C2: the extraction key and the unique identification ID of the server are input into a pseudo-random expansion function to obtain an expansion set, and the following formula is adopted:
,
In the method, in the process of the invention, Is a unique identification ID of the server,Is an extended set;
Step C3: calculation of The formula used is as follows:
,
In the method, in the process of the invention, Is thatIs used to determine the number of final iterations of the system,The set server private key length;
step C4: calculation of The formula used is as follows:
,
In the method, in the process of the invention, Is thatIs used to determine the number of final iterations of the system,Is the expansion coefficientIs multiplied by the final iteration number of (a);
Step C5: will extract the key Is input into a pseudo-random spreading function for spreading,Is toIterating, andAndExclusive or operation result of (a)The OR operation is performed by using the following formula:
,
In the method, in the process of the invention, Is to extract keyThe result of the expansion;
Step C6: for a pair of AndIterating, repeatedly executing the step C5 until the condition is metWhen (when)And is also provided withWhen the pseudo-random expansion function outputs the result as;
Step C7: the expansion key is calculated using the following formula:
,
In the method, in the process of the invention, Is an extended key;
step C8: the extended key is used as a server private key.
The kernel driver module monitors the thread state and file operation of an authorized user by using a method for constructing a kernel driver based on Microsoft MINIFILTER, and the method for constructing the kernel driver based on Microsoft MINIFILTER specifically comprises the following steps:
Step D1: generating a process monitoring document by utilizing PsSetCreateProcessNotifyRoutine kernel functions, wherein the process monitoring document comprises a process ID and a user ID of a process, and grouping the process IDs according to the user IDs of authorized users to form a user process group;
step D2: when an authorized user uses the clipboard to carry out pasting operation, a GetClipboardOwner system function is utilized to obtain a source window handle of pasting content of the clipboard, if the source window handle is empty, the clipboard is emptied, otherwise, a function GetWindowThreadProcessId is utilized to obtain a process ID of the source window handle, and if the process ID of the source window handle exists in a user process group, the clipboard is forbidden to be emptied;
Step D3: checking GetClipboardOwner whether the system function is hung on an INLINE hook, acquiring a memory address of the GetClipboardOwner system function in a process by using a thread, checking whether the memory address starts with 0xE9, if so, hanging the GetClipboardOwner system function on the INLINE hook, and automatically stopping the process, otherwise, not hanging the GetClipboardOwner system function on the INLINE hook;
step D4: acquiring the initial address start of the memory address of the process and the code length len of the system function of c\windows\systems 32\Kernel32.Dll and User32.Dll, then finding the address value addr of the process, if the initial address start < address value addr < initial address start+code length len is met, the GetClipboardOwner system function is not hung on an INLINE hook, otherwise, the GetClipboardOwner system function is hung on an INLINE hook, and automatically stopping the process.
By adopting the scheme, the beneficial effects obtained by the invention are as follows:
(1) Aiming at the technical problems that the data security protection function is weaker and sensitive data leakage is easy to cause in the traditional technology, the invention uses an enhanced MD5 hash method to process unique identification IDs of a cloud server side and a user terminal, is used for encrypting configuration files and login accounts, has the advantages of hiding property, irreversibility and unique certainty, reduces the risk of key cracking, and protects account information of authorized users;
(2) Aiming at the technical problems that the leakage prevention effect is relatively weak and deep protection and protection cannot be provided, the method and the device for generating the server public key and the server private key based on the extracted-expanded key derivation function are used for encrypting the user login information, so that the method and the device have better safety and randomness and prevent the user login information from being leaked;
(3) Aiming at the technical problems that the precaution awareness of a user is low, file leakage and malicious file tampering are easy to cause, the kernel technology is used for monitoring the thread state and file operation of the user, the user is prevented from copying the shared file of the cloud server end to the terminal, the file service condition of staff is known, data leakage is prevented, and file management is optimized.
Drawings
Fig. 1 is a module connection diagram of a remote collaborative anti-leakage office system based on cloud server and kernel technology.
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the invention; all other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Embodiment one: referring to fig. 1, the embodiment provides a remote collaborative anti-leakage office system based on a cloud server and a kernel technology, where the remote collaborative anti-leakage office system based on the cloud server and the kernel technology includes a user management module, a service module, a user terminal module and a kernel driving module, and the user management module, the service module and the kernel driving module are set at a cloud server end;
The user management module generates a user ID and a configuration file for an authorized user, wherein the configuration file comprises a cloud server IP, a user ID of the authorized user, a login account, an account permission start time, an account permission end time and an account password, and processes a unique identification ID of the cloud server by using an enhanced MD5 hash method to obtain a configuration key and encrypts the configuration file by using the configuration key;
The service module stores the shared file, generates a server private key and a server public key, interacts with the user terminal module to realize verification of the authorized user, the authorized user verifies the encrypted request file after the user terminal module sends the encrypted request file, decrypts the encrypted request file by using the server private key to obtain a user key and a login account, inquires whether the login account is in the configuration file, refuses to request login if the login account is not in the configuration file, otherwise, checks whether the login account is between the account permission starting time and the account permission ending time, refuses to request login if the login account is not in the configuration file, otherwise, encrypts a user ID, the login account, the account permission starting time, the account permission ending time and the account password of the authorized user by using a user key to obtain an encrypted user structure, sends the encrypted user structure to a system disk of the user terminal module, and sends the shared file accessible by the authorized user to a data disk of the authorized user after the authorized user is successfully logged in;
The user terminal module comprises a data disc and a system disc, wherein the system disc stores a shared file and a unique identifier ID of the user terminal module, an authorized user inputs a cloud server IP and a login account number in the system disc, the system disc uses an enhanced MD5 hash method to process the unique identifier ID of the user terminal module to obtain a user key, the user key and the login account number are encrypted by a server public key to obtain an encryption request file, the encryption request file is sent to a service module to request login, after the request login is allowed, the system disc receives an encryption user structure sent by the service module, the user key is used for decrypting the encryption user structure to obtain a login account number and a password, the cloud server is logged in through mstscax.dll of Microsoft, and the data disc receives the shared file sent by the service module;
the kernel driving module monitors the thread state and file operation of the authorized user by using kernel technology, prevents the authorized user from copying the shared file of the cloud server end to a data disk of the user terminal module, and ensures that the thread state of the authorized user is normal.
Embodiment two: referring to fig. 1, the embodiment is based on the above embodiment, and the system disk in the user management module and the user terminal module processes the unique ID by using an enhanced MD5 hash method to obtain a configuration key and a user key, where the enhanced MD5 hash method specifically includes the following steps:
step A1: converting the unique identifier ID into binary system to obtain a binary identifier;
Step A2: two base irreducible polynomials are defined and the values of the binary-identified base irreducible polynomials are calculated using the following formula:
,
,
In the formula, is AndIs a non-primitive polynomial of two different classes,Is a binary identification;
Step A3: is that AndCreating binary vectors v1 and v2 respectively;
Step A4: carrying out LFSR iteration for v1 and v2 for 64 times, storing carry of each iteration of v1 in a sequence vector s1, and storing carry of each iteration of v2 in a sequence vector s 2;
Step A5: performing exclusive OR operation on the sequence vector s1 and the sequence vector s2 to obtain an initial key, inputting the initial key into an initial list in DES, and generating a 64-bit intermediate key;
Step A6: generating an MRNA table for recording an mRNA coding sequence by using a Python programming tool, equally dividing the binary identification into blocks, carrying out exclusive OR operation on the binary identification and an intermediate key by each block with 64 bits, and carrying out coding comparison with the MRNA table to obtain a coding result;
Step A7: inputting the coding result into 4 registers of the MD5 algorithm for calculation, and solving the output of the 4 registers of the MD5 algorithm by adopting a fourth-order lattice-base tower method to obtain the identification key.
Through the operation, aiming at the technical problems that the security protection function of the data is weaker and sensitive data is easy to leak in the traditional technology, the method uses an enhanced MD5 hash method to process unique identification IDs of a cloud server side and a user terminal, is used for encrypting configuration files and login accounts, has the advantages of hiding property, irreversibility and unique certainty, reduces the risk of key cracking, and protects account information of authorized users.
An embodiment III, referring to FIG. 1, is based on the foregoing embodiment, and the service module generates a server public key by using an extraction-based key derivation method, where the extraction-based key derivation method specifically includes the following steps:
Step B1: setting the length of a public key of a server, randomly selecting a public cyclic subgroup of an elliptic curve group on a finite field of prime numbers P, converting samples on the public cyclic subgroup into a binary form with a fixed length, and forming a sample set by all the samples converted into the binary form with the fixed length;
step B2: defining an extractor function as:
,
In the method, in the process of the invention, Is a function of the extractor and is a function of the extractor,Is an extraction function of the extraction of the extracted data,Is the extraction parameter of the sample,Is a fixed length of the sample in binary form,AndIs a set non-negative integer;
Step B3: inputting the sample set into an extraction function to obtain an initial set, and calculating a statistical distance by using the following formula:
,
In the method, in the process of the invention, Is an element of the initial set and,Is satisfied withIs a combination of the elements of (1),Is the set server public key length,Is thatAndThe distance is counted and the distance is calculated,Is a random finite set of the sets,Is thatIn the presence of an element of the group,Is to satisfy the conditionIs a function of the probability of (1),Is to satisfy the conditionProbability of (2);
Step B4: the security parameters were calculated using the following formula:
,
In the method, in the process of the invention, Is a safety parameter, which is a safety parameter,Is the size of the extraction set and,Is to extract and collect asTime of dayIs used as a reference to the value of (a),Is the size of the sample set and,Is a safe parameter acquisitionThe corresponding intermediate parameter is used for the time-dependent control of the time-,Is a natural number set;
step B5: outputting the meeting condition in the initial set As an extraction set;
Step B6: defining a mapping function as:
,
In the method, in the process of the invention, Is a logical judgment of the fact that,Is an exclusive-or operation,Is a safety parameter ofThe corresponding intermediate parameter is used for the time-dependent control of the time-,Is the element of the extraction set,Is the first in the extraction setAn element;
Step B7: if the set server public key length is greater than And (3) withIf the product of (2) is the error signal, re-executing step B1, otherwise, calculating the extraction key by the formula:
,
In the method, in the process of the invention, Is to extract the key;
step B8: the extracted key is taken as the server public key.
Fourth embodiment, referring to fig. 1, the embodiment is based on the above embodiment, where the service module generates a server private key by using an extended key derivation method, and the extended key derivation method specifically includes the following steps:
step C1: setting the length of a server private key, and defining a pseudo-random expansion function according to ButterKnife frameworks as follows:
,
In the method, in the process of the invention, Is a function of a pseudo-random spread,Is a fixed length in binary form,,Is the expansion coefficient of the optical fiber, and is the expansion coefficient of the optical fiber,;
Step C2: the extraction key and the unique identification ID of the server are input into a pseudo-random expansion function to obtain an expansion set, and the following formula is adopted:
,
In the method, in the process of the invention, Is a unique identification ID of the server,Is an extended set;
Step C3: calculation of The formula used is as follows:
,
In the method, in the process of the invention, Is thatIs used to determine the number of final iterations of the system,The set server private key length;
step C4: calculation of The formula used is as follows:
,
In the method, in the process of the invention, Is thatIs used to determine the number of final iterations of the system,Is the expansion coefficientIs multiplied by the final iteration number of (a);
Step C5: will extract the key Is input into a pseudo-random spreading function for spreading,Is toIterating, andAndExclusive or operation result of (a)The OR operation is performed by using the following formula:
,
In the method, in the process of the invention, Is to extract keyThe result of the expansion;
Step C6: for a pair of AndIterating, repeatedly executing the step C5 until the condition is metWhen (when)And is also provided withWhen the pseudo-random expansion function outputs the result as;
Step C7: the expansion key is calculated using the following formula:
,
In the method, in the process of the invention, Is an extended key;
step C8: the extended key is used as a server private key.
Through the operation, aiming at the technical problems that the leakage prevention effect is relatively weak and deep protection and protection cannot be provided, the method and the device for generating the server public key and the server private key based on the extracted-expanded key derivation function are used for encrypting the user login information, have better safety and randomness, and prevent the user login information from being leaked.
An embodiment five, referring to fig. 1, based on the foregoing embodiment, the kernel driver module uses a method for constructing a kernel driver based on microsoft MINIFILTER to monitor a thread state and a file operation of an authorized user, where the method for constructing a kernel driver based on microsoft MINIFILTER specifically includes the following steps:
Step D1: generating a process monitoring document by utilizing PsSetCreateProcessNotifyRoutine kernel functions, wherein the process monitoring document comprises a process ID and a user ID of a process, and grouping the process IDs according to the user IDs of authorized users to form a user process group;
step D2: when an authorized user uses the clipboard to carry out pasting operation, a GetClipboardOwner system function is utilized to obtain a source window handle of pasting content of the clipboard, if the source window handle is empty, the clipboard is emptied, otherwise, a function GetWindowThreadProcessId is utilized to obtain a process ID of the source window handle, and if the process ID of the source window handle exists in a user process group, the clipboard is forbidden to be emptied;
Step D3: checking GetClipboardOwner whether the system function is hung on an INLINE hook, acquiring a memory address of the GetClipboardOwner system function in a process by using a thread, checking whether the memory address starts with 0xE9, if so, hanging the GetClipboardOwner system function on the INLINE hook, and automatically stopping the process, otherwise, not hanging the GetClipboardOwner system function on the INLINE hook;
step D4: acquiring the initial address start of the memory address of the process and the code length len of the system function of c\windows\systems 32\Kernel32.Dll and User32.Dll, then finding the address value addr of the process, if the initial address start < address value addr < initial address start+code length len is met, the GetClipboardOwner system function is not hung on an INLINE hook, otherwise, the GetClipboardOwner system function is hung on an INLINE hook, and automatically stopping the process.
Through the operation, aiming at the technical problems that the precaution awareness of the user is low, the file leakage is easy to cause and the file is maliciously tampered, the kernel technology is used for monitoring the thread state and the file operation of the user, the user is prevented from copying the shared file of the cloud server to the terminal, the file service condition of staff is known, the data leakage is prevented, and the file management is optimized.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
The invention and its embodiments have been described above with no limitation, and the actual construction is not limited to the embodiments of the invention as shown in the drawings. In summary, if one of ordinary skill in the art is informed by this disclosure, a structural manner and an embodiment similar to the technical solution should not be creatively devised without departing from the gist of the present invention.
Claims (4)
1. The remote cooperative anti-leakage office system based on the cloud server and the kernel technology is characterized by comprising a user management module, a service module, a user terminal module and a kernel driving module, wherein the user management module, the service module and the kernel driving module are arranged at a cloud server end;
The user management module generates a user ID and a configuration file for an authorized user, wherein the configuration file comprises a cloud server IP, a user ID of the authorized user, a login account, an account permission start time, an account permission end time and an account password, and processes a unique identification ID of the cloud server by using an enhanced MD5 hash method to obtain a configuration key and encrypts the configuration file by using the configuration key;
The service module stores the shared file, generates a server private key and a server public key, interacts with the user terminal module to realize verification of the authorized user, the authorized user verifies the encrypted request file after the user terminal module sends the encrypted request file, decrypts the encrypted request file by using the server private key to obtain a user key and a login account, inquires whether the login account is in the configuration file, refuses to request login if the login account is not in the configuration file, otherwise, checks whether the login account is between the account permission starting time and the account permission ending time, refuses to request login if the login account is not in the configuration file, otherwise, encrypts a user ID, the login account, the account permission starting time, the account permission ending time and the account password of the authorized user by using a user key to obtain an encrypted user structure, sends the encrypted user structure to a system disk of the user terminal module, and sends the shared file accessible by the authorized user to a data disk of the authorized user after the authorized user is successfully logged in;
The user terminal module comprises a data disc and a system disc, wherein the system disc stores a shared file and a unique identifier ID of the user terminal module, an authorized user inputs a cloud server IP and a login account number in the system disc, the system disc uses an enhanced MD5 hash method to process the unique identifier ID of the user terminal module to obtain a user key, the user key and the login account number are encrypted by a server public key to obtain an encryption request file, the encryption request file is sent to a service module to request login, after the request login is allowed, the system disc receives an encryption user structure sent by the service module, the user key is used for decrypting the encryption user structure to obtain a login account number and a password, the cloud server is logged in through mstscax.dll of Microsoft, and the data disc receives the shared file sent by the service module;
The kernel driving module monitors the thread state and file operation of the authorized user by using a method for constructing the kernel driving based on Microsoft MINIFILTER, prevents the authorized user from copying the shared file of the cloud server end to a data disk of the user terminal module, ensures the normal thread state of the authorized user, and specifically comprises the following steps of:
Step D1: generating a process monitoring document by utilizing PsSetCreateProcessNotifyRoutine kernel functions, wherein the process monitoring document comprises a process ID and a user ID of a process, and grouping the process IDs according to the user IDs of authorized users to form a user process group;
step D2: when an authorized user uses the clipboard to carry out pasting operation, a GetClipboardOwner system function is utilized to obtain a source window handle of pasting content of the clipboard, if the source window handle is empty, the clipboard is emptied, otherwise, a function GetWindowThreadProcessId is utilized to obtain a process ID of the source window handle, and if the process ID of the source window handle exists in a user process group, the clipboard is forbidden to be emptied;
Step D3: checking GetClipboardOwner whether the system function is hung on an INLINE hook, acquiring a memory address of the GetClipboardOwner system function in a process by using a thread, checking whether the memory address starts with 0xE9, if so, hanging the GetClipboardOwner system function on the INLINE hook, and automatically stopping the process, otherwise, not hanging the GetClipboardOwner system function on the INLINE hook;
step D4: acquiring the initial address start of the memory address of the process and the code length len of the system function of c\windows\systems 32\Kernel32.Dll and User32.Dll, then finding the address value addr of the process, if the initial address start < address value addr < initial address start+code length len is met, the GetClipboardOwner system function is not hung on an INLINE hook, otherwise, the GetClipboardOwner system function is hung on an INLINE hook, and automatically stopping the process.
2. The remote collaborative leak-proof office system based on cloud server and kernel technology according to claim 1, wherein the system disk in the user management module and the user terminal module processes the unique identification ID by using an enhanced MD5 hash method to obtain a configuration key and a user key, respectively, the enhanced MD5 hash method specifically comprises the following steps:
step A1: converting the unique identifier ID into binary system to obtain a binary identifier;
Step A2: two base irreducible polynomials are defined and the values of the binary-identified base irreducible polynomials are calculated using the following formula:
,
,
In the method, in the process of the invention, And/>Is a non-reduced polynomial of two different bases,/>Is a binary identification;
Step A3: is that And/>Creating binary vectors v1 and v2 respectively;
Step A4: carrying out LFSR iteration for v1 and v2 for 64 times, storing carry of each iteration of v1 in a sequence vector s1, and storing carry of each iteration of v2 in a sequence vector s 2;
Step A5: performing exclusive OR operation on the sequence vector s1 and the sequence vector s2 to obtain an initial key, inputting the initial key into an initial list in DES, and generating a 64-bit intermediate key;
Step A6: generating an MRNA table for recording an mRNA coding sequence by using a Python programming tool, equally dividing the binary identification into blocks, carrying out exclusive OR operation on the binary identification and an intermediate key by each block with 64 bits, and carrying out coding comparison with the MRNA table to obtain a coding result;
Step A7: inputting the coding result into 4 registers of the MD5 algorithm for calculation, and solving the output of the 4 registers of the MD5 algorithm by adopting a fourth-order lattice-base tower method to obtain the identification key.
3. The remote collaborative leakage prevention office system based on cloud server and kernel technology according to claim 2, wherein the service module generates a server public key using an extraction-based key derivation method, the extraction-based key derivation method specifically comprising the steps of:
Step B1: setting the length of a public key of a server, randomly selecting a public cyclic subgroup of an elliptic curve group on a finite field of prime numbers P, converting samples on the public cyclic subgroup into a binary form with a fixed length, and forming a sample set by all the samples converted into the binary form with the fixed length;
step B2: defining an extractor function as:
,
In the method, in the process of the invention, Is an extractor function,/>Is an extraction function,/>Is an extraction parameter,/>Is a fixed length of a sample in binary form,/>And/>Is a set non-negative integer;
Step B3: inputting the sample set into an extraction function to obtain an initial set, and calculating a statistical distance by using the following formula:
,
In the method, in the process of the invention, Is an element in the initial set,/>Is to satisfy/>Element of/>Is the set server public key length,Is/>And/>Statistical distance,/>Is a random finite set,/>Is/>Element in/>Is to satisfy the conditionProbability of/>Is to satisfy the condition/>Probability of (2);
Step B4: the security parameters were calculated using the following formula:
,
In the method, in the process of the invention, Is a security parameter,/>Is the size of the extraction set,/>Is to extract the aggregate as/>Time/>Value of/>Is the size of the sample set,/>Is the security parameter fetch/>Intermediate parameters corresponding to time/>Is a natural number set;
step B5: outputting the meeting condition in the initial set As an extraction set;
Step B6: defining a mapping function as:
,
In the method, in the process of the invention, Is a logical judgment,/>Is an exclusive-or operation,/>Is a security parameter of/>Intermediate parameters corresponding to time/>Is an element of the extraction set,/>Is the/>, in the extraction setAn element;
Step B7: if the set server public key length is greater than And/>If the product of (2) is the error signal, re-executing step B1, otherwise, calculating the extraction key by the formula:
,
In the method, in the process of the invention, Is to extract the key;
step B8: the extracted key is taken as the server public key.
4. The remote collaborative leakage prevention office system based on cloud server and kernel technology according to claim 3, wherein the service module generates a server private key using an extended key derivation method, the extended key derivation method comprising the steps of:
step C1: setting the length of a server private key, and defining a pseudo-random expansion function according to ButterKnife frameworks as follows:
,
In the method, in the process of the invention, Is a pseudo-random spread function,/>Is a fixed length in binary form,/>,/>Is the expansion coefficient of the optical fiber, and is the expansion coefficient of the optical fiber,;
Step C2: the extraction key and the unique identification ID of the server are input into a pseudo-random expansion function to obtain an expansion set, and the following formula is adopted:
,
In the method, in the process of the invention, Is the unique identification ID of the server,/>Is an extended set;
Step C3: calculation of The formula used is as follows:
,
In the method, in the process of the invention, Is/>Final iteration number of,/>The set server private key length;
step C4: calculation of The formula used is as follows:
,
In the method, in the process of the invention, Is/>Final iteration number of,/>Is the expansion coefficient and/>Is multiplied by the final iteration number of (a);
Step C5: will extract the key Is input into a pseudo-random spreading function for spreading,Is pair/>Iterating, will/>And/>Exclusive or operation result of/>The OR operation is performed by using the following formula:
,
In the method, in the process of the invention, Is to extract key and/>The result of the expansion;
Step C6: for a pair of And/>Iterating, and repeatedly executing the step C5 until the condition/>When/>And/>When the pseudo-random expansion function outputs the result as/>;
Step C7: the expansion key is calculated using the following formula:
,
In the method, in the process of the invention, Is an extended key;
step C8: the extended key is used as a server private key.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410298215.XA CN117896065B (en) | 2024-03-15 | 2024-03-15 | Remote collaborative anti-leakage office system based on cloud server and kernel technology |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410298215.XA CN117896065B (en) | 2024-03-15 | 2024-03-15 | Remote collaborative anti-leakage office system based on cloud server and kernel technology |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117896065A CN117896065A (en) | 2024-04-16 |
| CN117896065B true CN117896065B (en) | 2024-05-10 |
Family
ID=90647663
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410298215.XA Active CN117896065B (en) | 2024-03-15 | 2024-03-15 | Remote collaborative anti-leakage office system based on cloud server and kernel technology |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117896065B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20110035573A (en) * | 2009-09-30 | 2011-04-06 | 주식회사 케이티 | Method for providing safety of virtual machine installation in cloud computing environment |
| CN103685334A (en) * | 2012-09-03 | 2014-03-26 | 许丰 | Intelligent application browser |
| CN106326699A (en) * | 2016-08-25 | 2017-01-11 | 广东七洲科技股份有限公司 | Method for reinforcing server based on file access control and progress access control |
-
2024
- 2024-03-15 CN CN202410298215.XA patent/CN117896065B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20110035573A (en) * | 2009-09-30 | 2011-04-06 | 주식회사 케이티 | Method for providing safety of virtual machine installation in cloud computing environment |
| CN103685334A (en) * | 2012-09-03 | 2014-03-26 | 许丰 | Intelligent application browser |
| CN106326699A (en) * | 2016-08-25 | 2017-01-11 | 广东七洲科技股份有限公司 | Method for reinforcing server based on file access control and progress access control |
Non-Patent Citations (3)
| Title |
|---|
| Docker镜像安全及运行异常检测研究与应用;栗晓晗;《中国优秀硕士学位论文全文数据库信息科技辑》;20240215(第2期);I138-220 * |
| Reduced file hash foot prints for optimized deduplication in cloud platforms;Jyothirmai, M等;《Journal of Theoretical and Applied Information Technology》;20160420;第86卷(第2期);第232-239页 * |
| 张惠娟,翟鸿鸣,周利华.实时协同的调度算法研究.《计算机工程与设计》.2004,全文. * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117896065A (en) | 2024-04-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP7295068B2 (en) | Federated key management | |
| KR101974060B1 (en) | Method and system for validating ownership of digital assets using distributed hash tables and peer-to-peer distributed decoys | |
| CN108737442B (en) | A kind of cryptographic check processing method | |
| US9847880B2 (en) | Techniques for ensuring authentication and integrity of communications | |
| US6950523B1 (en) | Secure storage of private keys | |
| CN102426640B (en) | For the fail-safe software product identifiers of Product Validation and activation | |
| CN109766979B (en) | Two-dimensional code generation method, verification method and device | |
| CN109361668A (en) | A kind of data trusted transmission method | |
| CN105024803B (en) | Behavior fingerprint in white box realization | |
| US7395551B2 (en) | Method and apparatus for managing software use | |
| WO2019019887A1 (en) | Server authentication method, apparatus and system for terminal access, server and computer readable storage medium | |
| JP2005537559A (en) | Secure record of transactions | |
| CN103460195A (en) | System and method for secure software update | |
| US20180204004A1 (en) | Authentication method and apparatus for reinforced software | |
| JP2014072843A (en) | One-time password device, system and program | |
| US20140157368A1 (en) | Software authentication | |
| CN112257093B (en) | Authentication method, terminal and storage medium for data object | |
| CN110659457B (en) | Application authorization verification method and device and client | |
| US11546159B2 (en) | Long-lasting refresh tokens in self-contained format | |
| CN110572396A (en) | method and system for controlling function use authorization | |
| CN108933766B (en) | Method and client for improving equipment ID security | |
| WO2013079893A1 (en) | User access control based on a graphical signature | |
| CN110890979B (en) | Automatic deployment method, device, equipment and medium for fort machine | |
| CN117896065B (en) | Remote collaborative anti-leakage office system based on cloud server and kernel technology | |
| CN104392153A (en) | Software protection method and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |