CN1219260C - Method for controlling storage and access of security file system - Google Patents


Info

Publication number
CN1219260C
Authority
CN
China
Prior art keywords
file
algorithm
encryption
file system
identifier
Prior art date
Legal status
Expired - Fee Related
Application number
CN 03135740
Other languages
Chinese (zh)
Other versions
CN1567255A (en)
Inventor
李涛
Current Assignee
Chengdu century summit Technology Co., Ltd.
Original Assignee
Sichuan University
Priority date
Filing date
Publication date
Application filed by Sichuan University
Priority to CN 03135740
Publication of CN1567255A
Application granted
Publication of CN1219260C
Anticipated expiration
Current legal status: Expired - Fee Related

Abstract

The present invention provides a method for controlling the storage and access of a secure file system, in the field of computer file systems and information security. It is characterised by applying digital signature and encryption techniques to the file system: files are digitally signed and their originality is checked, which prevents tampering; according to the security level required for storage, files are encrypted with different encryption algorithms and encryption strengths, which prevents information leakage when files are stolen; and identity authentication and permission control are applied to file access. The invention can be widely used in the file systems of party, government and army organisations, enterprises, institutions and schools. It satisfies the requirements of information security, confidentiality, integrity and authoritativeness and has wide application prospects.

Description

Storage and access control method for a secure file system
Technical field
The present invention proposes an originality discrimination, encrypted storage and access control method for files of any type. It relates to computer file systems and information security technology. It provides originality discrimination, encrypted storage and access control for files, prevents information from being stolen, illegally tampered with or accessed without authorisation, and guarantees the security, confidentiality, integrity and authoritativeness of the file system.
Background art
Traditional file systems do not support file originality discrimination, so it cannot be confirmed whether a file has been tampered with. Once a file system has been broken into by a hacker, the hacker can tamper with documents at will; the server file system cannot detect this, and the wrong file may be served to users, causing harm. The file originality discrimination technique of the present invention guarantees the originality, integrity and non-repudiation of file content, stops the harmful effects of a hacker illegally altering a file, and guarantees the integrity and authoritativeness of the file system.
At the same time, files stored in a traditional file system are not encrypted. If a hacker breaks into the file system and steals files, all of the information on the server can be obtained, causing information leakage that seriously threatens the social and economic interests of the departments concerned. The file encryption storage technique of the present invention encrypts information with different cryptographic algorithms and encryption strengths according to its security level, so that even if a hacker attacks, what is obtained is encrypted information from which nothing useful can be extracted, which guarantees the security and confidentiality of the information.
In addition, traditional file systems do not perform strict identity authentication and access-right control on file access, so unauthorised access by users occurs easily. The file access control method of the present invention performs strict identity authentication and verifies the access rights of each user request; only if a user's request passes file access control does the file system respond to it.
Chinese patent publication CN1263305A describes a digital data server that identifies the user's identity and, according to the result, provides an encrypted digital data file to that user. Its shortcoming is that it does not combine digital signature technology with encryption, so it cannot solve the problem of file tampering; it is not suited to the security requirements of file systems in general, and its range of application is narrow.
Overall, the present invention uses digital signature technology to discriminate the originality of files, preventing them from being tampered with during storage and guaranteeing their integrity and authoritativeness; files stored on the server are encrypted for storage according to their security classification, preventing information leakage through file theft; and in access control the user is first strictly authenticated, then the access right is verified, and for a legitimate request the server decrypts the requested file and sends it to the legitimate user. The present invention can be widely used in building the server file systems of party, government and army offices, enterprises, institutions and schools, meets their requirements for information security, confidentiality, integrity and authoritativeness, and has broad application prospects.
Summary of the invention
The secure file system of the present invention is built entirely on a traditional file system: its file layout on disk, its I/O methods and its logical file organisation are identical to those of a traditional file system and are not described further. Only the encrypted storage and access control mechanisms for secure files are set out below.
A secure file consists of the following three parts (see the description of Fig. 1 for details):
1) file header T, comprising six parts: file identifier, digest algorithm identifier, file encryption algorithm identifier, key encryption algorithm identifier, signature algorithm identifier and access rights identifier;
2) file encryption key K' and file content M (ciphertext);
3) signed data E.
When a source file is digitally signed and stored encrypted, the header fields are filled in first: file identifier, digest algorithm identifier, file encryption algorithm identifier, key encryption algorithm identifier, signature algorithm identifier and access rights identifier. The secure file system then computes a digest over the file header and the source file and encrypts it with its own private key to form the signature (see the description of Fig. 2). Next it generates a file encryption key at random, encrypts the source file to form the ciphertext, and encrypts the file encryption key with the key encryption algorithm (see the description of Fig. 3). Finally the encrypted file encryption key, the file ciphertext and the signed data are appended after the file header to form a secure file.
When a digitally signed and encrypted file is accessed, the secure file system first extracts the file header. According to the key encryption algorithm named there, it decrypts the file encryption key with its own private key, then uses the recovered file encryption key and the specified file encryption algorithm to decrypt the ciphertext and obtain the file text. It decrypts the digest from the signed data, recomputes a fresh digest over the file header and file text with the specified digest algorithm, and compares the two to judge whether the file has been tampered with, which completes the originality discrimination (see the description of Fig. 4). Access control is then performed according to the proof of identity and proof of authority presented by the user (see the description of Fig. 5).
To describe the principle and features of the present invention in detail, a detailed description follows in conjunction with the drawings.
Before the description, for simplicity, the following symbols are defined:
1) K_PV: the private key of the secure file system.
2) K_PB: the public key of the secure file system.
Remark: K_PV and K_PB are a key pair, for example an RSA key pair. K_PV and K_PB must be generated in a secure environment and must be properly safeguarded.
3) P(D, k): encryption of information D with algorithm P under key k.
4) P'(D, k): decryption of information D with algorithm P under key k.
5) +: string concatenation.
Description of drawings
Fig. 1 is the secure file storage format.
Fig. 2 is the file signature data generation method.
Fig. 3 is the file encryption method.
Fig. 4 is the file originality discrimination process.
Fig. 5 is the secure file system access control mechanism.
Note: in all drawings, a shaded box indicates that the data in that box is ciphertext.
Embodiment
Fig. 1 is the secure file storage format.
The secure file storage format is as follows:
1) file identifier F
A string marking the file as a secure file.
2) digest algorithm identifier A_h
A string naming the digest algorithm used by the secure file. Commonly used digest algorithms may be adopted, such as MD5 and SHA-1.
3) file encryption algorithm identifier A_f
A string naming the symmetric encryption algorithm used by the secure file. Commonly used symmetric algorithms may be adopted, such as DES, 3-DES, IDEA and AES.
4) key encryption algorithm identifier A_k
A string naming the asymmetric algorithm that encrypts the key of the file encryption algorithm in 3). Commonly used asymmetric algorithms may be adopted, such as RSA, DSA, ECC and DH.
5) signature algorithm identifier A_s
A string naming the asymmetric algorithm used for the digital signature. Commonly used asymmetric algorithms may be adopted, such as RSA, DSA, ECC and DH.
6) access rights identifier R
A string naming the user identity and corresponding authority required to access the secure file. Authority can be graded. Authority may be set by group according to actual conditions, which avoids setting authority for each user individually and maintaining a huge permission list.
7) file encryption key K'
A binary string (ciphertext): the key used by the symmetric encryption algorithm specified in 3). The key must be stored only after being encrypted with the asymmetric algorithm specified for this file.
8) file content M
The ciphertext obtained by encrypting the source file.
9) signed data E
A binary string holding the signed data over the file header and file content.
When a secure file is created, the header fields (parts 1 to 6 in Fig. 1) are filled in first: file identifier, digest algorithm identifier, file encryption algorithm identifier, key encryption algorithm identifier, signature algorithm identifier, access rights identifier and so on. The file signature data field (part 9 in Fig. 1) is generated by the method of Fig. 2, and the file encryption key and file content (parts 7 and 8 in Fig. 1) are generated by the method of Fig. 3.
Fig. 2 is the file signature data generation method.
The file signature data is generated as follows:
1. Using digest algorithm A_h, hash the file header T and the file text C to obtain digest value D, i.e. D = A_h(T + C);
2. Using signature algorithm A_s, encrypt D with the private key K_PV of the secure file system to obtain the file signature data E, i.e. E = A_s(D, K_PV);
3. Write the file signature data E into the signed data part of the secure file.
Once the file header and the original file content have been digitally signed, it is guaranteed that the data in them has not been illegally tampered with. If the text content or the description in the file header is modified, the recomputed digest no longer matches the signed data and the subsequent signature verification fails, so the originality of the data is guaranteed. At the same time, because the signature is made with the private key of the secure file system, it is guaranteed that the original data was provided by the secure file system, which gives non-repudiation.
Fig. 3 is the file encryption method.
File encryption guarantees the confidentiality of a file and prevents information leakage through file theft. The concrete steps are as follows:
1. Generate file encryption key K at random and, using file encryption algorithm A_f, encrypt the file text C to obtain ciphertext M, i.e. M = A_f(C, K);
2. Using key encryption algorithm A_k, encrypt K with the public key K_PB of the secure file system, i.e.
K' = A_k(K, K_PB)
3. Write the ciphertext M into the file content part of the secure file.
4. Write the encrypted file encryption key K' into the file encryption key part of the secure file.
After a file has been encrypted by this method, it can only be decrypted by first obtaining its file encryption key; and the file encryption key is itself encrypted with a high-strength algorithm and the public key of the secure file system, which guarantees the security and confidentiality of the file.
Fig. 4 is the file originality discrimination process.
To prevent files from being tampered with, file originality discrimination must be performed whenever a secure file is used, so as to guarantee the integrity and authoritativeness of the file. The steps of file originality discrimination are as follows:
1. Obtain the key encryption algorithm A_k from the file header T and decrypt the encrypted file encryption key K' with the private key K_PV of the secure file system to obtain the file encryption key K, i.e. K = A_k'(K', K_PV);
2. Using the file encryption algorithm A_f in T, decrypt the secure file ciphertext M with the file encryption key K to obtain the file text C, i.e. C = A_f'(M, K);
3. Using signature algorithm A_s, decrypt the signed data E with the public key K_PB of the secure file system to obtain digest D,
i.e. D = A_s'(E, K_PB);
4. From the file header T and file text C, compute digest D' with digest algorithm A_h, i.e.
D' = A_h(T + C);
5. Compare D with D'. If D = D', file originality discrimination succeeds; otherwise it fails.
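As an added example (not code from the patent), the following Go program implements the secure file layout of Fig. 1 together with the signing (Fig. 2), encryption (Fig. 3) and originality discrimination (Fig. 4) steps. It assumes concrete choices the patent leaves open: SHA-256 as A_h (MD5 and SHA-1, named above, are no longer collision-resistant), AES-256-GCM as A_f, RSA-OAEP as A_k and RSA PKCS#1 v1.5 as A_s; the identifier strings, the newline-separated serialisation of T and the sample document are constructed for the example. One defensive choice is worth pointing out: because the header is read before the signature over it has been checked, the reader pins the algorithm identifiers it accepts instead of dispatching on whatever the header names.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"strings"
)

// Algorithm identifiers this example accepts (constructed strings; the patent leaves them open).
const (
	idFile, idDigest, idFileEnc = "SECFILE", "SHA-256", "AES-256-GCM"
	idKeyEnc, idSig             = "RSA-OAEP-SHA256", "RSA-PKCS1v15-SHA256"
)

// Header is T of Fig. 1: five algorithm/type identifiers plus the access-rights identifier R.
type Header struct{ F, Ah, Af, Ak, As, R string }

// Bytes serialises T so it can be concatenated with the plaintext ("+" in the patent).
func (h Header) Bytes() []byte {
	return []byte(strings.Join([]string{h.F, h.Ah, h.Af, h.Ak, h.As, h.R}, "\n") + "\n")
}

// SecureFile is the three-part layout of Fig. 1: T, then K' and M, then E.
type SecureFile struct {
	T      Header
	KPrime []byte // K' = A_k(K, K_PB), the wrapped file key
	M      []byte // M  = A_f(C, K), nonce-prefixed AES-GCM ciphertext
	E      []byte // E  = A_s(D, K_PV) with D = A_h(T + C)
}

// NewSystemKey generates the secure file system's key pair (K_PV, K_PB).
func NewSystemKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store implements Fig. 2 and Fig. 3: sign T+C with K_PV, encrypt C under a fresh K, wrap K with K_PB.
func Store(c []byte, perm string, sys *rsa.PrivateKey) (*SecureFile, error) {
	t := Header{idFile, idDigest, idFileEnc, idKeyEnc, idSig, perm}
	d := sha256.Sum256(append(t.Bytes(), c...))                        // Fig. 2 step 1: D = A_h(T + C)
	e, err := rsa.SignPKCS1v15(rand.Reader, sys, crypto.SHA256, d[:]) // Fig. 2 step 2: E = A_s(D, K_PV)
	if err != nil {
		return nil, err
	}
	k := make([]byte, 32) // Fig. 3 step 1: random file key K (crypto/rand.Read fills it entirely)
	rand.Read(k)
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	m := gcm.Seal(nonce, nonce, c, nil) // M = A_f(C, K), nonce prefixed to the ciphertext
	kPrime, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &sys.PublicKey, k, nil) // Fig. 3 step 2
	if err != nil {
		return nil, err
	}
	return &SecureFile{T: t, KPrime: kPrime, M: m, E: e}, nil
}

// Open implements Fig. 4. rsa.VerifyPKCS1v15 performs steps 3 to 5 (recover D from E, compare with D').
func Open(sf *SecureFile, sys *rsa.PrivateKey) ([]byte, error) {
	// Pin the identifiers instead of dispatching on whatever the not-yet-verified header says.
	if sf.T != (Header{idFile, idDigest, idFileEnc, idKeyEnc, idSig, sf.T.R}) {
		return nil, errors.New("unsupported algorithm identifier in header")
	}
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, sys, sf.KPrime, nil) // step 1: K = A_k'(K', K_PV)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	if len(sf.M) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	c, err := gcm.Open(nil, sf.M[:gcm.NonceSize()], sf.M[gcm.NonceSize():], nil) // step 2: C = A_f'(M, K)
	if err != nil {
		return nil, err
	}
	dPrime := sha256.Sum256(append(sf.T.Bytes(), c...)) // step 4: D' = A_h(T + C)
	if err := rsa.VerifyPKCS1v15(&sys.PublicKey, crypto.SHA256, dPrime[:], sf.E); err != nil {
		return nil, errors.New("originality check failed: header or content was altered") // step 5
	}
	return c, nil
}
```

Calling Store and then Open round-trips a document. Changing any header field afterwards (for instance raising R) without re-signing makes Open fail at step 5; changing a ciphertext byte makes it fail already at step 2, because AES-GCM authenticates the ciphertext, so the altered content is never returned to the caller.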
Fig. 5 is the secure file system access control mechanism.
When a user accesses a secure file, the user must present a proof of identity (for example an X.509 certificate) and a proof of authority (for example an ownership certificate) to the secure file system. On receiving them, the secure file system performs access control on the file as follows:
1. Parse the proof of identity presented by the user to obtain the user identity ID;
2. Parse the proof of authority to obtain the user's corresponding authority X;
3. Form R' = (ID, X) and compare R' with the access rights identifier R in the file header;
4. If no act in excess of authority occurs, allow the user to access the file; otherwise deny access.
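The following Go code, added here as an example and not taken from the patent, implements steps 3 and 4 of Fig. 5. The patent does not fix how R and (ID, X) are encoded, so the example assumes R is a list of "subject:level" rules where a subject is a user ID or a group name (the patent's "set authority by group"), and that levels are graded read < write < admin so that a higher grant covers a lower request. The identities and rules are constructed sample data. Unknown operations and a malformed R are denied rather than granted, which is the fail-closed behaviour step 4 calls for.

```go
package main

import (
	"fmt"
	"strings"
)

// Graded permission levels (assumed ordering): a higher level implies every lower one.
var level = map[string]int{"read": 1, "write": 2, "admin": 3}

// Identity is what step 1 recovers from the proof of identity (e.g. an X.509 certificate) and
// step 2 from the proof of authority: the user's ID and the groups the user belongs to.
type Identity struct {
	ID     string
	Groups []string
}

// Rule is one entry of the access-rights identifier R: a subject (a user ID or a group name)
// and the highest level that subject is granted on this file.
type Rule struct{ Subject, Level string }

// ParseR parses R, assumed here to be "subject:level" pairs separated by ';'.
func ParseR(r string) ([]Rule, error) {
	var rules []Rule
	for _, entry := range strings.Split(r, ";") {
		subject, lvl, ok := strings.Cut(strings.TrimSpace(entry), ":")
		if !ok || subject == "" {
			return nil, fmt.Errorf("malformed access rule %q", entry)
		}
		if _, known := level[lvl]; !known {
			return nil, fmt.Errorf("unknown permission level %q", lvl)
		}
		rules = append(rules, Rule{subject, lvl})
	}
	return rules, nil
}

// CheckAccess implements steps 3 and 4 of Fig. 5: form R' = (ID, X) from the user's identity and
// the requested operation X, compare it with R, and deny any request that exceeds the granted
// authority. Access is granted only if some rule names the user (or one of the user's groups)
// at a level at least as high as X; everything else, including errors, is denied.
func CheckAccess(user Identity, x string, r string) error {
	need, ok := level[x]
	if !ok {
		return fmt.Errorf("unknown operation %q", x)
	}
	rules, err := ParseR(r)
	if err != nil {
		return err // an unparseable R denies by default
	}
	subjects := append([]string{user.ID}, user.Groups...)
	for _, rule := range rules {
		for _, s := range subjects {
			if s == rule.Subject && level[rule.Level] >= need {
				return nil
			}
		}
	}
	return fmt.Errorf("user %s: %s on this file exceeds granted authority", user.ID, x)
}

func main() {
	r := "finance:read;audit:admin" // constructed R as it would appear in a file header
	alice := Identity{ID: "alice", Groups: []string{"finance"}}
	bob := Identity{ID: "bob", Groups: []string{"audit"}}
	requests := []struct {
		u Identity
		x string
	}{{alice, "read"}, {alice, "write"}, {bob, "write"}}
	for _, req := range requests {
		fmt.Printf("%s %s: %v\n", req.u.ID, req.x, CheckAccess(req.u, req.x, r))
	}
}
```

With the sample data, alice may read but not write the file (write exceeds the finance group's grant), while bob's admin grant covers a write request; a user who matches no rule is denied.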

Claims (1)

1. A storage and access control method for a secure file system, wherein the secure file is divided into the following three parts:
1) a file header comprising six parts: file identifier, digest algorithm identifier, file encryption algorithm identifier, key encryption algorithm identifier, signature algorithm identifier and access rights identifier;
2) file encryption key and file content;
3) signed data;
and the storage and access control comprise the following steps:
the generation of the file signature data comprises:
a step of hashing the file header and the source file with the digest algorithm to obtain a digest value;
a step of signing the digest value with the private key of the secure file system to obtain the signed data;
the encryption of the file comprises:
a step of generating a file encryption key at random, encrypting the source file with the encryption algorithm and storing the result;
a step of asymmetrically encrypting the randomly generated file encryption key and storing the result;
the file originality discrimination comprises:
a step of obtaining the file text by decryption;
a step of computing the corresponding digest value from the file header description and the file text with the corresponding digest algorithm;
a step of obtaining the original digest value from the file signature data;
a step of comparing the two digest values to determine whether file discrimination succeeds;
and the access control performed by the secure file system comprises:
a step of comparing the user's identity, proof of authority and the permission required for the requested file access to judge whether the file access request is legitimate.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 03135740 CN1219260C (en) 2003-09-02 2003-09-02 Method for controlling storage and access of security file system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 03135740 CN1219260C (en) 2003-09-02 2003-09-02 Method for controlling storage and access of security file system

Publications (2)

Publication Number Publication Date
CN1567255A CN1567255A (en) 2005-01-19
CN1219260C true CN1219260C (en) 2005-09-14

Family

ID=34470325

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 03135740 Expired - Fee Related CN1219260C (en) 2003-09-02 2003-09-02 Method for controlling storage and access of security file system

Country Status (1)

Country Link
CN (1) CN1219260C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113806785A (en) * 2021-10-11 2021-12-17 北京晓航众芯科技有限公司 Method and system for carrying out safety protection on electronic document

Families Citing this family (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101625717B (en) * 2005-01-28 2012-07-25 日本电气株式会社 Information leak analysis system
CN101753539B (en) * 2008-12-01 2012-06-06 北京大学 Network data storage method and server
CN102567230B (en) * 2010-12-23 2014-11-26 普天信息技术研究院有限公司 Smart card and method for safely managing same
CN102034062B (en) * 2010-12-31 2012-08-08 飞天诚信科技股份有限公司 Method and device for generating security file
CN102752111A (en) * 2011-04-20 2012-10-24 中国移动通信集团黑龙江有限公司 Method and system for preventing electronic signature from being tampered of work form system
CN102737176A (en) * 2011-09-23 2012-10-17 新奥特(北京)视频技术有限公司 Data security prevention and control file analysis method and device
CN102693374A (en) * 2011-09-23 2012-09-26 新奥特(北京)视频技术有限公司 File analysis method, user equipment, server and system for data security monitoring and controlling
CN102737196A (en) * 2011-09-23 2012-10-17 新奥特(北京)视频技术有限公司 Method for configuring information, user equipment, server and system in data safety prevention and control
CN103179086B (en) * 2011-12-21 2016-05-18 中国电信股份有限公司 Remote storage processing method and the system of data
CN102572595A (en) * 2012-02-03 2012-07-11 深圳市同洲电子股份有限公司 IPTV upgrade package structure, upgrading method and startup calibration method
CN102831341A (en) * 2012-07-26 2012-12-19 深圳市赛格导航科技股份有限公司 Method for protecting electronic transaction file
CN103488914B (en) * 2013-09-16 2016-08-17 博隆科技有限公司 A kind of efficient self-adapted Modular Data encryption method and system thereof
CN104050423B (en) * 2014-06-20 2018-06-15 宇龙计算机通信科技(深圳)有限公司 A kind of component call method, system and terminal
CN104463019B (en) * 2014-12-29 2017-07-25 北京致远互联软件股份有限公司 The encipher-decipher method of electronic document
CN104866768B (en) * 2015-05-15 2019-01-11 深圳怡化电脑股份有限公司 ATM os starting control method and device
CN105245916B (en) * 2015-10-08 2018-05-15 北京时医康科技发展有限公司 A kind of high intensity high efficiency video-encryption decryption method
CN105989311B (en) * 2016-07-04 2018-11-27 南京金佰达电子科技有限公司 A kind of high security external storage method based on document level
CN107368749B (en) * 2017-05-16 2020-09-15 阿里巴巴集团控股有限公司 File processing method, device, equipment and computer storage medium
CN107087004A (en) * 2017-05-17 2017-08-22 深圳乐信软件技术有限公司 Source file processing method and processing device, source file acquisition methods and device
CN107171808B (en) * 2017-06-14 2018-07-20 北京市档案局 A kind of verification method and device of electronic record authenticity
CN107451486B (en) 2017-06-30 2021-05-18 华为技术有限公司 Permission setting method and device for file system
CN107358118B (en) * 2017-07-03 2020-06-09 中兴通讯股份有限公司 SFS access control method and system, SFS and terminal equipment
CN108614711B (en) * 2018-04-20 2021-12-10 北京握奇智能科技有限公司 TA mirror image storage method and device and terminal
CN109657497B (en) * 2018-12-21 2023-06-13 北京思源理想控股集团有限公司 Secure file system and method thereof
CN110865975A (en) * 2019-11-13 2020-03-06 中国科学院电子学研究所 Method and device for managing document, electronic equipment and storage medium
CN110929110B (en) * 2019-11-13 2023-02-21 北京北信源软件股份有限公司 Electronic document detection method, device, equipment and storage medium
CN111177784A (en) * 2019-12-31 2020-05-19 上海摩勤智能技术有限公司 Security protection method and device for file system and storage medium
CN112668056B (en) * 2021-01-17 2022-04-12 复旦大学 Method for constructing security file system
CN113268556A (en) * 2021-06-09 2021-08-17 中航材导航技术(北京)有限公司 Novel storage format and method for chart data file
CN113347270B (en) * 2021-06-25 2022-12-23 中国银行股份有限公司 Method and device for preventing horizontal unauthorized network transmission file
CN114124557A (en) * 2021-11-30 2022-03-01 袁林英 Information security access control method based on big data
CN116910790B (en) * 2023-09-11 2023-11-24 四川建设网有限责任公司 Bid file encryption method with self-integrity checking function

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113806785A (en) * 2021-10-11 2021-12-17 北京晓航众芯科技有限公司 Method and system for carrying out safety protection on electronic document
CN113806785B (en) * 2021-10-11 2023-12-08 北京晓航众芯科技有限公司 Method and system for carrying out security protection on electronic document

Also Published As

Publication number Publication date
CN1567255A (en) 2005-01-19

Similar Documents

Publication Publication Date Title
CN1219260C (en) Method for controlling storage and access of security file system
CN100346249C (en) Method for generating digital certificate and applying the generated digital certificate
CN108599954B (en) Identity verification method based on distributed account book
CN1324502C (en) Method for discriminating invited latent member to take part in group
US20090097657A1 (en) Constructive Channel Key
CN1689297A (en) Method of preventing unauthorized distribution and use of electronic keys using a key seed
CN1702999A (en) A method for backup and recovery of encryption key
CN1283827A (en) Universal electronic information network authentication system and method
CN1805337A (en) Secret shared key mechanism based user management method
RU2010100880A (en) CREATION AND VERIFICATION OF CERTIFICATE OF DOCUMENTS PROTECTED CRYPTOGRAPHICALLY
CN108632251B (en) Credible authentication method based on cloud computing data service and encryption algorithm thereof
CN1694395A (en) Data authentication method and agent based system
CN112787996B (en) Password equipment management method and system
CN106789046B (en) Method for realizing self-generating key pair
CN109495257B (en) Data acquisition unit encryption method based on improved SM2 cryptographic algorithm
CN107404476B (en) Method and device for protecting data security in big data cloud environment
Senthil Kumari et al. Key derivation policy for data security and data integrity in cloud computing
CN1703003A (en) Black box technique based network safety platform implementing method
CN1226691C (en) Method for multiple encryption of file and simultaneous sealing/unsealing
CN1859088A (en) Method for providing enciphering service and system using said method
CN1801699A (en) Method for accessing cipher device
CN111541652B (en) System for improving security of secret information keeping and transmission
CN1607511A (en) Data protection method and system
KR20030097550A (en) Authorization Key Escrow Service System and Method
CN1571408A (en) A safety authentication method based on media gateway control protocol

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: SICHUAN GREAT TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: SICHUAN UNIVERSITY

Effective date: 20100513

COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 610065 NO.24, SOUTH 1ST SECTION, 1ST RING ROAD, CHENGDU CITY, SICHUAN PROVINCE TO: 610041 2/F, COMPLEX BUILDING (FACING THE STREET), CHENGDU KEHUA MIDDLE ROAD PRIMARY SCHOOL, NO.2, CHANGSHOU ROAD, WUHOU DISTRICT, CHENGDU CITY

TR01 Transfer of patent right

Effective date of registration: 20100513

Address after: 610041, Wuhou District, Changshou Road, Chengdu No. 2 Chengdu KELONG Road Primary School Street building two floor

Patentee after: Sichuan Gerite Technology Co., Ltd.

Address before: 610065 Sichuan, Chengdu, South Ring Road, No. 1, No. 24

Patentee before: Sichuan University

ASS Succession or assignment of patent right

Owner name: CHENGDU GLOBAL CAPSHEAF TECHNOLOGY CO., LTD.

Free format text: FORMER OWNER: SICHUAN GREAT TECHNOLOGY CO., LTD.

Effective date: 20130402

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20130402

Address after: 610000 C-411 Asia Pacific Plaza, KELONG North Road, Sichuan, Chengdu

Patentee after: Chengdu century summit Technology Co., Ltd.

Address before: 610000, Sichuan, Wuhou District, Changshou Road, Chengdu No. 2 Chengdu KELONG Road Primary School Street building two floor

Patentee before: Sichuan Gerite Technology Co., Ltd.

DD01 Delivery of document by public notice

Addressee: Wang Zhengtao

Document name: Notification of Passing Examination on Formalities

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20050914

Termination date: 20150902

EXPY Termination of patent right or utility model