TWI493950B - Conditional electric document right management system and method - Google Patents

Publication number
TWI493950B
Authority
TW
Taiwan
Prior art keywords
electronic file
management
control system
file
processing unit
Application number
TW098105851A
Other languages
Chinese (zh)
Other versions
TW201032559A (en
Inventor
I Yao Chen
Original Assignee
Fineart Technology Co Ltd
Application filed by Fineart Technology Co Ltd filed Critical Fineart Technology Co Ltd
Priority to TW098105851A priority Critical patent/TWI493950B/en
Publication of TW201032559A publication Critical patent/TW201032559A/en
Application granted granted Critical
Publication of TWI493950B publication Critical patent/TWI493950B/en

Landscapes

  • Storage Device Security (AREA)

Description

Conditional electronic file permission control system and method

The present invention relates generally to a permission control system and method, and more specifically to a permission control system and method that can automatically classify permissions based on content comparison.

With the development of computer technology, people today rely on computers as an important tool for work, study and other applications. As a result, households, schools, government agencies, the military, commercial organizations and all kinds of other units produce large numbers of electronic files every day. Many of these contain important secrets, including military secrets, trade secrets, examination information and others. Because of the growth of the Internet, the development of all kinds of wired/wireless networks and the use of various external storage devices, keeping these electronic files confidential is quite difficult. Since most modern operating systems can hold multiple user accounts, and files may also be shared through network servers, files of different confidentiality levels must be distinguished when many users share a system at the same time. If the level of confidentiality is too low, anyone can easily retrieve important information; if it is too high, it easily causes unnecessary trouble. With such a variety of files, a correspondingly varied set of confidentiality policies for electronic files is needed. The prior art, however, offers no good solution to these problems.

To protect digital files from being retrieved by those with ill intent, the prior art has proposed a wide variety of encryption mechanisms. For example, U.S. Patent No. 6,885,748, "System and Method for Protection of Digital Works", proposes a complex encryption system and method intended to resist cracking. Prior art of this kind, however, does not address the core problem: among all the different electronic files, which need to be encrypted and which do not? With large numbers of electronic files generated every day, how is the applicable encryption/decryption policy determined for each one? Do different units or agencies apply the same encryption/decryption policy? In addition, fake files, renamed files and Trojan horse programs are mixed in among ordinary files, and how to identify and distinguish them is also an important problem. Otherwise, a renamed program may be encrypted while the confidential data that really needs protection is left unprotected.

In view of the above, the present invention discloses a conditional electronic file permission control system and method that overcomes problems the prior art could not overcome and provides other unexpected benefits.

One aspect of the present invention is to provide a conditional electronic file permission control system comprising at least one management side, which includes: a management-side processing unit for controlling overall operation; a management-side setting module, coupled to the management-side processing unit and including a management-side input interface through which an administrator enters scan conditions such as keywords; a management-side scanning module, coupled to the management-side processing unit, to provide the keyword scanning function; a management-side encryption/decryption module, coupled to the management-side processing unit, to encrypt and classify electronic files in which a keyword is found; a management-side storage module, coupled to the management-side processing unit and including a database, to provide file storage; a management-side management module, coupled to the management-side processing unit, to provide further file configuration management functions; and a management-side transmit/receive interface, coupled to the management-side processing unit, to transmit or receive data.

Another aspect of the present invention is to provide a conditional electronic file permission control system comprising at least one client side, which includes: a client-side processing unit, coupled to the management-side processing unit, which controls the operation of the client side and is controlled by the management-side processing unit; a client-side transmit/receive interface, coupled to the client-side processing unit, to send electronic files to the management side and receive encrypted and classified electronic files from the management side; a client-side encryption/decryption module, coupled to the client-side processing unit, to decrypt electronic files encrypted and classified by the management side; and a client-side storage module, coupled to the client-side processing unit and including a database, to store the data described above.

Another aspect of the present invention is to provide a conditional electronic file permission control method, comprising: setting at least one set of conditions and at least one scan range; performing a scanning step (that is, content comparison) on at least one electronic file according to the at least one set of conditions and the at least one scan range; and performing an encryption and classification step on the at least one electronic file according to the result of the scanning step, to produce at least one encrypted and classified electronic file.

One feature of the present invention is that electronic files are scanned using keywords; because files are treated as binary, text, graphics and the like in all kinds of files can be scanned.

Another feature of the present invention is that the entire encryption/decryption process can be completed in transparent mode, automatically encrypting/decrypting and classifying electronic files without the user noticing.

Figure 1 is a schematic diagram of the implementation steps according to an embodiment of the present invention. Under the monitoring of the conditional file permission control system of the present invention, whenever any file is created the system immediately and automatically starts (100). In step 102, multiple conditions (condition one, two, three and so on) can be set in the system, and the scan range can also be set. Condition one may be, for example, "機密" ("Confidential"); condition two may be a personal name such as "王大明" (Wang Daming); condition three may be an organization name such as "國防部" (Ministry of National Defense). During scanning, all files can be treated as binary, so the scan range can include, for example, the file name, title, abstract, body text, tables, image files and others. In step 104, the system first scans the configured range of the file for the keyword of condition one. If a match is found, the system automatically encrypts the file according to condition one (106), producing ciphertext classification one (108), and proceeds to step 120 to store the file and end. If the keyword set for condition one is not found in step 104, the system proceeds to step 110 and scans the file for the keyword set for condition two. If a match is found in this step, the system automatically encrypts the file according to condition two (112), producing ciphertext classification two (114), and proceeds to step 120 to store the file and end. If the keyword set for condition two is not found in step 110, the system scans the file for the keyword set for condition three; because the steps are similar, the steps for condition three and beyond (condition four, condition five and so on) are not shown in the figure. If no match is found after all configured conditions have been searched, the system, per step 116, does not encrypt the file, so the file remains in the plaintext (unencrypted) state (118), and the system stores it and ends (120).

Figure 1 shows how electronic files are scanned, encrypted and classified in an embodiment of the present invention, but those of ordinary skill in the art will appreciate that, for clarity of explanation, Figure 1 omits many details and variations. In practice, many files may have the characteristics of two or more of condition one, condition two, condition three and so on at the same time, and a single file may involve multiple factors and require multiple encryption. For example, when a file in Figure 1 is classified as ciphertext classification one (108) because condition one was matched (106), it does not necessarily lack the keywords set for condition two or condition three. Therefore, in other embodiments of the present invention, ciphertext classification one (108) can be further scanned, detected or compared against the keyword set for condition two. If condition two is also matched, the system can encrypt the file according to both condition one and condition two, classify it as ciphertext classification "one plus two" and store it. If the keyword of condition two is not found in ciphertext classification one (108), the system can go on in the next step to scan ciphertext classification one (108) for the keyword set for condition three; if condition three is matched, the system can encrypt the file according to both condition one and condition three, classify it as ciphertext classification "one plus three" and store it. By the same pattern, ciphertext classification "one plus two" can be scanned for the keyword of condition three, or ciphertext classification "one plus three" for the keyword of condition four, and so on. These steps yield a multiply encrypted file, such as ciphertext classification "one plus two plus three", "one plus two plus four", "one plus three plus five" or others, which can greatly improve the security of the file; encryption/decryption can be applied in order according to the configured conditions, so no extra burden is placed on the administrator.
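The cascade of Figure 1 and the multi-match variant described above, as an added example that is not part of the patent; it decides the classification only and leaves the encryption step out. The encoding list, the scan-range names and the sample documents are assumptions constructed for illustration; the keywords are the three sample values from the embodiment.

```python
from dataclasses import dataclass

# Assumptions for this example: the candidate encodings and the scan-range
# names below are illustrative; the patent names neither.
DEFAULT_ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be", "big5")
ALL_RANGES = ("filename", "title", "body")


@dataclass(frozen=True)
class Condition:
    number: int   # condition one, two, three, ...
    keyword: str

    def patterns(self, encodings):
        """Byte patterns of the keyword, one per encoding that can express it."""
        found = set()
        for enc in encodings:
            try:
                found.add(self.keyword.encode(enc))
            except UnicodeEncodeError:
                continue  # keyword has no representation in this encoding
        return found


@dataclass(frozen=True)
class Document:
    parts: dict   # scan-range name -> raw bytes of that part of the file


def matches(cond, doc, scan_ranges, encodings=DEFAULT_ENCODINGS):
    """True if any byte pattern of the keyword occurs in a scanned part."""
    pats = cond.patterns(encodings)
    return any(p in doc.parts.get(name, b"")
               for name in scan_ranges for p in pats)


def classify_first_match(doc, conditions, scan_ranges,
                         encodings=DEFAULT_ENCODINGS):
    """Figure 1 cascade: number of the first matching condition, or None
    when nothing matches and the file stays plaintext."""
    for cond in conditions:
        if matches(cond, doc, scan_ranges, encodings):
            return cond.number
    return None


def classify_all(doc, conditions, scan_ranges, encodings=DEFAULT_ENCODINGS):
    """Multi-match variant: every matching condition number in order,
    e.g. (1, 3) for classification "one plus three"."""
    return tuple(c.number for c in conditions
                 if matches(c, doc, scan_ranges, encodings))


# The three sample keywords from the embodiment, in condition order.
CONDITIONS = [Condition(1, "機密"), Condition(2, "王大明"), Condition(3, "國防部")]

# Constructed sample documents (not from the patent).
DOC_A = Document({"filename": b"report.txt",          # two keywords, UTF-8 body
                  "title": "月報".encode("utf-8"),
                  "body": "本文件為機密,送交國防部".encode("utf-8")})
DOC_B = Document({"filename": b"holiday.jpg",         # misleading name, UTF-16 body
                  "title": b"",
                  "body": "聯絡人:王大明".encode("utf-16-le")})
DOC_C = Document({"filename": b"menu.txt",            # no keyword at all
                  "title": b"",
                  "body": b"lunch menu for friday"})


def demo():
    """Classification results for the constructed documents."""
    return {
        "A first match": classify_first_match(DOC_A, CONDITIONS, ALL_RANGES),
        "A all matches": classify_all(DOC_A, CONDITIONS, ALL_RANGES),
        "A name+title only": classify_first_match(
            DOC_A, CONDITIONS, ("filename", "title")),
        "B first match": classify_first_match(DOC_B, CONDITIONS, ALL_RANGES),
        "B utf-8 patterns only": classify_first_match(
            DOC_B, CONDITIONS, ALL_RANGES, encodings=("utf-8",)),
        "C first match": classify_first_match(DOC_C, CONDITIONS, ALL_RANGES),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Restricting the scan range to the file name and title misses the keyword in the body of DOC_A, and a UTF-8-only pattern set misses the UTF-16 body of DOC_B, so both settings need to match the file formats actually in use.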

In addition, in other embodiments of the present invention, the order of steps 100 and 102 in Figure 1 can be swapped or adjusted as appropriate. For example, the types of confidential files in a commercial organization may all be similar, and the keywords and scan range they require are largely the same, so the keywords and scan range need not be reset at every start. They may only need to be set at first use, after which the same settings can be used for a long time, with adjustment needed only when the files used in the organization change substantially.

Furthermore, to meet the needs of different organizations or units, the adjustable scan range in embodiments of the present invention is also one of its features. For example, some public bodies such as the military may produce large numbers of files every day. These files may be reports, and the report titles or the tables in them may all have a fixed format, so setting the scan to cover only a fixed range, such as the file title or a fixed field in a table, can greatly reduce scan time, and because it is applied to fixed-format files, the effectiveness of the scan is not lost. For units with very large file volumes and very high timeliness requirements, producing file encryption and classification quickly and effectively is a very important consideration.

In other embodiments of the present invention, the encrypted and classified files can be further arranged on the basis of the above. For example, the large number of files produced by the military unit above is quickly scanned by the steps of the present invention, producing a series of classified encrypted files, such as ciphertext classification one (108), ciphertext classification two (114) and others shown in Figure 1. Ciphertext classification one (108) might be, for example, weapon deployment, and ciphertext classification two (114) might be personnel or food allocation. The present invention then further includes recording and analyzing the weapon deployment and personnel allocation by time or by unit, compiling them into a table, encrypting the table with the same encryption classification, and dispatching it to the relevant officers or unit heads. The conditional file permission control system and method of the present invention therefore not only classifies and encrypts files but also includes means for managing them.

Figure 2 is a functional block diagram of the system according to an embodiment of the present invention. To achieve the functions described above, the figure shows a management side 200 and a client side 250. The management side 200 includes a management-side processing unit 202, a management-side setting module 204, a management-side scanning module 206, a management-side encryption/decryption module 208, a management-side storage module 210, a management-side management module 212, other modules 214 and so on; these modules are coupled to the management-side processing unit 202, which controls overall operation. The management side 200 as a whole may be an electronic computer, such as a personal computer, notebook computer, workstation, server or other, or a mobile electronic device such as a mobile phone, personal digital assistant (PDA) or other. The management-side processing unit 202 may be a processor, microprocessor, chip or other component with computing and processing capability for controlling the different modules in the figure; it also includes other common computer components such as memory, which provide temporary storage to speed up processing. The modules in Figure 2 correspond to the functions mentioned for Figure 1. For example, the management-side setting module 202 may include a management-side input interface through which the administrator enters parameters, including the conditions and scan range, corresponding to step 102. The management-side scanning module 206 provides the scanning functions of steps 104, 110 and others in Figure 1. The management-side encryption/decryption module 208 corresponds to steps 106, 112 and others in Figure 1, providing different encryption and classification according to the scan result, and can decrypt some already encrypted files for further processing. The management-side storage module 210 corresponds to step 120 in Figure 1; it usually includes a hard disk or other storage devices to store the generated data, and has a database to store the data by category and provide further common database functions. The management-side management module 212 corresponds to the management functions described above, such as analysis, tabulation, dispatch or others. The management-side other modules 214 provide other common computer functions not described in detail, and the analysis, tabulation, dispatch and similar modules are included therein. In addition, the management-side processing unit 202 is further coupled to a management-side transmit/receive interface 216 to transmit the encrypted and classified data to a plurality of client sides 250.

The client side 250 includes a client-side transmit/receive interface 260 coupled to the client-side processing unit 252. When any file is created on the client side 250, it is automatically sent, in a transparent mode that the user does not notice, to the management side 200 for transparent encryption/decryption processing, that is, the steps described above; after processing, the management side 200 returns it to the client side 250, where it overwrites the original file. In other words, as soon as a user creates a new file, the file is scanned and classified through the steps above, and if it contains a keyword that requires encryption it is immediately transparently encrypted (encrypted without the user noticing) into ciphertext. The client-side processing unit 252 is coupled to a client-side encryption/decryption module 254, a client-side storage module 256, client-side other modules 258 and so on. The client side 202 may likewise be a personal computer, notebook computer, workstation, server, mobile phone, personal digital assistant or other electronic device. After encrypted data is received, if the user has permission to process the data further, the client-side encryption/decryption module 254 automatically performs transparent decryption, so that the user can process the data according to the permissions held, such as open, copy, access, print, read-only, unrestricted and/or others. Depending on requirements, this transparent decryption can instead be set to manual decryption by the user. The client-side storage module 256 may be implemented similarly to the management-side management module 212; it stores the client side's data and may include a database. The client-side other modules 258 provide the various other common computer functions of the client side that are not described in detail.

Note that the above is only one implementation of the embodiments of the present invention; other embodiments may take other forms. For example, a file created on the client side 250 need not first be sent back to the management side 200 for analysis, comparison and encryption and then returned to the client side 250 to overwrite the original file. That is, to reduce the workload of the management side 200 and improve processing efficiency, the keyword-based operations described above, such as encryption/decryption and file classification, can also be performed directly on the client side, using the modules and processing unit of the client-side resources in Figure 2. In addition, if analysis and comparison reveals a confidential/top-secret file, the conditional electronic file permission control system of the present invention also provides automatic backup; the backup path can be set to a directory on the client machine itself, or to a directory on the management side reached by uploading over the network. This function can be provided by the storage module.

Figure 2 shows one management side and one client side exchanging data through, for example, a network interface, which may use the Internet, a local area network, a virtual private network (VPN) and/or any other form of wired/wireless network. Note, however, that in actual implementation one management side can be connected to a plurality of client sides; a military unit or large commercial organization, for example, might connect hundreds of client sides to one management side. Multiple management sides can also be connected to a plurality of client sides, so that the management sides provide redundancy, load distribution or other functions; the redundancy function is provided by a backup module, which in this description is included among the management-side other modules 214. Furthermore, for smaller commercial organizations or individual users, the management side and client side can be combined, that is, integrated in the same computer; many computer operating systems hold multiple user accounts and likewise need the mechanism provided by the present invention for file permission control.

Another feature of the present invention is that it solves a problem the prior art could not: the prior art cannot effectively deal with an intruder renaming files, or with fake files, Trojan horse programs and the like. Because the present invention provides keyword scanning, even if a file is renamed, the suspicious file can still be found by comparing keywords in its content and presented to the administrator for further handling; fake files or Trojan horse programs can also be detected by their characteristics during keyword scanning and promptly reported to the administrator for further handling.

A further feature of the present invention is that it solves another problem the prior art could not: the prior art cannot effectively solve the problem that Universal Serial Bus (USB) file access devices make it easy to steal data. Because USB file access devices (commonly called thumb drives) have advantages such as small size and plug-and-play (hot-plug) operation, confidential files can very easily be stolen with them. With the keyword scanning function provided by the present invention, every file is assigned permissions according to the settings as soon as it is created, so confidential files cannot be taken out even with a USB file access device or by other means, and the management-side management module 212, for example, can track all historical information and notify the administrator.

The spirit of the present invention can be better understood from the detailed description above and the accompanying drawings. Note that the modules or units described above are not limited to particular software, hardware or firmware and may be any one or a combination of these. Those of ordinary skill in the art will understand that the detailed embodiments disclosed in this description are intended to explain the present invention clearly and not to limit it to any particular detail. Not all necessary components are shown in the drawings, and connected components may have other components linking them. Fully implementing the present invention may require other known components that are not shown or described, and some specific components in the drawings or description are not necessarily required in an implementation. The spirit and scope of the present invention are therefore defined by the claims below, and any modification or change made without departing from that spirit and scope is also included therein.

100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120: steps
200: management side
202: management-side processing unit
204: management-side setting module
206: management-side scanning module
208: management-side encryption/decryption module
210: management-side storage module
212: management-side management module
214: management-side other modules
216: management-side transmit/receive interface
250: client side
252: client-side processing unit
254: client-side encryption/decryption module
256: client-side storage module
258: client-side other modules
260: client-side transmit/receive interface

Figure 1 shows a schematic diagram of the implementation steps according to an embodiment of the present invention.

Figure 2 shows a functional block diagram of the system according to an embodiment of the present invention.

Claims (18)

1. A conditional electronic file permission control system, comprising at least one management end, the management end comprising: a management-end processing unit; a management-end setting module, coupled to the management-end processing unit, for setting a condition, wherein the condition is at least one set of keywords, and wherein the management-end setting module further comprises a management-end input interface, coupled to the management-end processing unit, through which at least one administrator inputs the condition and a scan range; a management-end scanning module, coupled to the management-end processing unit, for detecting, according to the condition, specific information in the scan range of at least one electronic file; and a management-end encryption/decryption module, coupled to the management-end processing unit, for encrypting the at least one electronic file in which the specific information is detected.

2. The conditional electronic file permission control system of claim 1, further comprising at least one client end, the client end comprising: a client-end processing unit, coupled to the management-end processing unit; a client-end encryption/decryption module, coupled to the client-end processing unit, for encrypting/decrypting data; and a client-end storage module, coupled to the client-end processing unit, for storing data and providing automatic data backup.

3. The conditional electronic file permission control system of claim 2, wherein the management-end scanning module scans, or performs content comparison on, at least one electronic file in the at least one client end according to the condition, and the management-end encryption/decryption module then encrypts/decrypts and classifies the file according to the result of the scan or content comparison, to generate at least one encrypted and classified electronic file.

4. The conditional electronic file permission control system of claim 3, wherein the at least one management end further comprises a storage module, coupled to the management-end processing unit, for storing the at least one encrypted and classified data and providing automatic data backup.

5. The conditional electronic file permission control system of claim 4, wherein the management-end management module is further coupled to a dispatch module, to dispatch the encrypted and classified data to one or more of the at least one client end.

6. The conditional electronic file permission control system of claim 5, wherein the at least one management end further comprises a management-end transmit/receive interface, and the at least one client end further comprises a client-end transmit/receive interface.

7. The conditional electronic file permission control system of claim 6, wherein the at least one management end and the at least one client end are integrated in a single electronic device.

8. The conditional electronic file permission control system of claim 6, wherein the at least one management end and the at least one client end are respectively disposed in a plurality of electronic devices.

9. The conditional electronic file permission control system of claim 8, wherein the at least one management end and the at least one client end communicate through a network.

10. The conditional electronic file permission control system of claim 9, wherein the network comprises a wired network, a wireless network, or a combination thereof.

11. The conditional electronic file permission control system of claim 9, wherein the network comprises the Internet, a local area network, a virtual private network (VPN), or a combination thereof.

12. The conditional electronic file permission control system of claim 9, wherein the at least one management end further comprises a redundancy module, to provide mutual backup among the at least one management end, load distribution, or a combination thereof.

13. A conditional electronic file permission control method, comprising: setting at least one set of conditions in a permission control system, wherein the at least one set of conditions is at least one set of keywords; setting a scan range; performing a scanning, detection or content comparison step on the scan range of at least one electronic file according to the at least one set of conditions; and performing an encryption and classification step on the at least one electronic file according to the result of the scanning, detection or content comparison step, to generate at least one encrypted and classified electronic file.

14. The conditional electronic file permission control method of claim 13, wherein the at least one set of keywords is implemented in binary form.

15. The conditional electronic file permission control method of claim 13, wherein the at least one electronic file comprises text, graphics, or a combination thereof.

16. The conditional electronic file permission control method of claim 13, further comprising the step of overwriting the original at least one electronic file with the at least one encrypted and classified electronic file.

17. The conditional electronic file permission control method of claim 13, wherein the scan range comprises the file name, title, abstract, body text, tables, image files, a combination of the above, or the entire document of the at least one electronic file.

18. The conditional electronic file permission control method of claim 13, further comprising the step of automatically backing up the at least one encrypted and classified electronic file.
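The scanning and classification steps of the method claim, combined with the dependent claims on binary-form keywords and on the scan range, sketched as an added Python example (not code from the patent). The classification labels, the encoding list, the `Document` type and the sample files are assumptions; the encryption step is left out because the claims name no cipher.

```python
from dataclasses import dataclass, field

# Constructed policy: classification label -> keyword group. Labels are assumptions.
POLICY = [("SECRET", ["merger plan", "機密"]), ("INTERNAL", ["salary table"])]
ENCODINGS = ("utf-8", "utf-16-le", "big5")  # assumed encodings seen on the file share


@dataclass
class Document:
    filename: str
    parts: dict = field(default_factory=dict)  # scan-range part name -> raw bytes


def compile_policy(policy, encodings=ENCODINGS):
    """Expand every keyword into the byte patterns it can appear as on disk."""
    compiled = []
    for label, keywords in policy:
        patterns = set()
        for keyword in keywords:
            for enc in encodings:
                try:
                    patterns.add(keyword.encode(enc))
                except UnicodeEncodeError:
                    pass  # keyword not representable in this encoding
        compiled.append((label, patterns))
    return compiled


def scan(doc, compiled, scan_range):
    """Return (label, matched_parts) for the first group hit inside scan_range."""
    haystacks = {}
    for part in scan_range:
        if part == "filename":
            haystacks[part] = doc.filename.encode("utf-8")
        elif part in doc.parts:
            haystacks[part] = doc.parts[part]
    for label, patterns in compiled:
        hits = sorted(p for p, data in haystacks.items()
                      if any(pat in data for pat in patterns))
        if hits:
            return label, hits
    return None, []  # no keyword found: file is left unencrypted


# Constructed sample files.
MEMO = Document("q3_notes.doc", {"title": b"Q3 notes",
                "body": "The merger plan is attached".encode("utf-16-le")})
SHEET = Document("salary table 2009.xls", {"body": b"figures only"})
NOTICE = Document("notice.txt", {"body": "本文件為機密".encode("big5")})
```

Matching is byte-exact, so a keyword stored in an encoding outside the list, or in a different letter case, is missed and the file stays unclassified.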
TW098105851A 2009-02-24 2009-02-24 Conditional electric document right management system and method TWI493950B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW098105851A TWI493950B (en) 2009-02-24 2009-02-24 Conditional electric document right management system and method

Publications (2)

Publication Number Publication Date
TW201032559A TW201032559A (en) 2010-09-01
TWI493950B true TWI493950B (en) 2015-07-21

Family

ID=44854923

Family Applications (1)

Application Number Title Priority Date Filing Date
TW098105851A TWI493950B (en) 2009-02-24 2009-02-24 Conditional electric document right management system and method

Country Status (1)

Country Link
TW (1) TWI493950B (en)
