WO2015139571A1 - Data protection - Google Patents


Publication number: WO2015139571A1
Application number: PCT/CN2015/074010
Authority: WO, WIPO (PCT)
Prior art keywords: file, party application, restricted, current, access
Prior art date:
Other languages: French (fr)
Inventors: Dong Li, Wenwu Sun
Original assignee: Hangzhou H3C Technologies Co., Ltd.
Priority date:
Filing date:
Publication date:
Application filed by Hangzhou H3C Technologies Co., Ltd.
Publication of WO2015139571A1

Classifications

    • G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services > H04L67/53 Network services using third party service providers
    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; authentication; protecting privacy or anonymity > H04W12/08 Access security > H04W12/086 Access security using security domains
    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; authentication; protecting privacy or anonymity > H04W12/30 Security of mobile devices; security of mobile applications > H04W12/37 Managing security policies for mobile devices or for controlling mobile applications
    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; authentication; protecting privacy or anonymity > H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices > H04W88/02 Terminal devices

Definitions

  • BYOD: Bring Your Own Device
  • BYOD means that people may bring their own equipment (such as a PC, a cell phone, a tablet PC, and so on) to work anywhere, for example to log in to business e-mail or online office systems in airports, hotels, coffee shops and other places.
  • BYOD technology may let people work without being constrained by time, location, equipment, personnel, or network environment.
  • File security that involves personal privacy and trade secrets is widely valued.
  • For example, the source code of a computer program written by a programmer on a terminal equipment is usually confidential, and the programmer worries that the related files may be accessed by other, unauthorized applications without his authorization.
  • A centralized access control scheme is provided in the present disclosure to improve file access security.
  • Such a feature can be implemented by modifying traditional network security access components/programs. New features may be added to the network security access components/programs (hereinafter referred to as "security groupware"). This may be achieved by developing the feature alone or by modifying other components/programs.
  • The security groupware may be client software installed in a terminal equipment or a Web security certification program installed in a server.
  • The security groupware can be used to achieve security management functions such as ID authentication, security status evaluation, and/or security policy enforcement.
  • For example, the network access client software, acting as the security groupware, may be installed in the terminal equipment in order to maintain the local security of the terminal equipment and to secure the interaction between the terminal equipment and the server.
  • As shown in FIG. 1, the data protection method of the present disclosure may include the following blocks.
  • At block 102, the security groupware marks a file that requires security protection as a restricted file, based on a registration request from the corresponding third-party application in a terminal equipment.
  • The security groupware stores the association relationship between the restricted file and the corresponding third-party application in an association table.
  • Here "restricted file" means a file on which, for security protection purposes, access restrictions are imposed so that third-party applications without access rights cannot access it directly.
  • Through registration management of the restricted files of third-party applications, access security of the restricted files is effectively improved, and unauthorized applications are prevented from accessing them.
  • Access to a restricted file may include actions such as reading, writing, copying, and moving the contents of the file.
  • At block 104, the security groupware receives a file access request for a target file from a current third-party application.
  • The "current" third-party application is the application currently requesting file access; it may be the same application as in block 102 or a different one.
  • At block 106, the security groupware determines whether the target file of the file access request is a restricted file. If yes, go to block 108; otherwise, go to block 110.
  • The security groupware may create an association table containing all restricted files according to the registration status at block 102.
  • The security groupware can then determine whether the target file is a restricted file by whether the target file is found in the association table.
  • At block 108, the security groupware determines whether the current third-party application is associated with the target file. If it is, go to block 110; otherwise, the current third-party application's access to the target file is rejected.
  • At block 110, the current third-party application is allowed to access the target file.
  • The security management functions of the third-party applications can be separated out to reduce the development difficulty of third-party applications: developers merely need to call the corresponding management functions of the security groupware instead of developing them independently.
  • Unified management of all restricted files of the various third-party applications can be achieved, preventing the situation in which the security of a third-party application's restricted files cannot be guaranteed because of technical differences between application developers.
  • By modifying traditional security groupware, the goal of managing access security of the restricted files of various third-party applications can be achieved. Therefore, when ID authentication, security status evaluation, and/or security policy enforcement are to be performed on the terminal equipment, the traditional security management functions of the security groupware can be reused, which significantly reduces duplicated development work. In addition, because the security groupware performs the access management of the restricted files, security management of the terminal equipment is handled uniformly by the security groupware, which reduces management difficulty and facilitates troubleshooting and repair.
  • As shown in FIG. 2, a server 10 is located inside a corporate network.
  • A terminal equipment 20 uses the "A client software" (acting as the security groupware) to implement a data protection solution for restricted files in BYOD scenarios, and successfully accesses the corporate network and logs in to the server 10.
  • The "A client software" may also accomplish unified and effective management of the restricted files of all third-party applications in the terminal equipment 20.
  • FIG. 3 is a diagram for accessing a restricted file according to an example of the present disclosure.
  • When the restricted file is initially created by the current third-party application, the "A client software", acting as the security groupware, requests an encryption key from the server 10 and forwards it to the current third-party application. The current third-party application then uses the encryption key and the storage path of the restricted file to generate a combination key according to a predetermined rule, and encrypts the contents of the restricted file with the combination key.
  • When the "A client software" determines that the current third-party application is authorized to access the restricted file, it requests the decryption key from the server 10 and forwards it to the current third-party application.
  • The current third-party application uses the decryption key and the storage path of the restricted file to generate the combination key according to the predetermined rule, and decrypts the contents of the restricted file with the combination key.
  • Another case is that the current third-party application needs to move or copy a restricted file to another storage location.
  • When the "A client software" determines that the current third-party application is authorized to access the restricted file, it requests a decryption key from the server 10 and forwards it to the current third-party application.
  • The current third-party application uses the decryption key and the storage path of the restricted file to generate the combination key according to the predetermined rule, and decrypts the contents of the restricted file with it.
  • After the restricted file has been moved or copied to the new storage location, the "A client software" requests an encryption key from the server 10 and forwards it to the current third-party application.
  • The current third-party application uses the new encryption key (provided by the "A client software") and the new storage path of the restricted file to generate a new combination key according to the predetermined rule, and encrypts the contents of the moved or copied restricted file with the new combination key.
  • The method for generating the combination key can be determined by the vendor or the user.
  • In one example, the combination key is formed by concatenating the "key" followed by the "storage path of the restricted file"; in another example, by concatenating the "storage path of the restricted file" followed by the "key".
  • Other, more complex techniques can be adopted to generate the combination key.
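The FIG. 3 key flow (create, read back, move with re-encryption), as an added example that is not the patent's or H3C's code. The patent leaves the combination rule to the vendor; plain concatenation of key and path, its simplest rule, produces a value from which both parts can be separated again, so this example uses an HMAC-based derivation instead, which is an assumption. The stdlib-only encrypt-then-MAC stream cipher stands in for a real AEAD (use AES-GCM in production), and `KeyServer` stands in for server 10; both are constructed for this example.

```python
# Added example, not the patent's code: combination key bound to the storage path.
import hashlib
import hmac
import os
import posixpath

NONCE_LEN, TAG_LEN = 16, 32


class KeyServer:
    """Stand-in for server 10 (assumption): the security groupware fetches the key
    from here and forwards it to the application; it is never stored on the terminal."""

    def __init__(self) -> None:
        self._key = os.urandom(32)

    def issue_key(self) -> bytes:
        return self._key


def combination_key(server_key: bytes, storage_path: str) -> bytes:
    """Bind the server key to the normalised storage path. A keyed hash, unlike plain
    concatenation, yields a key that is useless at any other path (assumed rule)."""
    path = posixpath.normpath(storage_path).encode()
    return hmac.new(server_key, b"combination-key\x00" + path, hashlib.sha256).digest()


def _subkeys(ck: bytes):
    # Separate encryption and MAC keys derived from the combination key.
    return (hmac.new(ck, b"enc", hashlib.sha256).digest(),
            hmac.new(ck, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode; a stand-in for a real cipher so the example needs no extra package.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_file(server_key: bytes, storage_path: str, plaintext: bytes) -> bytes:
    """Encrypt file contents under the combination key: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(combination_key(server_key, storage_path))
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_file(server_key: bytes, storage_path: str, blob: bytes) -> bytes:
    """Decrypt; fails if the key, the path or the contents differ from encryption time."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated restricted file")
    enc_key, mac_key = _subkeys(combination_key(server_key, storage_path))
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or storage path, or contents tampered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def move_restricted_file(server_key: bytes, old_path: str, new_path: str, blob: bytes) -> bytes:
    """FIG. 3 move/copy: decrypt under the old path, re-encrypt under the new one."""
    return encrypt_file(server_key, new_path, decrypt_file(server_key, old_path, blob))


def demo():
    """Constructed sample: create, read back, raw copy without re-encryption, proper move."""
    key = KeyServer().issue_key()
    src = "SD/A/Document/secret.c"
    contents = b"int main(void) { return 0; }"
    blob = encrypt_file(key, src, contents)
    read_back = decrypt_file(key, src, blob)
    try:                                       # raw byte copy to another location
        decrypt_file(key, "SD/B/Export/secret.c", blob)
        copy_readable = True
    except ValueError:
        copy_readable = False                  # path changed, so the combination key differs
    dst = "SD/A/Document/archive/secret.c"
    moved = move_restricted_file(key, src, dst, blob)
    return read_back, copy_readable, decrypt_file(key, dst, moved)


if __name__ == "__main__":
    print(demo())
```

The path is normalised before derivation so that `SD/A/Document/./x` and `SD/A/Document/x` yield the same key; without that, an application could be handed a key for a path spelling the groupware never registered.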
  • Because the key is obtained from the server 10 by the security groupware rather than stored on the terminal, the possibility that unauthorized persons illegally acquire the key and access the restricted file is reduced.
  • Because the combination key depends on the storage path, a restricted file that is simply moved or copied elsewhere (without the re-encryption described above) can no longer be accessed, since its storage path has changed.
  • The security groupware can configure at least one designated storage path for all restricted files of all third-party applications that require security protection. Because all such restricted files are stored in the designated storage path (such as SD/A/Document shown in FIG. 3), unified management by the security groupware is facilitated.
  • FIG. 4 is a diagram for accessing a restricted file according to an example of the present disclosure.
  • To reach a restricted file with which it is not itself associated, the first third-party application A sends a call request to a second third-party application B that can access the target restricted file.
  • A trusted call relationship between the first third-party application A and the second third-party application B can be established by a pre-configured or manually configured method.
  • The second third-party application B then accesses the restricted file directly using the method shown in FIG. 3.
  • After accessing the restricted file, the second third-party application B generates a corresponding calling result and returns it to the first third-party application A.
  • In this way the first third-party application A completes an indirect call through the second third-party application B, which strictly ensures that the association relationships between the third-party applications and the restricted files are not exceeded.
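The decision procedure of blocks 102 to 110 (FIG. 1) together with the trusted indirect call of FIG. 4, as an added example that is not the patent's or H3C's code. The class and method names, the in-memory association and trust tables, and the sample application IDs and paths are assumptions. One check the patent's text does not mention but an implementer needs is path canonicalisation: if the association table is keyed on the raw request string, `SD/A/Document/../Document/x` is not "found in the association table" at block 106 and slips through as an unrestricted file.

```python
# Added example, not the patent's code: security groupware access decision and indirect call.
import posixpath
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

ACCESS_ACTIONS = {"read", "write", "copy", "move"}


class AccessDenied(PermissionError):
    """Raised when an application is rejected at block 108 or lacks a trusted call."""


def _norm(path: str) -> str:
    # Canonicalise before any table lookup so "SD/A/Document/../Document/x" and
    # "SD/A/Document/x" name the same entry; otherwise the block 106 check is bypassed.
    return posixpath.normpath(path)


@dataclass
class SecurityGroupware:
    # Designated storage path for all restricted files (FIG. 3 shows "SD/A/Document").
    designated_path: str = "SD/A/Document"
    # Association table (block 102): normalised restricted-file path -> associated apps.
    association: Dict[str, Set[str]] = field(default_factory=dict)
    # Trusted call relationships (FIG. 4): caller app -> apps it may call indirectly.
    trusted_calls: Dict[str, Set[str]] = field(default_factory=dict)

    def register(self, app_id: str, path: str) -> None:
        """Block 102: mark a file as restricted and record its association."""
        path = _norm(path)
        if not path.startswith(_norm(self.designated_path) + "/"):
            raise ValueError(f"restricted files must live under {self.designated_path}")
        self.association.setdefault(path, set()).add(app_id)

    def is_restricted(self, path: str) -> bool:
        """Block 106: a file is restricted iff it appears in the association table."""
        return _norm(path) in self.association

    def check_access(self, app_id: str, path: str, action: str) -> bool:
        """Blocks 104-110: True if the access may proceed, False if it is rejected."""
        if action not in ACCESS_ACTIONS:
            raise ValueError(f"unknown access action {action!r}")
        path = _norm(path)
        if not self.is_restricted(path):
            return True                               # block 110: not a restricted file
        return app_id in self.association[path]       # block 108: associated, or rejected

    def trust(self, caller: str, callee: str) -> None:
        """FIG. 4: pre-configure a trusted call relationship from caller to callee."""
        self.trusted_calls.setdefault(caller, set()).add(callee)

    def indirect_call(self, caller: str, callee: str, path: str, action: str,
                      handler: Callable[[str, str], bytes]) -> bytes:
        """FIG. 4: caller asks callee (associated with the file) to perform the access
        and hand back the result. The association table is not widened: it is the
        callee's own right to the file that is checked."""
        if callee not in self.trusted_calls.get(caller, set()):
            raise AccessDenied(f"{caller} has no trusted call relationship with {callee}")
        if not self.check_access(callee, path, action):
            raise AccessDenied(f"{callee} is not associated with {path}")
        return handler(_norm(path), action)           # callee performs the access


def demo() -> Tuple[bool, bool, bool, bool, bytes]:
    """Walk through the flows with constructed sample data."""
    gw = SecurityGroupware()
    gw.register("app.B", "SD/A/Document/design.doc")
    owner_ok = gw.check_access("app.B", "SD/A/Document/design.doc", "read")            # True
    stranger = gw.check_access("app.A", "SD/A/Document/design.doc", "read")            # False
    dodge = gw.check_access("app.A", "SD/A/Document/../Document/design.doc", "read")   # False
    plain = gw.check_access("app.A", "SD/A/Document/readme.txt", "read")               # True: never registered
    gw.trust("app.A", "app.B")
    result = gw.indirect_call("app.A", "app.B", "SD/A/Document/design.doc", "read",
                              lambda p, a: f"{a} of {p} by app.B".encode())
    return owner_ok, stranger, dodge, plain, result


if __name__ == "__main__":
    print(demo())
```

The `handler` passed to `indirect_call` is where application B would run the FIG. 3 decrypt-and-read path; here it is a stub that returns a constructed result so the flow can be followed end to end.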
  • FIG. 5A is a diagram for erasing a restricted file for security purposes according to an example of the present disclosure.
  • The procedure for erasing a restricted file includes the following blocks.
  • When the security groupware receives a predetermined control command from the server 10, it parses the ID information of the target restricted file out of the command, then generates and sends a directional erase command to the corresponding third-party application, and the third-party application erases the corresponding restricted file.
  • The predetermined control command may correspond to one or more target restricted files.
  • The plurality of restricted files may belong to a single third-party application or to several different third-party applications.
  • The predetermined control command may be distributed automatically by the server 10 if the server 10 determines that the corresponding terminal equipment is in an unsafe state, or it may be generated after the server 10 receives an erase request from the user. For example, if the terminal equipment is lost, the user may access the network through other equipment and send a corresponding erase request to the server 10.
  • FIG. 5B is a diagram for erasing a restricted file for security purposes according to another example of the present disclosure.
  • The procedure for erasing a restricted file includes the following blocks.
  • The communication module 30 (e.g., a modem) of the terminal equipment receives the directional erase command sent from the security groupware and forwards it to the corresponding third-party application, so that the third-party application erases the corresponding restricted file.
  • The user may use other equipment to send the abovementioned directional erase command to the security groupware of the terminal equipment, by means such as text messages, MMS, or e-mail.
  • A verification password can be carried in the directional erase command; the network access security groupware generates the corresponding directional erase command only if the password is correct and otherwise does not, so as to prevent malicious erase operations by other users.
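Handling of the directional erase command of FIG. 5A (from server 10) and FIG. 5B (from the user by message, carrying a password), as an added example that is not the patent's or H3C's code. The page says only that a verified password is carried in the command; the `ERASE <password> <id>[,<id>...]` message syntax, the salted PBKDF2 password hash, the lockout after repeated failures and the sample file IDs are all assumptions of this example. Two details a practitioner would insist on are included: the comparison is constant time, and an unknown file ID produces no erase command rather than a guess.

```python
# Added example, not the patent's code: password-gated directional erase dispatch.
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

EraseOrder = Tuple[str, str]   # (third-party application, restricted-file ID)


class EraseHandler:
    MAX_FAILED = 5   # stop honouring message commands after repeated wrong passwords (assumption)

    def __init__(self, association: Dict[str, str], password: str) -> None:
        # Association table: restricted-file ID -> owning third-party application.
        self.association = dict(association)
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(password)
        self.failed_attempts = 0
        self.issued: List[EraseOrder] = []   # directional erase commands handed to apps

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def verify_password(self, password: str) -> bool:
        # Constant-time comparison so a wrong password is not distinguishable by timing.
        return hmac.compare_digest(self._hash(password), self._pw_hash)

    @staticmethod
    def parse_message(text: str) -> Tuple[str, List[str]]:
        """Parse 'ERASE <password> <id>[,<id>...]' as sent by SMS/MMS/e-mail (assumed syntax)."""
        parts = text.strip().split(maxsplit=2)
        if len(parts) != 3 or parts[0] != "ERASE":
            raise ValueError("malformed erase command")
        return parts[1], [i for i in parts[2].split(",") if i]

    def _directional_erase(self, file_ids: List[str]) -> List[EraseOrder]:
        """One directional erase command per known restricted file, routed to its owner app."""
        orders = [(self.association[fid], fid) for fid in file_ids if fid in self.association]
        self.issued.extend(orders)
        return orders

    def from_server(self, file_ids: List[str]) -> List[EraseOrder]:
        """FIG. 5A: predetermined control command from server 10. The server link is
        assumed to be the security groupware's already-authenticated session."""
        return self._directional_erase(file_ids)

    def from_message(self, text: str) -> List[EraseOrder]:
        """FIG. 5B: user-sent command; no erase command is generated unless the password checks."""
        if self.failed_attempts >= self.MAX_FAILED:
            return []
        password, file_ids = self.parse_message(text)
        if not self.verify_password(password):
            self.failed_attempts += 1
            return []
        self.failed_attempts = 0
        return self._directional_erase(file_ids)


def demo():
    """Constructed sample: three restricted files owned by two applications."""
    table = {"f-001": "app.B", "f-002": "app.B", "f-003": "app.C"}
    h = EraseHandler(table, "s3cret-pin")
    by_server = h.from_server(["f-001", "f-003", "f-999"])      # unknown ID f-999 is skipped
    wrong = h.from_message("ERASE wrong-pin f-002")             # nothing generated
    right = h.from_message("ERASE s3cret-pin f-002,f-003")      # two directional erase commands
    return by_server, wrong, right, h.failed_attempts


if __name__ == "__main__":
    print(demo())
```

A password in an SMS is only as secret as the carrier channel it crosses; the patent's own FIG. 5A path, where the erase originates from server 10 over the groupware's authenticated session, is the stronger of the two and should be the default when the device is reachable.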
  • A data protection logic is provided in the present disclosure.
  • FIG. 6 is a hardware architecture diagram of a terminal equipment for a data protection logic according to an example of the present disclosure.
  • The terminal equipment may include a processor 61, a storage 62, and an interface 63 for receiving and transmitting data, wherein the processor 61, the storage 62, and the interface 63 are connected via an internal bus 64.
  • Divided by function, the data protection logic may include a security groupware instruction set 60 and a third-party application instruction set 70.
  • By reading the machine-readable instructions stored in the corresponding modules of the data protection logic, the processor 61 may implement the following blocks.
  • a file is marked as a restricted file based on a registration request received from a corresponding third-party application in a terminal equipment, and an association relationship between the restricted file and the corresponding third-party application is stored in an association table.
  • a file access request to a target file is received from a current third-party application, and whether the target file of the access request is a restricted file is determined. If the target file is a restricted file then whether the current third-party application is associated with the target file is determined.
  • If the current third-party application is associated with the target file, it is allowed to access the target file; otherwise its access to the target file is rejected.
  • The processor may further implement the following blocks by reading the machine-readable instructions stored in the corresponding modules of the data protection logic.
  • The third-party application instruction set 70 receives a key from the server and uses the key and the storage path of the target file to generate a combination key according to a predetermined rule;
  • The third-party application instruction set 70 encrypts and/or decrypts the contents of the target file using the combination key.
  • The processor may further implement the following blocks by reading the machine-readable instructions stored in the corresponding modules of the data protection logic.
  • The third-party application instruction set 70 sends a call request to the third-party application associated with the target file, and that application, being associated with the target file, is allowed to access it.
  • The third-party application instruction set 70 can thus achieve indirect access to the restricted file through indirect call requests. Besides allowing access to the restricted files, this ensures that the association relationships between the third-party applications and the restricted files are not exceeded.
  • The processor may further implement the following blocks by reading the machine-readable instructions stored in the corresponding modules of the data protection logic.
  • At least one designated storage path is configured for the restricted files, such that all third-party applications may store their associated restricted files in the designated storage path;
  • a directional erase command is sent to the corresponding third-party application to delete the corresponding restricted file.
  • FIG. 8 is a flowchart illustrating the procedures of a data protection method according to another example of the present disclosure.
  • In this example the security groupware directly executes the corresponding access based on the checksum contained in the file access request. The third-party application can therefore be completely isolated from the restricted file, which further enhances the security of the restricted file. The third-party application merely sends the file access request and receives the access result, without having to deal with the concrete process of accessing the restricted file, which reduces the development difficulty of third-party applications.
  • The method may include the following blocks.
  • A file requiring security protection is marked as a restricted file based on a registration request from a third-party application in a terminal equipment, and a unique checksum that corresponds to the restricted file and the corresponding third-party application is returned.
  • Information about the restricted file (such as file name, storage path, and file size) and information about the corresponding third-party application (such as application name, version number, and developer information) can be used when generating the checksum, so the checksum establishes a unique association between the restricted file and the corresponding third-party application.
  • The file access request of the current third-party application is received, wherein the file access request contains the checksum.
  • A certified third-party application appends the checksum to its file access request to express its demand to access the corresponding restricted file and its corresponding access authorization.
  • The corresponding restricted file is looked up based on the checksum contained in the file access request, the corresponding access is performed once the restricted file is found, and the access result is returned.
  • The security groupware requests a key from the server and uses the key and the storage path of the restricted file (such as SD/A/Document shown in FIG. 8) to generate a combination key according to a predetermined rule, and encrypts or decrypts the contents of the restricted file with the combination key so as to complete the corresponding access and return the access result to the third-party application.
  • FIG. 9 is an example of a diagram for accessing a restricted file shown in FIG. 8.
  • When the "A client software", acting as the security groupware, receives the access request from a certified third-party application, it parses the checksum from the access request and determines from the checksum which restricted file the current third-party application wants to access. It then requests a key from the server 10, uses the key and the storage path of the restricted file (such as "SD/A/Document" shown in FIG. 8) to generate a combination key, and encrypts and/or decrypts the contents of the restricted file with the combination key.
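The FIG. 8/9 variant, in which registration returns a checksum binding the restricted file to its application and later access requests carry only that checksum, as an added example that is not the patent's or H3C's code. The page does not say how the checksum is computed; a plain hash of the file and application metadata it lists could be recomputed by any application that knows that metadata, so this example keys it with a secret held only by the security groupware, which is an assumption. The metadata field names, the in-memory file store and the sample values are constructed. The combination-key encryption the groupware would apply at the storage step is shown in the FIG. 3 example above and is left as a comment here.

```python
# Added example, not the patent's code: checksum-bound access brokered by the groupware.
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple


class ChecksumGroupware:
    def __init__(self) -> None:
        self._secret = os.urandom(32)                     # never leaves the groupware (assumption)
        self._table: Dict[str, Tuple[dict, dict]] = {}    # checksum -> (file info, app info)
        self._store: Dict[str, bytes] = {}                # stand-in for storage under SD/A/Document

    def _checksum(self, file_info: dict, app_info: dict) -> str:
        # Keyed hash over canonical JSON of both records, so only the groupware can produce it.
        material = json.dumps([file_info, app_info], sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._secret, material, hashlib.sha256).hexdigest()

    def register(self, file_info: dict, app_info: dict) -> str:
        """Registration step of FIG. 8: mark the file restricted and return its checksum."""
        for key in ("file_name", "storage_path"):
            if key not in file_info:
                raise ValueError(f"file info lacks {key}")
        checksum = self._checksum(file_info, app_info)
        self._table[checksum] = (dict(file_info), dict(app_info))
        return checksum

    def _lookup(self, checksum: str) -> Optional[Tuple[dict, dict]]:
        # Compare against every entry in constant time instead of a dict lookup, so a
        # forged checksum cannot be refined byte by byte through timing differences.
        if not checksum.isascii():
            return None
        found = None
        for known, entry in self._table.items():
            if hmac.compare_digest(known, checksum):
                found = entry
        return found

    def access(self, checksum: str, action: str, data: bytes = b"") -> bytes:
        """Access step of FIG. 8/9: resolve the restricted file from the checksum and perform
        the access on the application's behalf; the application never touches the file."""
        entry = self._lookup(checksum)
        if entry is None:
            raise PermissionError("unknown or forged checksum")
        path = entry[0]["storage_path"]
        if action == "write":
            self._store[path] = data     # the real groupware encrypts here with the combination key
            return b"ok"
        if action == "read":
            return self._store.get(path, b"")
        raise ValueError(f"unsupported action {action!r}")


def demo():
    """Constructed sample: one registered file, one honest read, one forged checksum."""
    gw = ChecksumGroupware()
    file_info = {"file_name": "design.doc", "storage_path": "SD/A/Document/design.doc", "file_size": 5}
    app_info = {"application_name": "app.B", "version_number": "1.2", "developer": "Example Dev"}
    checksum = gw.register(file_info, app_info)
    gw.access(checksum, "write", b"draft")
    read_back = gw.access(checksum, "read")
    # Another application that knows the same metadata but not the groupware's secret:
    forged = hashlib.sha256(json.dumps([file_info, app_info], sort_keys=True).encode()).hexdigest()
    try:
        gw.access(forged, "read")
        forged_accepted = True
    except PermissionError:
        forged_accepted = False
    return read_back, forged_accepted, len(checksum)


if __name__ == "__main__":
    print(demo())
```

Because the application information is part of the hashed material, two applications registering the same file receive different checksums, which is the "unique association" the page describes; the checksum is therefore a capability and must be protected by the application like any other bearer token.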
  • FIG. 10A is an example of a diagram for erasing a restricted file shown in FIG. 8.
  • The security groupware receives a predetermined erase control command from the server 10.
  • The security groupware parses the ID information of the target restricted file from the predetermined erase control command and then erases the corresponding restricted file.
  • FIG. 10B is another example of a diagram for erasing a restricted file shown in FIG. 8. After the communication module 30 of the terminal equipment receives the predetermined erase control command from the security groupware, the terminal equipment erases the corresponding restricted file.
  • FIG. 11 is another example of a block diagram of a data protection logic of the present disclosure.
  • The hardware architecture of the terminal equipment for this data protection logic is the same as the hardware architecture shown in FIG. 6, and likewise includes a processor, a storage, a non-volatile memory interface, and an internal bus connecting these components.
  • By reading the machine-readable instructions of the corresponding modules stored in the data protection logic, the processor may implement the following blocks.
  • a corresponding file is marked as a restricted file based on a registration request from a third-party application in the terminal equipment, and a unique checksum that corresponds to the restricted file and the corresponding third-party application is returned.
  • a file access request is received from a current third-party application, wherein the file access request contains a current checksum.
  • the corresponding restricted file is determined based on the checksum of the file access request, and a corresponding access operation is performed upon the restricted file and an access result is returned.
  • The processor may further implement the following blocks by reading the machine-readable instructions stored in the corresponding modules of the data protection logic.
  • The figures are merely illustrations of an example; the units or procedures shown in the figures are not necessarily essential for implementing the disclosure.
  • The units in the device in the example can be arranged in the device as described in the examples, or can alternatively be located in one or more devices different from those in the examples.
  • The units in the examples described can be combined into one module or further divided into a plurality of sub-units.

Abstract

A security groupware registers a file as a restricted file based on a registration request from a corresponding third-party application in a terminal equipment and stores an association relationship between the restricted file and the corresponding third-party application. The security groupware receives a file access request from a current third-party application and determines whether a target file of the file access request is a restricted file. If the target file is a restricted file then the security groupware determines whether the current third-party application is associated with the target file. If the current third-party application is associated with the target file, the security groupware allows the current third-party application to access the target file; otherwise, the security groupware rejects the request from the current third-party application to access the target file.

Description

DATA PROTECTION
Background
With the development of mobile communication technology, people are increasingly willing to store various personal or company files and data on their own terminal equipment, so as to facilitate data interaction and data processing anytime and anywhere. Based on this, BYOD (Bring Your Own Device) technology came into being. BYOD means that people may bring their own equipment (such as a PC, a cell phone, a tablet PC, and so on) to work anywhere, for example to log in to business e-mail or online office systems in airports, hotels, coffee shops and other places. In other words, BYOD technology may let people work without being constrained by time, location, equipment, personnel, or network environment.
Brief Description of Drawings
Features of the present disclosure are illustrated by way of example and not limited in the following figure(s), in which like numerals indicate like elements, in which:
FIG. 1 is a flowchart illustrating the procedures of a data protection method according to an example of the present disclosure;
FIG. 2 is a diagram of network environment for protecting restricted files of third-party applications according to an example of the present disclosure;
FIG. 3 is a diagram for accessing a restricted file according to an example of the present disclosure;
FIG. 4 is a diagram for accessing a restricted file according to an example of the present disclosure;
FIG. 5A is a diagram for erasing a restricted file according to an example of the present disclosure;
FIG. 5B is a diagram for erasing a restricted file according to another example of the present disclosure;
FIG. 6 is a hardware architecture diagram of a terminal equipment for a data protection logic according to an example of the present disclosure;
FIG. 7 is a block diagram of a data protection logic according to an example of the present disclosure;
FIG. 8 is a flowchart illustrating the procedures of a data protection method according to another example of the present disclosure;
FIG. 9 is an example of a diagram for accessing a restricted file shown in FIG. 8;
FIG. 10A is an example of a diagram for erasing a restricted file shown in FIG. 8;
FIG. 10B is another example of a diagram for erasing a restricted file shown in FIG. 8; and
FIG. 11 is an example of a block diagram of a data protection logic shown in FIG. 8.
Detailed Description
For simplicity and illustrative purposes, a disclosure is described by referring mainly to an example thereof. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the disclosure of the application. It will be readily apparent however, that the disclosure may be practiced without limitation to these specific details. In other instances, some methods and structures have not been described in detail so as not to unnecessarily obscure the disclosure. As used herein, the terms “a” and “an” are intended to denote at least one of a particular element, the term “includes” means  includes but not limited to, the term “including” means including but not limited to, and the term “based on” means based at least in part on.
File security that involves personal privacy and trade secrets has been widely valued by people. For example, source codes of a computer program wrote by a programmer in a terminal equipment are usually confidential information, and the programmer worries that related files may be accessed by other illegal applications without his authorization. In an example, a centralized access control scheme is provided in the present disclosure to improve file access security. In this example, such a feature can be implemented by reforming traditional network security access component/programs. New features may be added to the network security access component/programs (hereinafter referred to “security groupware” ) . This may be achieved by developing this feature alone or reforming other components/programs.
In this example, the security groupware may be a client software installed in a terminal equipment or a Web security certification program installed in a server. The security groupware, can be used for achieving security management functions, such as ID authentication, security status evaluation, and/or security principle implementation. For example, the network access client software, acting as the security groupware, may be installed in the terminal equipment, in order to maintain local securities of the terminal equipment and secure interaction between the terminal equipment and the server.
As shown in FIG. 1, in an example, the data protection method of the present disclosure may include the following blocks.
At block 102, a security groupware marks a file that requires security protection as a restricted file, based on a registration request from the corresponding third-party application in a terminal equipment. The security groupware stores an association relationship between the restricted file and the corresponding third-party application in an association table.
Herein, a restricted file is a file on which, for security protection purposes, access restrictions are imposed so that third-party applications without access rights cannot access it directly. Through registration management of the restricted files of the third-party applications, the security of access to the restricted files is effectively improved, and illegal applications may be prevented from accessing the restricted files. In different examples, access to a restricted file may include actions such as reading, writing, copying, and moving the contents of the file.
At block 104, the security groupware receives a file access request to a target file from a current third-party application. The “current” third-party application is the third-party application that is currently requesting file access; it may be the same as the third-party application in block 102 or may be a different third-party application.
At block 106, the security groupware determines whether the target file of the file access request is a restricted file. If yes, then go to block 108; otherwise, go to block 110.
In an example, the security groupware may create an association table containing all restricted files according to the registration status at block 102. The security groupware can then determine whether the target file of the file access request is a restricted file based on whether the target file is found in the association table.
At block 108, if the target file is a restricted file, the security groupware determines whether the current third-party application is associated with the target file. If the current third-party application is associated with the target file, then go to block 110; otherwise, the current third-party application’s request to access the target file is rejected.
In this example, because the security groupware stored the association relationship between the restricted file and the corresponding third-party application at block 102, the current third-party application is determined to have authorization to access the restricted file when that association relationship can be found in the association table.
At block 110, the current third-party application is allowed to access the target file.
In the present disclosure, by using the separate security groupware to manage the restricted files, the security management functions can be separated from the third-party applications to reduce the development difficulty of third-party applications, such that developers merely need to call the corresponding management functions of the security groupware without the need for independent development. On the other hand, unified management of all restricted files of the various third-party applications can be achieved, in order to prevent situations in which the security of the restricted files of the third-party applications cannot be guaranteed because of differing technical skills among application developers.
Hereinafter, the network access security groupware, access to a restricted file, and erasing of a restricted file of the present disclosure are further described.
1. Security groupware.
In the example of the present disclosure, by modifying traditional security groupware, the goal of managing the access security of the restricted files of various third-party applications can be achieved. Therefore, when ID authentication, security status evaluation, and/or security policy enforcement are to be performed upon the terminal equipment, the traditional security management functions of the security groupware can be used, which can significantly reduce the workload of duplicated development. In addition, the security groupware achieves access management upon the restricted files, so that the security management of the terminal equipment can be handled uniformly by the security groupware to reduce management difficulty, which facilitates troubleshooting and repair.
As shown in FIG. 2, in an example, assume that a server 10 is located inside a corporate network, and a terminal equipment 20 uses the “A client software” (acting as the security groupware) to implement a data protection solution for restricted files in BYOD scenarios, and successfully accesses the corporate network and logs in to the server 10.
In this example, by modifying and expanding the traditional security management functions of the “A client software”, then in addition to accomplishing the functions of authentication, security status evaluation, and/or security policy enforcement, the “A client software” may also accomplish unified and effective management of the restricted files of all third-party applications in the terminal equipment 20.
2. Access to a restricted file.
FIG. 3 is a diagram for accessing a restricted file according to an example of the present disclosure.
When security protection is necessary for a restricted file, the “A client software”, acting as the security groupware, requests an encryption key from the server 10 and then forwards the encryption key to the current third-party application when the restricted file is initially created by the current third-party application. After that, the current third-party application uses the encryption key and the storage path of the restricted file to generate a combination key according to a predetermined rule, and performs an encryption operation upon the contents of the restricted file by using the combination key.
Under the condition that the current third-party application needs to access a restricted file, the “A client software” requests the decryption key from the server 10 and then forwards the decryption key to the current third-party application when the “A client software” determines that the current third-party application has the authorization to access the restricted file. After that, the current third-party application uses the decryption key and the storage path of the restricted file to generate a combination key according to the predetermined rule, and performs a decryption operation upon the contents of the restricted file by using the combination key.
This example refers to the condition that the current third-party application needs to move or copy a restricted file to another storage. When the “A client software” determines that the current third-party application has the authorization to access the restricted file, the “A client software” requests a decryption key from the server 10 and then forwards the decryption key to the current third-party application. After that, the current third-party application uses the decryption key and the storage path of the restricted file to generate a combination key according to a predetermined rule, and performs a decryption operation upon the contents of the restricted file by using the combination key. After the restricted file is moved or copied to the new storage, the “A client software” requests an encryption key from the server 10 and then forwards the encryption key to the current third-party application. The current third-party application uses the new encryption key (provided by the “A client software”) and the new storage path of the restricted file to generate a new combination key according to the predetermined rule, and performs an encryption operation upon the contents of the restricted file (now moved or copied to the new storage) by using the new combination key.
The method for generating the combination key can be determined by the vendor or the user. For example, in one example the combination key can be generated by arranging the “key” and the “storage path of the restricted file” in that order; in another example, the combination key can be generated by arranging the “storage path of the restricted file” and the “key” in that order. In other examples, other, more complex techniques can be adopted to generate the combination key.
In this example, by using the security groupware to obtain the key from the server 10, the possibility that unauthorized persons illegally acquire the key to access the restricted file can be reduced. Additionally, by tying the combination key to the storage path of the restricted file, the restricted file cannot be accessed when it is moved or copied to another place, because its storage path has changed. Hence, by means of the combination key technique, the security of the restricted file can be significantly improved.
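The combination-key flow of FIG. 3 and the move/copy re-keying described above, as an added example that is not code from the patent or from the “A client software”. The page fixes neither the combination rule nor the cipher, so both are assumptions here: the key and the storage path are combined through a keyed hash (the page's simplest rule is plain concatenation; hashing the concatenation avoids ambiguous splits), and a small HMAC-based stream cipher with an integrity tag stands in for whatever cipher a product would use. The tag is what makes the "file cannot be accessed after it is moved" property observable: decrypting under the wrong path fails outright instead of producing garbage. The server's key store is modelled as a dict of path to key.

```python
"""Added example: combination key = f(server key, storage path), file protection
under that key, and re-keying on move/copy. Illustrative only; the combination
rule and the cipher are assumptions, not the patent's implementation."""
import hashlib
import hmac
import os


def combination_key(server_key: bytes, storage_path: str) -> bytes:
    # Keyed hash over the path: same inputs -> same key, different path -> different key.
    return hmac.new(server_key, storage_path.encode("utf-8"), hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # Counter-mode keystream derived from HMAC-SHA256 (teaching stand-in for a real cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(server_key: bytes, storage_path: str, plaintext: bytes) -> bytes:
    """Encrypt file contents under the combination key; layout: nonce | body | tag."""
    ck = combination_key(server_key, storage_path)
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(ck + nonce, len(plaintext))))
    tag = hmac.new(ck, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unprotect(server_key: bytes, storage_path: str, blob: bytes) -> bytes:
    """Decrypt; raises ValueError when key/path do not match the file (e.g. after a copy)."""
    ck = combination_key(server_key, storage_path)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(ck, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("combination key does not match this file (wrong key or storage path)")
    return bytes(a ^ b for a, b in zip(body, _keystream(ck + nonce, len(body))))


def move_restricted_file(server: dict, old_path: str, new_path: str, blob: bytes) -> bytes:
    """Move/copy flow: decrypt under the old path, obtain a fresh key for the new path
    from the (modelled) server 10, re-encrypt under the new combination key."""
    plaintext = unprotect(server[old_path], old_path, blob)
    server[new_path] = os.urandom(32)          # stands in for the new key issued by server 10
    return protect(server[new_path], new_path, plaintext)


def combination_key_demo() -> dict:
    """Constructed scenario: protect a file, show a raw copy is unreadable, then move it properly."""
    path = "SD/A/Document/secret.c"            # path form taken from FIG. 3
    server = {path: os.urandom(32)}            # constructed key store of server 10
    blob = protect(server[path], path, b"int main(void) { return 0; }")
    roundtrip = unprotect(server[path], path, blob)
    try:                                       # ciphertext copied elsewhere without re-keying
        unprotect(server[path], "SD/copy/secret.c", blob)
        copied_readable = True
    except ValueError:
        copied_readable = False
    new_path = "SD/B/Document/secret.c"
    new_blob = move_restricted_file(server, path, new_path, blob)
    after_move = unprotect(server[new_path], new_path, new_blob)
    return {"roundtrip": roundtrip, "copied_readable": copied_readable, "after_move": after_move}
```

The design point worth noticing is that the path is an input to the key, not merely metadata: an attacker who exfiltrates the ciphertext and the server key for the old location still needs the original path, and the groupware only hands out a key for a new location through the sanctioned move flow.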
In another example, the security groupware can configure at least one designated storage path for storing all the restricted files of all third-party applications that require security protection. Because all the restricted files of all third-party applications that require security protection are stored in the designated storage path (such as SD/A/Document shown in FIG. 3), unified management by the security groupware is facilitated.
FIG. 4 is a diagram for accessing a restricted file according to an example of the present disclosure.
Under the condition that the “A client software”, acting as the security groupware, rejects the first third-party application A’s request to access the target restricted file, the first third-party application A distributes a call request to the second third-party application B, which can access the target restricted file. A trusted call relationship between the first third-party application A and the second third-party application B can be established by a pre-configured or manually-configured method. When the second third-party application B receives the call request for the restricted file from the first third-party application A, the method shown in FIG. 3 can be adopted to implement direct access to the restricted file. After the second third-party application B accesses the restricted file, the second third-party application B generates a corresponding calling result, which is returned to the first third-party application A. The first third-party application A thus completes an indirect call upon the second third-party application B, which strictly ensures that the association relationships between the third-party applications and the restricted files are not exceeded.
3. Erasing of a restricted file.
FIG. 5A is a diagram for erasing a restricted file for security purposes according to an example of the present disclosure. The procedures for erasing a restricted file include the following blocks.
When receiving a predetermined control command from the server 10, the security groupware parses the ID information of a target restricted file out of the predetermined control command, and then generates and sends a directional erase command to the corresponding third-party application; and the third-party application directionally erases the corresponding restricted file.
In an example, the predetermined control command may correspond to one or more target restricted files. When a plurality of restricted files need to be erased simultaneously, the plurality of restricted files may correspond to a single third-party application or a number of different third-party applications.
Note that the predetermined control command may be distributed automatically by the server 10 if the server 10 determines that the corresponding terminal equipment is in an unsafe status, or the predetermined control command may be generated after the server 10 receives an erase request from the user. For example, if the terminal equipment is lost, the user may access the network through other equipment and send a corresponding erase request to the server 10.
FIG. 5B is a diagram for erasing a restricted file for security purposes according to another example of the present disclosure. The procedures for erasing a restricted file include the following blocks.
After the communication module 30 (e.g., a modem) of the terminal equipment receives the directional erase command sent from the security groupware, the communication module 30 sends it to the corresponding third-party application, such that the third-party application may directionally erase the corresponding restricted file. For example, under the condition that the terminal equipment is lost, the user may use other equipment to send the abovementioned directional erase command to the security groupware of the terminal equipment, which can be achieved by means of text messages, MMS, e-mail and other channels. Here, a password to be verified can be carried in the directional erase command, so that the network access security groupware generates the corresponding directional erase command only if the password is correct and otherwise does not generate it, so as to avoid malicious erase operations by other users.
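The erase flow of FIG. 5A and FIG. 5B, as an added example that is not code from the patent. The command format (JSON naming restricted-file IDs, with an optional password) and the password handling are assumptions: a command arriving over the authenticated session with server 10 is accepted as-is, while a command that came in through the communication module from a user on other equipment must carry a password, which is verified against a salted hash with a constant-time comparison. Each named file is resolved to its owning application through the association table, and unknown IDs are skipped rather than guessed; the simulated applications record what they erased.

```python
"""Added example: parsing a predetermined control command and dispatching
directional erase commands (FIG. 5A/5B). Command format and password check are
assumptions, not the patent's specification."""
import hashlib
import hmac
import json

# Constructed: the user's erase password is stored only as a salted PBKDF2 hash.
_SALT = b"constructed-salt"
_STORED_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 50_000)


def password_ok(candidate: str) -> bool:
    """Verify the password carried in a user-originated command (constant-time compare)."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), _SALT, 50_000)
    return hmac.compare_digest(digest, _STORED_HASH)


def handle_control_command(raw: str, from_server: bool, associations: dict, erased: list) -> list:
    """Parse a control command and send one directional erase per owning application.

    raw          -- JSON text such as {"erase": ["doc-17"], "password": "..."} (assumed format)
    from_server  -- True: arrived over the authenticated session with server 10 (FIG. 5A);
                    False: arrived via the communication module from a user (FIG. 5B),
                    so the carried password must verify
    associations -- restricted-file ID -> owning third-party application (from registration)
    erased       -- list that the simulated applications append to when they erase a file
    Returns the list of (application, file ID) erase commands that were sent.
    """
    try:
        cmd = json.loads(raw)
        file_ids = list(cmd["erase"])
    except (ValueError, KeyError, TypeError):
        return []                                  # malformed command: nothing is generated
    if not from_server and not password_ok(str(cmd.get("password", ""))):
        return []                                  # wrong or missing password: refuse
    sent = []
    for fid in file_ids:
        app = associations.get(fid)
        if app is None:
            continue                               # unknown file ID is ignored, never guessed
        sent.append((app, fid))                    # directional erase command to the owner
        erased.append(fid)                         # stands in for the application erasing it
    return sent


def erase_demo() -> dict:
    """Constructed scenario: three restricted files owned by two applications."""
    assoc = {"doc-17": "appA", "doc-18": "appA", "doc-42": "appB"}
    erased = []
    good = handle_control_command('{"erase": ["doc-17", "doc-42"], "password": "correct horse"}',
                                  False, assoc, erased)
    bad = handle_control_command('{"erase": ["doc-18"], "password": "guess"}', False, assoc, erased)
    srv = handle_control_command('{"erase": ["doc-18", "doc-99"]}', True, assoc, erased)
    junk = handle_control_command('not json', True, assoc, erased)
    return {"good": good, "bad": bad, "server": srv, "junk": junk, "erased": erased}
```

Because the command only ever names file IDs and the owner is looked up in the groupware's own table, a forged command cannot direct an erase at an application that does not own the file; the worst a malformed or wrongly-authenticated command can do is nothing.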
In accordance with the data protection methods in the abovementioned examples, a data protection logic is provided in the present disclosure.
FIG. 6 is a hardware architecture diagram of a terminal equipment for a data protection logic according to an example of the present disclosure. The terminal equipment may include a processor 61, a storage 62, and an interface 63 for receiving and transmitting data, wherein the processor 61, the storage 62, and the interface 63 are connected via an internal bus 64. As shown in FIG. 7, the data protection logic, divided by function, may include a security groupware instructions set 60 and a third-party application instructions set 70. In an example, when data protection is desired, the processor 61 may implement the following blocks by reading the machine readable instructions stored in the corresponding modules of the data protection logic.
A file is marked as a restricted file based on a registration request received from a corresponding third-party application in a terminal equipment, and an association relationship between the restricted file and the corresponding third-party application is stored in an association table.
A file access request to a target file is received from a current third-party application, and whether the target file of the access request is a restricted file is determined. If the target file is a restricted file then whether the current third-party application is associated with the target file is determined.
If the current third-party application is associated with the target file, then the current third-party application is allowed to access the target file; otherwise, the current third-party application’s request to access the target file is rejected.
In an example, the processor may implement the following blocks by reading the machine readable instructions stored in corresponding modules of the data protection logic.
If the current third-party application is allowed to access the target file, the third-party application instructions set 70 receives a key from the server, and uses the key and a storage path of the target file to generate a combination key according to a predetermined rule; and
the third-party application instructions set 70 performs encryption and/or decryption operations upon contents of the target file by using the combination key.
In another example, the processor may implement the following blocks by reading the machine readable instructions stored in corresponding modules of the data protection logic.
If the current third-party application’s request to access the target file is rejected, the third-party application instructions set 70 distributes a call request to the third-party application corresponding to the target file, and the third-party application associated with the target file is allowed to access the target file.
In this example, if the current third-party application cannot directly access the target file, the third-party application instructions set 70 can achieve indirect access to the restricted file by applying indirect calling requests. In addition to allowing access to the restricted files, this also ensures that the association relationships between the third-party applications and the restricted files are not exceeded.
In other examples, the processor may implement the following blocks by reading the machine readable instructions stored in corresponding modules of the data protection logic.
At least one designated storage path is configured for the restricted files, such that all third-party applications may store their associated restricted files in the designated storage path;
after receiving a directional erase command sent from a user or a server, a directional erase command is sent to the corresponding third-party application to delete the corresponding restricted file.
FIG. 8 is a flowchart illustrating the procedures of a data protection method according to another example of the present disclosure. In this example, for a target file access request sent by a third-party application, the security groupware directly executes the corresponding access based on the checksum contained in the target file access request. Therefore, the third-party application can be completely isolated from the restricted file, which further enhances the security of the restricted file. Also, the third-party application simply needs to send the file access request and receive the corresponding access result without being concerned with the concrete process of accessing the restricted file, which can reduce the development difficulty of third-party applications. The method may include the following blocks.
At block 802, a file requiring security protection is marked as a restricted file based on a registration request from a third-party application in a terminal equipment, and a unique checksum that corresponds to the restricted file and the corresponding third-party application is returned.
In an example, the information of the restricted file (such as file name, storage path, file size, etc.) and the information of the corresponding third-party application (such as application name, version number, developer information, etc.) can be used when generating the checksum, so that the checksum establishes a unique association relationship between the restricted file and the corresponding third-party application.
At block 804, the file access request of the current third-party application is received, wherein the file access request contains the checksum.
Because the checksum is the unique association relationship between the restricted file and the corresponding third-party application, a certified third-party application can append the checksum to the file access request to indicate its demand to access the corresponding restricted file and its corresponding access authorization.
At block 806, the corresponding restricted file is searched based on the checksum contained in the file access request, and a corresponding access is performed upon finding the restricted file and then an access result is returned.
In an example, the security groupware requests a key from the server and uses the key and the storage path (such as SD/A/Document shown in FIG. 8) of the restricted file to generate a combination key according to a predetermined rule, and performs an encryption or decryption operation upon the contents of the restricted file by using the combination key so as to complete the corresponding access to the restricted file and return the access result to the third-party application.
FIG. 9 is an example of a diagram for accessing a restricted file as shown in FIG. 8. When the “A client software”, acting as the security groupware, receives the access request from a certified third-party application, the “A client software” parses the checksum from the access request and then determines, based on the checksum, the target restricted file that the current third-party application wants to access. After that, the “A client software” requests a key from the server 10, uses the key and the storage path of the restricted file (such as “SD/A/Document” shown in FIG. 8) to generate a combination key, and performs an encryption and/or decryption operation upon the contents of the restricted file by using the combination key.
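The checksum variant of blocks 802 to 806 (FIG. 8 and FIG. 9), as an added example that is not code from the patent. At registration the groupware derives the checksum from the file information (name, storage path under the designated path, size) and the application information (name, version, developer); an access request then carries only the checksum, and the groupware locates the file in its own table and performs the read or write itself, so the application never touches the restricted file. One choice here goes beyond the page: the checksum is an HMAC keyed with a secret held only by the groupware, so that an application cannot compute a valid checksum for a file it did not register, and the groupware additionally checks that the requester is the application the checksum was issued to. The key/combination-key step of block 806 is left out of this block, since it is the same operation shown for FIG. 3 above; file contents are held in a dict standing in for the disk.

```python
"""Added example: checksum-based registration and access (blocks 802-806).
The keyed checksum and the requester check are added choices; illustrative only."""
import hashlib
import hmac
import json
from typing import Optional


class ChecksumGroupware:
    def __init__(self, secret: bytes, storage_root: str = "SD/A/Document"):
        self._secret = secret          # known only to the groupware, never to applications
        self._root = storage_root      # designated storage path, as in FIG. 8
        self._table = {}               # checksum -> (app_info, file_info)
        self._files = {}               # storage path -> contents (stands in for the disk)

    def _checksum(self, file_info: dict, app_info: dict) -> str:
        # Canonical JSON so identical inputs always yield the same checksum.
        canonical = json.dumps({"file": file_info, "app": app_info}, sort_keys=True).encode()
        return hmac.new(self._secret, canonical, hashlib.sha256).hexdigest()

    def register(self, app_info: dict, name: str, contents: bytes) -> str:
        """Block 802: create the restricted file in the designated path and return
        the checksum binding this file to this application."""
        path = f"{self._root}/{name}"
        file_info = {"name": name, "path": path, "size": len(contents)}
        self._files[path] = contents
        checksum = self._checksum(file_info, app_info)
        self._table[checksum] = (app_info, file_info)   # lookups use the table, not recomputation
        return checksum

    def access(self, app_info: dict, checksum: str, op: str, data: bytes = b"") -> Optional[bytes]:
        """Blocks 804-806: resolve the checksum to its restricted file, verify the requester
        is the bound application, perform the access on its behalf, return the result
        (None means the request was rejected)."""
        entry = self._table.get(checksum)
        if entry is None:
            return None                                 # unknown or forged checksum
        bound_app, file_info = entry
        if bound_app != app_info:
            return None                                 # checksum presented by another application
        if op == "read":
            return self._files[file_info["path"]]
        if op == "write":
            self._files[file_info["path"]] = data
            return b"ok"
        return None                                     # unsupported operation


def checksum_demo() -> dict:
    """Constructed scenario: application 'editor' registers a file; 'viewer' replays its checksum."""
    gw = ChecksumGroupware(secret=b"constructed-groupware-secret")
    app_a = {"name": "editor", "version": "1.0", "developer": "dev-a"}
    app_b = {"name": "viewer", "version": "2.3", "developer": "dev-b"}
    checksum = gw.register(app_a, "notes.txt", b"draft v1")
    return {
        "read_by_owner": gw.access(app_a, checksum, "read"),
        "read_by_other": gw.access(app_b, checksum, "read"),
        "forged": gw.access(app_a, "00" * 32, "read"),
        "write": gw.access(app_a, checksum, "write", b"draft v2"),
        "after_write": gw.access(app_a, checksum, "read"),
        "same_inputs_same_checksum": gw.register(app_a, "notes.txt", b"draft v1") == checksum,
    }
```

The requester check matters because the checksum travels in every access request: without it, any application that observed a checksum on the way to the groupware could replay it, which would reintroduce exactly the cross-application access the association was meant to prevent.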
FIG. 10A is an example of a diagram for erasing a restricted file shown in FIG. 8. When the security groupware receives a predetermined erase control command from the server 10, the security groupware parses the ID information of the target restricted file from the predetermined erase control command, and then directionally erases the corresponding restricted file.
FIG. 10B is another example of a diagram for erasing a restricted file as shown in FIG. 8. After the communication module 30 of the terminal equipment receives the predetermined erase control command from the security groupware, the terminal equipment directionally erases the corresponding restricted file.
FIG. 11 is another example of a block diagram of a data protection logic of the present disclosure. The hardware architecture of the terminal equipment for the data protection logic is the same as the hardware architecture shown in FIG. 7, and also includes a processor, a storage, a non-volatile memory interface, and an internal bus for connecting these components. As shown in FIG. 11, the processor may implement the following blocks to read the machine readable instructions of corresponding modules stored in the data protection logic.
A corresponding file is marked as a restricted file based on a registration request from a third-party application in the terminal equipment, and a unique checksum that corresponds to the restricted file and the corresponding third-party application is returned.
A file access request is received from a current third-party application, wherein the file access request contains a current checksum. The corresponding restricted file is determined based on the checksum of the file access request, and a corresponding access operation is performed upon the restricted file and an access result is returned.
In an example, the processor may further implement the following blocks to read the machine readable instructions stored in corresponding modules of the data protection logic.
Create the corresponding restricted file based on the registration request, and store the restricted file in the preconfigured designated storage path.
Request a key from a server when the file access request is received, use the key and the storage path of the corresponding restricted file to generate a combination key according to a predetermined rule, and perform encryption and/or decryption operations upon the contents of the restricted file by using the combination key.
Delete the corresponding restricted file based on a predetermined control command received from the user or from the server.
The figures are merely illustrations of an example, wherein the units or procedure shown in the figures are not necessarily essential for implementing the disclosure. The units in the device in the example can be arranged in the device in the examples as described, or can be alternatively located in one or more devices different from that in the examples. The units in the examples described can be combined into one module or further divided into a plurality of sub-units.
Although the flowcharts described show a specific order of execution, the order of execution may differ from that which is depicted. For example, the order of execution of two or more blocks may be changed relative to the order shown. Also, two or more blocks shown in succession may be executed concurrently or with partial concurrence. All such variations are within the scope of the disclosure.
Throughout the disclosure, the word "comprise", or variations such as "comprises" or "comprising", will be understood to imply the inclusion of a stated element, integer, block, or group of elements, integers or blocks, but not the exclusion of any other element, integer or block, or group of elements, integers or blocks.
Numerous variations and/or modifications may be made to the above-described embodiments, without departing from the broad general scope of the disclosure. The embodiments are, therefore, to be considered in all respects as illustrative and not restrictive.

Claims (14)

  1. A method of data protection, comprising:
    registering, by a security groupware, a file as a restricted file based on a registration request from a corresponding third-party application in a terminal equipment, and storing an association relationship between the restricted file and the corresponding third-party application;
    receiving, by the security groupware, a file access request from a current third-party application, and determining whether a target file of the file access request is a restricted file;
    if the target file is a restricted file then determining whether the current third-party application is associated with the target file; and
    if the current third-party application is associated with the target file, then allowing the current third-party application to access the target file; otherwise, rejecting the request from the current third-party application to access the target file.
  2. A method according to claim 1, further comprising:
    if the current third-party application is allowed to access the target file, then requesting a key from a server and forwarding the key to the current third-party application;
    wherein the current third-party application uses the key and a storage path of the target file to generate a combination key according to a predetermined rule, and perform encryption and/or decryption operations upon contents of the target file by using the combination key.
  3. A method according to claim 2, further comprising:
    if the request of the current third-party application to access the target file is rejected, distributing a call request to the corresponding third-party application associated with the target file, and allowing the third party application associated with target file to access the target file.
  4. A method according to claim 1, further comprising:
    configuring at least one designated storage path for storing the associated restricted files of all third-party applications.
  5. A method according to claim 1, further comprising:
    sending a directional erase command to the corresponding third-party application to delete the corresponding restricted file based on a predetermined control command sent by a user or a server.
  6. A computer readable storage medium on which is stored machine readable instructions for data protection that when executed by a processor cause the processor to:
    mark a file as a restricted file based on a registration request from a corresponding third-party application in a terminal equipment, and store an association relationship between the restricted file and the corresponding third-party application in an association table;
    receive a file access request from a current third-party application, and determine whether a target file of the file access request is a restricted file;
    if the target file is a restricted file then determining whether the current third-party application is associated with the target file; and
    if the current third-party application is associated with the target file, then allow the request from the current third-party application to access the target file; otherwise, reject the current third-party application to access the target file.
  7. The computer readable storage medium according to claim 6, wherein the machine readable instructions are further to cause the processor to:
    if the current third-party application is allowed to access the target file:
    receive, by the current third-party application, a key that security groupware requests from a server;
    use, by the current third-party application, the key and a storage path of the target file to generate a combination key according to a predetermined rule; and
    perform, by the current third-party application, encryption and/or decryption operations upon contents of the target file by using the combination key.
  8. The computer readable storage medium according to claim 7, wherein the machine readable instructions are further to cause the processor to:
    if the request of the current third-party application to access the target file is rejected:
    distribute, by the current third-party application, a call request to the corresponding third-party application associated with the target file, and allowing the third party application associated with target file to access the target file.
  9. The computer readable storage medium according to claim 6, wherein the machine readable instructions are further to cause the processor to:
    configure at least one designated storage path for storing the associated restricted files of all third-party applications.
  10. The computer readable storage medium according to claim 6, wherein the machine readable instructions are further to cause the processor to:
    under the condition that a predetermined control command sent by a user or a server is received:
    send a directional erase command to the corresponding third-party application to delete the corresponding restricted file based on the predetermined control command sent by the user or the server.
  11. A method of data protection, comprising:
    marking, by a security groupware, a file as a restricted file based on a registration request from a corresponding third-party application in a terminal equipment, and returning a unique checksum that corresponds to said restricted file and said third-party application;
    receiving, by a security groupware, a file access request from a current third-party application, wherein the file access request comprises a current checksum; and
    searching, by a security groupware, the corresponding restricted file based on the current checksum of the file access request, and performing a corresponding access upon finding the restricted file and then returning an access result.
  12. A method according to claim 11, further comprising:
    creating the corresponding restricted file based on the registration request, and storing the restricted file in a preconfigured designated storage path.
  13. A method according to claim 11, further comprising:
    requiring a key from a server based on the file access request, using the key and a storage path of the corresponding restricted file to generate a combination key according to a predetermined rule, and performing encryption and/or decryption operations upon contents of the restricted file by using the combination key.
  14. A method according to claim 11, further comprising:
    deleting the corresponding restricted file based on a predetermined control command of a user or a server.
PCT/CN2015/074010 2014-03-21 2015-03-11 Data protection WO2015139571A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410110095.2A CN104935560B (en) 2014-03-21 2014-03-21 A kind of data guard method and its device
CN201410110095.2 2014-03-21

Publications (1)

Publication Number Publication Date
WO2015139571A1 true WO2015139571A1 (en) 2015-09-24

Family

ID=54122533

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/074010 WO2015139571A1 (en) 2014-03-21 2015-03-11 Data protection

Country Status (2)

Country Link
CN (1) CN104935560B (en)
WO (1) WO2015139571A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105681334B (en) * 2016-03-02 2019-03-29 湖南岳麓山数据科学与技术研究院有限公司 An information interaction system and method
CN106503579A (en) * 2016-09-29 2017-03-15 维沃移动通信有限公司 A method and device for accessing a target file

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101131725A (en) * 2007-05-16 2008-02-27 何鸿君 File access control method
CN101213561A (en) * 2005-06-29 2008-07-02 日立软件工程株式会社 Method for protecting confidential file of security countermeasure application and confidential file protection device
CN101925913A (en) * 2008-01-31 2010-12-22 国际商业机器公司 Method and system for encrypted file access
CN102495986A (en) * 2011-12-15 2012-06-13 上海中标凌巧软件科技有限公司 Calling control method for avoiding embezzlement of enciphered data in computer system
WO2013036472A1 (en) * 2011-09-09 2013-03-14 Microsoft Corporation Selective file access for applications

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4854000B2 (en) * 2005-11-02 2012-01-11 株式会社日立ソリューションズ Confidential file protection method
CN101364250B (en) * 2007-08-08 2011-06-08 深圳华为通信技术有限公司 Copyright information processing method and device
CN103065098B (en) * 2011-10-24 2018-01-19 联想(北京)有限公司 Access method and electronic equipment
CN103218576A (en) * 2013-04-07 2013-07-24 福建伊时代信息科技股份有限公司 System and method for preventing electronic files from being copied
CN103246850A (en) * 2013-05-23 2013-08-14 福建伊时代信息科技股份有限公司 Method and device for processing file

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101213561A (en) * 2005-06-29 2008-07-02 日立软件工程株式会社 Method for protecting confidential file of security countermeasure application and confidential file protection device
CN101131725A (en) * 2007-05-16 2008-02-27 何鸿君 File access control method
CN101925913A (en) * 2008-01-31 2010-12-22 国际商业机器公司 Method and system for encrypted file access
WO2013036472A1 (en) * 2011-09-09 2013-03-14 Microsoft Corporation Selective file access for applications
CN102495986A (en) * 2011-12-15 2012-06-13 上海中标凌巧软件科技有限公司 Calling control method for avoiding embezzlement of enciphered data in computer system

Also Published As

Publication number Publication date
CN104935560A (en) 2015-09-23
CN104935560B (en) 2019-06-07

Similar Documents

Publication Publication Date Title
US9805210B2 (en) Encryption-based data access management
US9165139B2 (en) System and method for creating secure applications
US9516066B2 (en) Rights management services integration with mobile device management
US11895096B2 (en) Systems and methods for transparent SaaS data encryption and tokenization
US9367703B2 (en) Methods and systems for forcing an application to store data in a secure storage location
JP2019091480A (en) Image analysis and management
US11290446B2 (en) Access to data stored in a cloud
US10440111B2 (en) Application execution program, application execution method, and information processing terminal device that executes application
JP2017073152A (en) Data management of application having plural operation modes
US20210192062A1 (en) Systems and methods for screenshot mediation based on policy
CN105378749A (en) Data protection for organizations on computing devices
US11841931B2 (en) Systems and methods for dynamically enforcing digital rights management via embedded browser
WO2017112641A1 (en) Dynamic management of protected file access
US10210337B2 (en) Information rights management using discrete data containerization
JP7445358B2 (en) Secure Execution Guest Owner Control for Secure Interface Control
US10726104B2 (en) Secure document management
WO2015139571A1 (en) Data protection
US11450069B2 (en) Systems and methods for a SaaS lens to view obfuscated content
US20170185333A1 (en) Encrypted synchronization
KR102090151B1 (en) Data protection system and method thereof
US9501658B1 (en) Avoiding file content reading using machine information
US20220092193A1 (en) Encrypted file control
KR102005534B1 (en) Smart device based remote access control and multi factor authentication system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 15764145; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 15764145; Country of ref document: EP; Kind code of ref document: A1