WO2022078222A1 - File security management terminal and system - Google Patents


Info

Publication number
WO2022078222A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
directory
encrypted
security management
files
Prior art date
Application number
PCT/CN2021/121874
Other languages
French (fr)
Chinese (zh)
Inventor
肖列
鲍江锭
江晨
Original Assignee
杭州来布科技有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/16 File or folder operations, e.g. details of user interfaces specifically adapted to file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Definitions

  • the present invention relates to the field of file management, and more particularly, to a file security management terminal and system.
  • the technical problem to be solved by the present invention is to provide a file security management terminal and system aiming at the above-mentioned defects of the prior art.
  • the technical solution adopted by the present invention to solve the technical problem is as follows: constructing a file security management terminal, the terminal is installed with multiple application programs and stored with multiple files, and the permissions of the application programs to access the files corresponding to the secure file directory are set, so that the secure file directory corresponds to multiple files;
  • the file filter driver installed on the terminal is used to verify the authority of the application program, and the application program with the access authority accesses the file corresponding to the secure file directory after being verified by the file filter driver.
  • the terminal further includes a first identity verification unit for verifying the user account to use the file authority corresponding to the secure file directory, and after the first identity verification unit has passed the verification The user account is allowed to access files corresponding to the secure file directory.
  • the user identity information verified by the first identity verification unit includes one or more of user account, user password, user fingerprint, user face information, mobile phone number, e-mail, hardware dongle (electronic dog), and USBKey.
  • the authority of each user account to access files in the secure file directory is set.
  • the permission of the application program to access the file corresponding to the secure file directory includes the permission to read the file, the permission to write the file, the permission to create a new file, and the permission to save a file;
  • the application program prohibits access to files other than the secure file directory stored on the terminal.
  • the security file directory is a security folder, and files corresponding to the security file directory are stored in the security folder.
  • the file is an encrypted file
  • the file filter driver is used to decrypt the encrypted file and transmit the decrypted data to the application program;
  • the file filter driver is configured to encrypt the data generated by the application program and save it into the encrypted file.
  • the encrypted file is encrypted using a stream encryption algorithm, no other information is attached during the encryption process, and the file filter driver uses the stream encryption algorithm to encrypt and decrypt data.
  • the terminal further includes a sending unit and a receiving unit;
  • the sending unit is configured to send the encrypted file
  • the receiving unit is configured to receive the encrypted file and store the received encrypted file in the secure file directory.
  • the terminal further includes a first usage recording unit, and the first usage recording unit is used to record all operation records of the file.
  • the application program, in the process of accessing the file corresponding to the secure file directory, prohibits one or more of the cross-application copy operation, the cross-application paste operation, the screen capture operation, and the screen recording operation.
  • the present invention also provides a file security management system, including a file security server and a plurality of terminals, wherein the security server communicates with each of the terminals respectively;
  • Each of the terminals is installed with multiple applications and stored with multiple files, the permissions of the applications to access files corresponding to the secure file directory are set, and the secure file directory corresponds to multiple files; the file filter driver installed on the terminal is used to verify the authority of the application program, and the application program with the access authority can access the file corresponding to the secure file directory after being verified by the file filter driver.
  • At least two of the terminals are located in the same local area network, the files are transmitted between the two terminals in the local area network, and the received files are saved in the secure file directory.
  • the terminal sets the management information of the file before sending the file, and simultaneously sends the file and the management information.
  • the file is an encrypted file
  • the file filter driver is used to decrypt the encrypted file and transmit the decrypted data to the application program;
  • the file filter driver is configured to encrypt the data generated by the application program and save it into the encrypted file.
  • the encrypted file is encrypted using a stream encryption algorithm, no other information is attached during the encryption process, and the file filter driver uses the stream encryption algorithm to encrypt and decrypt data.
  • the encrypted file is transmitted between the two terminals, and the received encrypted file is saved in the secure file directory.
  • the two terminals are located in the Internet.
  • the terminal sets the management information of the encrypted file before sending the encrypted file, and simultaneously sends the encrypted file and the management information.
  • the management information includes one or more of a whitelist of usage rights, a blacklist of usage rights, the number of times the file may be used, the usage time of the file, the time of automatic file destruction, and the one-key destruction of the file.
  • the file security server includes a second identity verification unit for verifying the user account using the corresponding file authority of the secure file directory, and after the second identity verification unit passes the verification, the user account is allowed to access the file corresponding to the secure file directory.
  • the user identity information verified by the second identity verification unit is uploaded to the file security server by the terminal, and the user identity information includes one or more of user account, user password, USBKey, user fingerprint, user face information, and electronic certificate.
  • the file security server includes a second usage recording unit, the second usage recording unit is used to record all operation records of the file, and the operation records are uploaded by the terminal to the file security server.
  • the application program, in the process of accessing the file corresponding to the secure file directory, prohibits one or more of the cross-application copy operation, the cross-application paste operation, the screen capture operation, and the screen recording operation.
  • the file security server further includes:
  • an approval request processing unit for approving user requests;
  • a usage monitoring unit for monitoring file usage;
  • an attribute change unit for changing document attribute information;
  • a destruction instruction delivery unit for delivering file destruction instructions.
  • Implementing the file security management terminal and system of the present invention has the following beneficial effects: the present invention limits the access authority of the application program by defining a secure file directory, and verifies the authority of the application program through the file filter driver, so as to ensure that only authorized applications can access protected files, improving file security.
  • FIG. 1 is a schematic structural diagram of a file security management terminal provided by an embodiment
  • FIG. 2 is a schematic structural diagram of a file security management terminal provided by an embodiment
  • FIG. 3 is a schematic structural diagram of a file security management terminal provided by an embodiment
  • FIG. 4 is a schematic structural diagram of a file security management system provided by an embodiment.
  • the file security management terminal in this embodiment may be an intelligent terminal such as a desktop computer, a notebook computer, a tablet computer, a smart phone, a smart watch, etc.
  • the intelligent terminal is installed with an operating system, and the operating system can be Windows, iOS, Android, Linux, etc.
  • the terminal is installed with multiple application programs (APPs) and stored with multiple files; for example, the applications are Office, AutoCAD, UG, SolidWorks, etc.
  • a secure file directory is set on the terminal, the secure file directory corresponds to a plurality of files, and the permission of each application program to access the files corresponding to the secure file directory is set; that is, the permissions of an application program to access files in the secure file directory include read file permission, write file permission, new file permission, and save file permission. The application program is prohibited from accessing files other than those in the secure file directory stored on the terminal, so that the access scope of the application is strictly limited and the application can only use the files in the secure file directory.
  • the secure file directory is a secure folder, and files corresponding to the secure file directory are stored in the secure folder, that is, the files in the secure folder are access-restricted files.
  • a file filter driver is installed on the terminal in this embodiment, and the file filter driver is used to verify the authority of the application program; the application program with access authority accesses the file corresponding to the secure file directory after passing the verification of the file filter driver.
  • the file filter driver in this embodiment is a "safety gate" set between the application program and the file.
  • the file filter driver checks whether the application program has permission to access the files in the secure file directory; if, after verification, the application has permission to access the files in the secure file directory, the application is allowed to read the file; if the application does not have permission to access files in the secure file directory, the application is prohibited from loading the file and a prompt message pops up. That is to say, the secure directory does not allow access by programs other than the dedicated secure directory management application and registered applications, and the secure directory cannot be operated through system operations, including file and directory move, copy, delete, read, and modify.
  • the access authority of the application program is limited by defining a secure file directory, and the authority of the application program is verified by the file filter driver, so as to ensure that only the authorized application program can access the protected file, and the file security is improved.
  • the file security management terminal of this embodiment further includes a first identity verification unit for verifying the user account using the corresponding file authority of the secure file directory.
  • User identity information needs to be verified when accessing files in the secure file directory: the first identity verification unit looks up whether the user account is a legal account and the authority corresponding to the user account. If, after verification by the first identity verification unit, the user account is allowed to access the files corresponding to the secure file directory, the user is allowed to use the application to access the files in the secure file directory, but the application's authority to access those files still needs to be verified by the file filter driver; the verification process may refer to the above-mentioned embodiment and will not be repeated here.
  • the user identity information verified by the first identity verification unit includes but is not limited to user account, user password, user fingerprint, user face information, mobile phone number, e-mail, hardware dongle (electronic dog), USBKey, etc.; one or more can be selected as required.
  • the file security management terminal of this embodiment can also set permissions for each user account to access files in the secure file directory, that is, set each user account to access some files in the secure file directory, and the permissions for each user account may be different.
  • the permission for each user account to use the application program may be set, that is, the application program that each user account can use and which application programs cannot be used is limited.
  • each user has a corresponding user account.
  • the first identity verification unit verifies the user's identity and user authority to determine whether the user can access the secure file directory.
  • an authentication unit is set to further ensure the safe use of files.
  • the files in the file security management terminal of this embodiment are encrypted files, and the files are encrypted and decrypted by the file filter driver set between the application program and the files.
  • in the process of reading the encrypted file, the file filter driver is used to decrypt the encrypted file and transmit the decrypted data to the application program; in the process of writing the encrypted file, the file filter driver is used to encrypt the data generated by the application program and save it to the encrypted file.
  • the encrypted file in this embodiment is encrypted using a stream encryption algorithm which does not add any other information during the encryption process, and the file filter driver uses the stream encryption algorithm to encrypt and decrypt data.
  • ordinary encryption algorithms need to add additional information such as file headers, IDs, and control information
  • the stream encryption algorithm of the present application does not add any other information during the encryption process, that is, it is not necessary to add additional information such as file headers, IDs, and control information, which makes the encrypted file exactly the same size as the original file.
  • Using the file filter driver at the filter driver layer achieves the simplest technical implementation and the highest encryption and decryption efficiency, so that the encrypted files are always in the secure file directory and there are no unencrypted original files; even if the terminal is violently disassembled, the encrypted files still cannot be decrypted without the file filter driver, thus effectively preventing file leakage due to violent disassembly of the storage device.
  • the files in the secure file directory are all encrypted files, the stream encryption algorithm without additional information is used, and the file filter driver is used for encryption and decryption, which further ensures file security and can effectively prevent file leakage due to violent disassembly of the storage device.
  • the file security management terminal of this embodiment further includes a sending unit and a receiving unit; the sending unit is used to send files in the secure file directory, and the receiving unit is used to receive files from the secure file directories of other terminals, and the received file is stored in the secure file directory of the terminal. If the file is not stored in the secure file directory, the file cannot be used.
  • the sending unit is configured to send the encrypted file
  • the receiving unit is configured to receive the encrypted file and store the received encrypted file in the secure file directory.
  • if the encrypted file is not stored in the secure file directory, the encrypted file cannot be used.
  • files sent between terminals can be sent over a network, or a removable storage device can be used to copy files.
  • the terminal of the present embodiment sets the management information of the encrypted file before sending the encrypted file, and simultaneously sends the encrypted file and the management information, wherein the management information and the encrypted file form an integral file.
  • the management information includes, but is not limited to, a whitelist of usage rights, a blacklist of usage rights, the number of times the file may be used, the usage time of the file, the time of automatic file destruction, and the one-click destruction of the file. The usage rights whitelist refers to the user accounts that have the right to use the file; the usage rights blacklist refers to the user accounts that are prohibited from using the file; the number of file usages refers to the maximum number of times the file can be used, after which the file cannot be used; the file usage time refers to the time for which the file may be opened and used once it is in use, and when the accumulated time the file has been opened and used reaches the file usage time, the file can no longer be used; the automatic file destruction time means that the file is automatically destroyed at the set destruction time; and the one-click file destruction means that the file is destroyed when a preset key signal is received. It can be understood that the management information of the encrypted file cannot be listed exhaustively, and any information that can be used to manage the file may be used.
  • when transferring files between terminals, the received file needs to be stored in the secure file directory. If the receiving terminal does not have a secure file directory, the received file cannot be used, so as to ensure that the file is still in a controlled state after the transfer, ensuring file security.
  • the file security management terminal of this embodiment further includes a first usage recording unit, which is used to record all operation records of the file, including but not limited to user account login time, application operation records, file modification time, file modification content, file moving time, file moving location, file deletion time, file copying time, etc. Administrators have permission to view operation records, while other users do not have permission to view operation records.
  • the file operation record is recorded at any time, so as to facilitate the later checking of the file usage.
  • the cross-application copy operation, cross-application paste operation, screenshot operation, and screen recording operation prohibited by the application program are file content transfer operations.
  • the cross-application copy operation refers to copying content between different applications
  • the cross-application paste operation refers to pasting content between different applications.
  • This embodiment prohibits the cross-application copy operation, the cross-application paste operation, the screen capture operation, and the screen recording operation, which are file content transfer operations; this can effectively prevent the file content from being moved out during the use of the file and effectively protects file security.
  • the file security management system of this embodiment includes a file security server and multiple terminals, and the security server communicates with each terminal respectively.
  • the structure and function of the terminals refer to the above-mentioned embodiments and will not be repeated here.
  • Each terminal is installed with multiple applications and stored with multiple files.
  • Set the permission of the application to access the file corresponding to the secure file directory, and the security file directory corresponds to multiple files;
  • the file filter driver installed on the terminal is used to verify the permissions of the application, and the application program with access permission can access the file corresponding to the secure file directory after passing the verification of the file filter driver.
  • the access authority of the application program is limited by defining a secure file directory, and the authority of the application program is verified by the file filter driver, so as to ensure that only the authorized application program can access the protected file, and the file security is improved.
  • in this embodiment, at least two terminals are located in the same local area network or in the Internet, and the two terminals transmit files between them and save the received files in the secure file directory.
  • the file security management terminal in this embodiment further includes a sending unit and a receiving unit; the sending unit is used to send files in the secure file directory, and the receiving unit is used to receive files from the secure file directories of other terminals, and the received file is stored in the secure file directory of the terminal. If the file is not stored in the secure file directory, the file cannot be used.
  • the sending unit is configured to send the encrypted file
  • the receiving unit is configured to receive the encrypted file and store the received encrypted file in the secure file directory.
  • if the encrypted file is not stored in the secure file directory, the encrypted file cannot be used.
  • the terminal encrypts and decrypts files with the file filter driver set between the application and the files.
  • in the process of reading the encrypted file, the file filter driver is used to decrypt the encrypted file and transmit the decrypted data to the application program; in the process of writing the encrypted file, the file filter driver is used to encrypt the data generated by the application program and save it to the encrypted file.
  • the encrypted file in this embodiment is encrypted using a stream encryption algorithm which does not add any other information during the encryption process, and the file filter driver uses the stream encryption algorithm to encrypt and decrypt data.
  • ordinary encryption algorithms need to add additional information such as file headers, IDs, and control information
  • the stream encryption algorithm of the present application does not add any other information during the encryption process, that is, it is not necessary to add additional information such as file headers, IDs, and control information, which makes the encrypted file exactly the same size as the original file.
  • Using the file filter driver at the filter driver layer achieves the simplest technical implementation and the highest encryption and decryption efficiency, so that the encrypted files are always in the secure file directory and there are no unencrypted original files; even if the terminal is violently disassembled, the encrypted files still cannot be decrypted without the file filter driver, thus effectively preventing file leakage due to violent disassembly of the storage device.
  • the terminal of the present embodiment sets the management information of the encrypted file before sending the encrypted file, and simultaneously sends the encrypted file and the management information, wherein the management information and the encrypted file form an integral file.
  • the management information includes, but is not limited to, a whitelist of usage rights, a blacklist of usage rights, the number of times the file may be used, the usage time of the file, the time of automatic file destruction, and the one-click destruction of the file. The usage rights whitelist refers to the user accounts that have the right to use the file; the usage rights blacklist refers to the user accounts that are prohibited from using the file; the number of file usages refers to the maximum number of times the file can be used, after which the file cannot be used; the file usage time refers to the time for which the file may be opened and used once it is in use, and when the accumulated time the file has been opened and used reaches the file usage time, the file can no longer be used; the automatic file destruction time means that the file is automatically destroyed at the set destruction time; and the one-click file destruction means that the file is destroyed when a preset key signal is received. It can be understood that the management information of the encrypted file cannot be listed exhaustively, and any information that can be used to manage the file may be used.
  • when transferring files between terminals, the received file needs to be stored in the secure file directory. If the receiving terminal does not have a secure file directory, the received file cannot be used, so as to ensure that the file is still in a controlled state after the transfer, ensuring file security.
  • the file security server in the file security management system of this embodiment includes a second identity verification unit for verifying the user account using the file authority corresponding to the secure file directory, and after the second identity verification unit passes the verification, the user account is allowed to access the file corresponding to the secure file directory.
  • the terminal uploads the received user identity information to the file security server, and the second identity verification unit looks up whether the user account is a legal account and the authority corresponding to the user account. If, after verification by the second identity verification unit, the user account is allowed to access the file corresponding to the secure file directory, the user is allowed to use the application to access the file in the secure file directory, but the application's authority to access those files still needs to be verified by the file filter driver; the verification process may refer to the above-mentioned embodiment and will not be repeated here.
  • the user identity information verified by the second identity verification unit includes but is not limited to user account, user password, user fingerprint, user face information, mobile phone number, e-mail, hardware dongle (electronic dog), USBKey, etc.; one or more can be selected as required.
  • the file security server of this embodiment may further set the authority of each user account to access files in the secure file directory, that is, set each user account to access some files in the secure file directory, and the authority of each user account may be different.
  • the permission for each user account to use the application program may be set, that is, the application program that each user account can use and which application programs cannot be used is limited.
  • each user has a corresponding user account.
  • the second identity verification unit verifies the user's identity and user authority to determine whether the user can access the secure file directory.
  • an authentication unit is set to further ensure the safe use of files.
  • the file security management terminal of this embodiment further includes a second usage recording unit, and the second usage recording unit is used to record all operation records of the file.
  • the operation records include but are not limited to the user account login time, application operation records, file modification time, file modification content, file moving time, file moving location, file deletion time, file copying time, etc.
  • the operation records are uploaded by the terminal to the file security server. Administrators have the right to view the operation records, and can log in to the file security server to view the usage records of each user. Other users do not have the right to view the operation records.
  • the file operation record is recorded at any time, so as to facilitate the later checking of the file usage.
  • while accessing files corresponding to the secure file directory, the application program is prohibited from performing cross-application copy operations, cross-application paste operations, screenshot operations and screen recording operations, all of which are file content transfer operations.
  • the cross-application copy operation refers to copying content between different applications.
  • the cross-application paste operation refers to pasting content between different applications.
  • this embodiment prohibits the file content transfer operations of cross-application copy, cross-application paste, screen capture and screen recording, which effectively prevents file content from being moved out while the file is in use and effectively protects file security.
  • the file security server in some file security management systems further includes an approval request processing unit for approving user requests: the user uploads the request information through the terminal, and the administrator can view and review the request information by logging in to the file security server.
  • the file security server in some file security management systems further includes a usage monitoring unit for monitoring file usage, which sends monitoring report information to the management terminal when a monitored file is used.
  • the file security server in some file security management systems further includes: an attribute changing unit for changing file attribute information.
  • the attribute change unit on the server sends the change information to the target terminal, and the target terminal applies the change information to change the file attributes.
  • the file security server in some file security management systems further includes: a destruction instruction delivery unit for delivering a file destruction instruction.
  • the management terminal transmits the destruction instruction through the file security server.
  • the unit sends a destruction instruction to the target terminal, and the target terminal destroys the target file after receiving the destruction instruction.


Abstract

A file security management terminal and system. A plurality of application programs are installed in the terminal, and a plurality of files are stored in the terminal; the permission for the application programs to access files corresponding to a secure file directory is set, and the secure file directory corresponds to a plurality of files; a file filtering driver installed in the terminal is used for verifying the permissions of the application programs; and the application programs with access permission access the files corresponding to the secure file directory after passing verification by the file filtering driver. The access permissions of application programs are limited by means of defining a secure file directory, and the permission of the application programs is verified by means of a file filtering driver, so as to ensure that only authorized application programs can access protected files, thereby improving the file security.

Description

A file security management terminal and system
Technical field
The present invention relates to the field of file management, and more specifically to a file security management terminal and system.
Background
Electronic files are found on all kinds of smart terminals. While they improve work efficiency, they also carry security risks: once an electronic file is stolen, the loss to its owner can be enormous. Especially in places with high confidentiality requirements, such as R&D enterprises and government departments, ensuring that files are used securely and under control has long been a problem that needs solving.
Technical problem
The technical problem to be solved by the present invention is to provide a file security management terminal and system that address the above defects of the prior art.
Technical solution
The technical solution adopted by the present invention to solve its technical problem is to construct a file security management terminal on which multiple application programs are installed and multiple files are stored; the permission of the application programs to access files corresponding to a secure file directory is set, and the secure file directory corresponds to multiple files;
a file filter driver installed on the terminal is used to verify the authority of the application programs, and an application program with access authority accesses the files corresponding to the secure file directory after being verified by the file filter driver.
Further, in the file security management terminal of the present invention, the terminal also includes a first identity verification unit for verifying a user account's authority to use files corresponding to the secure file directory; after the first identity verification unit passes the verification, the user account is allowed to access the files corresponding to the secure file directory.
Further, in the file security management terminal of the present invention, the user identity information verified by the first identity verification unit includes one or more of: user account, user password, user fingerprint, user face information, mobile phone number, e-mail address, hardware dongle, and USBKey.
Further, in the file security management terminal of the present invention, the authority of each user account to access files in the secure file directory is set.
Further, in the file security management terminal of the present invention, the permission of the application program to access files corresponding to the secure file directory includes permission to read a file, permission to write a file, permission to create a new file, and permission to save a file as a new file;
the application program is prohibited from accessing files stored on the terminal outside the secure file directory.
Further, in the file security management terminal of the present invention, the secure file directory is a secure folder, and the files corresponding to the secure file directory are stored in that secure folder.
Further, in the file security management terminal of the present invention, the files are encrypted files;
during reading of an encrypted file, the file filter driver decrypts the encrypted file and transmits the decrypted data to the application program;
during writing of an encrypted file, the file filter driver encrypts the data generated by the application program and saves it into the encrypted file.
Further, in the file security management terminal of the present invention, the encrypted file is encrypted using a stream encryption algorithm, no other information is attached during encryption, and the file filter driver uses the stream encryption algorithm to encrypt and decrypt the data.
Further, in the file security management terminal of the present invention, the terminal also includes a sending unit and a receiving unit;
the sending unit sends the encrypted file, and the receiving unit receives the encrypted file and stores the received encrypted file in the secure file directory.
Further, in the file security management terminal of the present invention, the terminal also includes a first usage recording unit, which records all operation records of the files.
Further, in the file security management terminal of the present invention, while accessing files corresponding to the secure file directory, the application program is prohibited from performing one or more of: cross-application copy operations, cross-application paste operations, screenshot operations, and screen recording operations.
In addition, the present invention also provides a file security management system including a file security server and multiple terminals, the security server being communicatively connected to each of the terminals;
each terminal has multiple application programs installed and multiple files stored; the permission of the application programs to access files corresponding to a secure file directory is set, and the secure file directory corresponds to multiple files; a file filter driver installed on the terminal verifies the authority of the application programs, and an application program with access authority accesses the files corresponding to the secure file directory after being verified by the file filter driver.
Further, in the file security management system of the present invention, at least two of the terminals are located in the same local area network; the files are transmitted between two terminals within the local area network, and the received files are saved in the secure file directory.
Further, in the file security management system of the present invention, the terminal sets the management information of the file before sending it, and sends the file and the management information together.
Further, in the file security management system of the present invention, the files are encrypted files;
during reading of an encrypted file, the file filter driver decrypts the encrypted file and transmits the decrypted data to the application program;
during writing of an encrypted file, the file filter driver encrypts the data generated by the application program and saves it into the encrypted file.
Further, in the file security management system of the present invention, the encrypted file is encrypted using a stream encryption algorithm, no other information is attached during encryption, and the file filter driver uses the stream encryption algorithm to encrypt and decrypt the data.
Further, in the file security management system of the present invention, the encrypted file is transmitted between two of the terminals, and the received encrypted file is saved in the secure file directory.
Further, in the file security management system of the present invention, the two terminals are located on the Internet.
Further, in the file security management system of the present invention, the terminal sets the management information of the encrypted file before sending it, and sends the encrypted file and the management information together.
Further, in the file security management system of the present invention, the management information includes one or more of: a usage-permission whitelist, a usage-permission blacklist, a file usage count, a file usage time, a file auto-destruction time, and one-key file destruction.
Further, in the file security management system of the present invention, the file security server includes a second identity verification unit for verifying a user account's authority to use files corresponding to the secure file directory; after the second identity verification unit passes the verification, the user account is allowed to access the files corresponding to the secure file directory.
Further, in the file security management system of the present invention, the user identity information verified by the second identity verification unit is uploaded to the file security server by the terminal, and includes one or more of: user account, user password, USBKey, user fingerprint, user face information, and electronic certificate.
Further, in the file security management system of the present invention, the file security server includes a second usage recording unit, which records all operation records of the files; the operation records are uploaded to the file security server by the terminal.
Further, in the file security management system of the present invention, while accessing files corresponding to the secure file directory, the application program is prohibited from performing one or more of: cross-application copy operations, cross-application paste operations, screenshot operations, and screen recording operations.
Further, in the file security management system of the present invention, the file security server further includes:
an approval request processing unit for approving user requests; and/or
a usage monitoring unit for monitoring file usage; and/or
an attribute change unit for changing file attribute information; and/or
a destruction instruction delivery unit for delivering file destruction instructions.
Beneficial effects
Implementing the file security management terminal and system of the present invention has the following beneficial effects: the present invention restricts the access authority of application programs by defining a secure file directory, and verifies the authority of application programs through a file filter driver, so as to ensure that only authorized application programs can access protected files, thereby improving file security.
Description of drawings
The present invention is further described below with reference to the accompanying drawings and embodiments, in which:
FIG. 1 is a schematic structural diagram of a file security management terminal provided by an embodiment;
FIG. 2 is a schematic structural diagram of a file security management terminal provided by an embodiment;
FIG. 3 is a schematic structural diagram of a file security management terminal provided by an embodiment;
FIG. 4 is a schematic structural diagram of a file security management system provided by an embodiment.
Best mode for carrying out the invention
In order to give a clearer understanding of the technical features, objects and effects of the present invention, specific embodiments of the present invention are now described in detail with reference to the accompanying drawings.
Embodiment 1
Referring to FIG. 1, the file security management terminal of this embodiment may be a smart terminal such as a desktop computer, notebook computer, tablet computer, smartphone or smart watch. The smart terminal has an operating system installed, which may be Windows, iOS, Android, Linux or similar, and has multiple application programs (APPs) installed and multiple files stored; the application programs may be, for example, Office, AutoCAD, UG or SolidWorks. To restrict access to files, this embodiment sets up a secure file directory on the terminal that corresponds to multiple files, and sets each application program's permission to access the files corresponding to the secure file directory, i.e. whether the application program can access the files under that directory. Specifically, an application program's permission to access files corresponding to the secure file directory includes permission to read a file, permission to write a file, permission to create a new file, and permission to save a file as a new file; and the application program is prohibited from accessing files stored on the terminal outside the secure file directory. This strictly limits the scope of the application program's access: it can only use files under the secure file directory. Optionally, the secure file directory is a secure folder, and the files corresponding to the secure file directory are stored inside that folder, i.e. the files in the secure folder are the access-restricted files.
Further, a file filter driver is installed on the terminal of this embodiment; the filter driver verifies the authority of application programs, and an application program with access authority accesses the files corresponding to the secure file directory after passing the filter driver's verification. In other words, the file filter driver of this embodiment is a "safety gate" placed between the application program and the files. When an application program wants to access a file under the secure file directory, the terminal automatically invokes the file filter driver to verify the application program's authority, i.e. to check whether the application program has permission to access files under the secure file directory. If it does, the application program is allowed to read the file; if it does not, the application program is prevented from loading the file and a prompt message is displayed. That is to say, the secure directory does not allow access by any program other than the dedicated secure-directory management application and registered applications, and the secure directory cannot be operated on through ordinary system operations, including moving, copying, deleting, reading and modifying files and directories.
This embodiment restricts the access authority of application programs by defining a secure file directory, and verifies the authority of application programs through a file filter driver, so as to ensure that only authorized application programs can access protected files, thereby improving file security.
Embodiment 2
Building on Embodiment 1, to further ensure the security of files under the secure file directory, the file security management terminal of this embodiment also includes a first identity verification unit for verifying a user account's authority to use files corresponding to the secure file directory. When a user wants to access files under the secure file directory, the user's identity information must be verified: the first identity verification unit checks whether the user account is a legitimate account and what authority corresponds to it. If the first identity verification unit passes the verification and the user account is allowed to access the files corresponding to the secure file directory, the user is allowed to use an application program to access files under the secure file directory; however, the application program's access to those files must still have its authority verified by the file filter driver, and the verification process is as in the above embodiment and is not repeated here. Optionally, the user identity information verified by the first identity verification unit includes, but is not limited to, user account, user password, user fingerprint, user face information, mobile phone number, e-mail address, hardware dongle and USBKey; one or more may be selected as required.
Further, the file security management terminal of this embodiment may also set each user account's authority to access files in the secure file directory, i.e. each user account is given access to only some of the files in the secure file directory, and the authority of each user account may differ. Optionally, this embodiment may also set each user account's permission to use application programs, i.e. restrict which application programs each user account can use and which it cannot.
In this embodiment each user has a corresponding user account. When a user wants to use files under the secure file directory, the user must first log in to their own user account, and the first identity verification unit verifies the user's identity and authority to determine whether the user may access the secure file directory. By providing an identity verification unit, this embodiment further ensures that files are used securely.
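The access decision that Embodiments 1 and 2 assign to the file filter driver and the first identity verification unit, written out as an added example (this is not the patent's or the applicant's code). The policy layout, the function names, the "pass-through" treatment of unregistered programs outside the secure directory and the sample accounts are assumptions made for the illustration; a real implementation makes the same decision inside a kernel filter driver.

```python
"""
Added example (not the patent's own code): a user-mode model of the access
decision that Embodiments 1 and 2 assign to the file filter driver and the
first identity verification unit. Policy layout, names and sample accounts
are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from enum import Flag, auto
from pathlib import PurePosixPath


class Perm(Flag):
    """The four access rights the patent enumerates for an application."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    CREATE = auto()
    SAVE_AS = auto()


# Operation an application requests -> right it needs.
OPERATION_PERMS = {"read": Perm.READ, "write": Perm.WRITE,
                   "create": Perm.CREATE, "save_as": Perm.SAVE_AS}

# Operations on the directory entries themselves that the patent reserves
# for the dedicated secure-directory management application.
DIRECTORY_OPS = {"move", "copy", "delete", "rename"}


@dataclass
class Policy:
    secure_dir: PurePosixPath
    manager_app: str
    # registered application -> rights on files under secure_dir
    app_perms: dict = field(default_factory=dict)
    # user account -> set of file names it may use, or "*" for every file
    user_files: dict = field(default_factory=dict)
    # user account -> set of applications the account may use
    user_apps: dict = field(default_factory=dict)


def in_secure_dir(policy: Policy, path: str) -> bool:
    p = PurePosixPath(path)
    return p == policy.secure_dir or policy.secure_dir in p.parents


def check_access(policy: Policy, app: str, user: str, path: str, op: str):
    """Decide one I/O request. Returns (allowed, reason)."""
    registered = app in policy.app_perms

    if not in_secure_dir(policy, path):
        # A registered application may only use files in the secure
        # directory. Other programs are outside this policy's scope
        # (assumption: the driver passes their requests through).
        if registered:
            return False, "registered app may not use files outside secure dir"
        return True, "outside secure directory, not governed"

    if app == policy.manager_app:
        return True, "manager app"
    if op in DIRECTORY_OPS:
        # Moving, copying, deleting or renaming protected entries through
        # ordinary system operations is blocked for everyone else.
        return False, "system operation on secure directory blocked"
    if not registered:
        return False, "application not registered for secure directory"

    needed = OPERATION_PERMS.get(op)
    if needed is None:
        return False, "unknown operation"
    if needed not in policy.app_perms[app]:
        return False, "app lacks " + needed.name

    # Embodiment 2: the logged-in account must also be permitted to use
    # this application and this particular file.
    if app not in policy.user_apps.get(user, set()):
        return False, "user may not use this application"
    allowed = policy.user_files.get(user)
    if allowed is None:
        return False, "unknown user account"
    if allowed != "*" and PurePosixPath(path).name not in allowed:
        return False, "user not permitted on this file"
    return True, "allowed"


# Constructed sample policy for the demonstration.
SAMPLE = Policy(
    secure_dir=PurePosixPath("/home/alice/secure"),
    manager_app="secure-dir-manager",
    app_perms={"office": Perm.READ | Perm.WRITE | Perm.CREATE | Perm.SAVE_AS,
               "viewer": Perm.READ},
    user_files={"alice": "*", "bob": {"design.dwg"}},
    user_apps={"alice": {"office", "viewer"}, "bob": {"viewer"}},
)

if __name__ == "__main__":
    for req in [("office", "alice", "/home/alice/secure/plan.docx", "write"),
                ("viewer", "bob", "/home/alice/secure/design.dwg", "write"),
                ("explorer", "alice", "/home/alice/secure/plan.docx", "copy"),
                ("office", "alice", "/tmp/notes.txt", "read")]:
        print(req, check_access(SAMPLE, *req))
```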
Embodiment 3
Building on the above embodiments, to further ensure the security of files under the secure file directory, in the file security management terminal of this embodiment the files are encrypted files, and encryption and decryption are performed by the file filter driver placed between the application program and the files. Specifically, during reading of an encrypted file, the file filter driver decrypts the encrypted file and transmits the decrypted data to the application program; during writing of an encrypted file, the file filter driver encrypts the data generated by the application program and saves it into the encrypted file.
Optionally, the encrypted files of this embodiment are encrypted using a stream encryption algorithm that attaches no other information during encryption, and the file filter driver uses this stream encryption algorithm to encrypt and decrypt data. It will be understood that ordinary encryption schemes need to add extra information such as a file header, an ID and control information, whereas the stream encryption algorithm of this application attaches no other information during encryption, i.e. no file header, ID, control information or the like needs to be added, so the encrypted file is exactly the same size as the original file. Performing the encryption in the file filter driver, at the filter-driver layer, makes the technical implementation as simple as possible and the encryption and decryption efficiency as high as possible. In this way the files under the secure file directory are encrypted at all times and no unencrypted original file exists, so even if the terminal is physically disassembled, the encrypted files still cannot be decrypted without the file filter driver, which effectively prevents file leakage through forcible removal of the storage device.
In this embodiment all files under the secure file directory are encrypted files, a stream encryption algorithm with no additional information is used, and encryption and decryption are performed by the file filter driver; this further ensures file security and effectively prevents file leakage through forcible removal of the storage device.
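A length-preserving stream encryption layer of the kind Embodiment 3 places in the file filter driver, as an added example that is not the patent's own code. The patent does not name its stream algorithm, so the HMAC-SHA-256 counter-mode keystream below is a stand-in for illustration; the key, the use of the file path as the per-file keystream input, and the sample data are constructed. Because no header or other information may be stored with the file, whatever makes the keystream differ between files has to be something the driver can recover without reading the file; here that is the file's path.

```python
"""
Added example (not the patent's own code): length-preserving encryption and
decryption in a filter driver, Embodiment 3 style. The HMAC-SHA-256
counter-mode keystream is a stand-in for the unnamed stream algorithm; key,
file identifier and sample data are constructed for the demonstration.
"""
import hashlib
import hmac

BLOCK = 32  # SHA-256 digest length: one keystream block


def keystream_block(key: bytes, file_id: bytes, index: int) -> bytes:
    """Keystream block `index` for one file: HMAC(key, file_id || index).
    Mixing in file_id keeps two files with equal content from sharing a
    keystream even though no per-file value is stored on disk."""
    return hmac.new(key, file_id + index.to_bytes(8, "big"), hashlib.sha256).digest()


def xor_at(key: bytes, file_id: bytes, offset: int, data: bytes) -> bytes:
    """XOR `data` with the keystream starting at byte `offset`.
    Encryption and decryption are the same operation, and the output is
    exactly as long as the input, so the file on disk keeps its original
    size. Addressing the keystream by offset is what lets a filter driver
    serve partial reads and writes without touching the rest of the file."""
    out = bytearray()
    idx, within = divmod(offset, BLOCK)
    block = keystream_block(key, file_id, idx)
    for b in data:
        if within == BLOCK:
            idx, within = idx + 1, 0
            block = keystream_block(key, file_id, idx)
        out.append(b ^ block[within])
        within += 1
    return bytes(out)


class FilterDriver:
    """Sits between the application and the stored file: the disk only ever
    holds ciphertext, the application only ever sees plaintext."""

    def __init__(self, key: bytes):
        self._key = key
        self.disk = {}  # path -> bytearray of ciphertext (in-memory stand-in)

    def write(self, path: str, offset: int, plaintext: bytes) -> int:
        """Application write: encrypt on the way down and store at `offset`."""
        fid = path.encode()
        buf = self.disk.setdefault(path, bytearray())
        if len(buf) < offset:
            # Fill a hole with encrypted zero bytes so later reads stay consistent.
            buf.extend(xor_at(self._key, fid, len(buf), bytes(offset - len(buf))))
        ct = xor_at(self._key, fid, offset, plaintext)
        buf[offset:offset + len(ct)] = ct
        return len(ct)

    def read(self, path: str, offset: int, length: int) -> bytes:
        """Application read: fetch ciphertext and decrypt on the way up."""
        buf = self.disk.get(path, b"")
        return xor_at(self._key, path.encode(), offset, bytes(buf[offset:offset + length]))

    def raw(self, path: str) -> bytes:
        """What a reader of the bare storage device, without the driver, sees."""
        return bytes(self.disk.get(path, b""))


if __name__ == "__main__":
    drv = FilterDriver(key=b"constructed-demo-key")
    drv.write("/secure/plan.docx", 0, b"hello secure world")
    drv.write("/secure/plan.docx", 6, b"SECURE")  # partial overwrite at an offset
    print(drv.read("/secure/plan.docx", 0, 18))   # b'hello SECURE world'
    print(len(drv.raw("/secure/plan.docx")))      # 18, same size as the plaintext
```

Note that a same-size ciphertext also leaves no room for an integrity tag, so a filter driver built this way detects tampering with the stored bytes only through other means (for example the operation records of Embodiment 5).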
Embodiment 4
Referring to FIG. 2, building on the above embodiments, the file security management terminal of this embodiment also includes a sending unit and a receiving unit. The sending unit sends files under the secure file directory; the receiving unit receives files from other terminals' secure file directories and stores the received files under the terminal's secure file directory. If a file is not stored under the secure file directory, it cannot be used.
Optionally, if the file sent is an ordinary file, i.e. an unencrypted file, the sending unit sends the file under the secure file directory, the receiving unit receives files from other terminals' secure file directories and stores the received files under the terminal's secure file directory, and if a file is not stored under the secure file directory it cannot be used.
Optionally, if the file is an encrypted file, the sending unit sends the encrypted file, and the receiving unit receives the encrypted file and stores it in the secure file directory. Likewise, if the encrypted file is not stored under the secure file directory, it cannot be used. Optionally, files may be sent between terminals over a network, or copied using a removable storage device.
Referring to FIG. 3, to further ensure the security of files under the secure file directory, the terminal of this embodiment sets the management information of an encrypted file before sending it and sends the encrypted file and the management information together, the management information and the encrypted file forming a single combined file. Optionally, the management information includes, but is not limited to, a usage-permission whitelist, a usage-permission blacklist, a file usage count, a file usage time, a file auto-destruction time, and one-key file destruction. The usage-permission whitelist is the set of user accounts entitled to use the file; the usage-permission blacklist is the set of user accounts prohibited from using the file; the file usage count is the maximum number of times the file may be used, after which the file can no longer be used; the file usage time is the time for which the file may be open and in use, and once the accumulated time the file has been open reaches the file usage time, the file can no longer be used; the file auto-destruction time means the file is automatically destroyed at the configured destruction moment; and one-key file destruction means the file can be destroyed on receipt of a preset key signal. It will be understood that the management information of an encrypted file cannot be listed exhaustively; any information capable of managing the file may serve as management information for the encrypted file.
In this embodiment, when files are transferred between terminals, the received file must be stored under the secure file directory; if the receiving terminal has no secure file directory, the received file cannot be used. This ensures that a file remains in a controlled state after transfer, guaranteeing file security.
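Enforcement of the management information that Embodiment 4 bundles with an encrypted file, as an added example that is not the patent's own code. The container layout (a tag, a length-prefixed JSON header, then the encrypted payload), the field names, the rule that an empty whitelist admits every non-blacklisted account, and the sample values are assumptions made for the illustration; the patent only lists the management items and says the two travel as one file.

```python
"""
Added example (not the patent's own code): the combined transfer file of
Embodiment 4 and the checks a receiving terminal applies to its management
information. Container layout, field names and sample values are
assumptions made for this illustration.
"""
import json
import struct
from dataclasses import asdict, dataclass, field
from typing import Optional

MAGIC = b"MGMT"  # constructed tag marking a combined management-info file


@dataclass
class ManagementInfo:
    whitelist: list = field(default_factory=list)  # accounts entitled to use the file
    blacklist: list = field(default_factory=list)  # accounts prohibited from using it
    max_uses: Optional[int] = None                 # file usage count; None = unlimited
    max_open_seconds: Optional[int] = None         # file usage time; None = unlimited
    destroy_at: Optional[int] = None               # auto-destruction time (epoch seconds)
    one_key_destroy: bool = False                  # destroyable by a preset key signal


def pack(info: ManagementInfo, encrypted_payload: bytes) -> bytes:
    """Management info and encrypted file travel as one unit."""
    header = json.dumps(asdict(info)).encode()
    return MAGIC + struct.pack(">I", len(header)) + header + encrypted_payload


def unpack(blob: bytes):
    if blob[:4] != MAGIC:
        raise ValueError("not a managed file")
    (hlen,) = struct.unpack(">I", blob[4:8])
    return ManagementInfo(**json.loads(blob[8:8 + hlen])), blob[8 + hlen:]


class ManagedFile:
    """Receiving-terminal state for one file under management information."""

    def __init__(self, info: ManagementInfo, payload: bytes):
        self.info, self.payload = info, payload
        self.uses = 0
        self.open_seconds = 0      # accumulated time the file has been open
        self.opened_at = None
        self.destroyed = False

    def destroy(self) -> None:
        self.payload = b""
        self.destroyed = True
        self.opened_at = None

    def _expire(self, now: int) -> None:
        """Auto-destruction once the configured moment is reached."""
        if self.info.destroy_at is not None and now >= self.info.destroy_at:
            self.destroy()

    def key_signal(self) -> bool:
        """Preset key signal: one-key destruction, if the sender enabled it."""
        if not self.info.one_key_destroy:
            return False
        self.destroy()
        return True

    def check_open(self, user: str, now: int) -> str:
        """Return 'ok' or the reason the open is refused."""
        self._expire(now)
        if self.destroyed:
            return "destroyed"
        i = self.info
        if user in i.blacklist:
            return "blacklisted"
        if i.whitelist and user not in i.whitelist:
            return "not whitelisted"
        if i.max_uses is not None and self.uses >= i.max_uses:
            return "usage count exhausted"
        if i.max_open_seconds is not None and self.open_seconds >= i.max_open_seconds:
            return "usage time exhausted"
        return "ok"

    def open(self, user: str, now: int) -> bytes:
        reason = self.check_open(user, now)
        if reason != "ok":
            raise PermissionError(reason)
        self.uses += 1
        self.opened_at = now
        return self.payload

    def close(self, now: int) -> None:
        if self.opened_at is not None:
            self.open_seconds += now - self.opened_at
            self.opened_at = None
        self._expire(now)


if __name__ == "__main__":
    info = ManagementInfo(whitelist=["alice"], max_uses=2, max_open_seconds=600, destroy_at=2000)
    f = ManagedFile(*unpack(pack(info, b"<ciphertext from the filter driver>")))
    f.open("alice", now=1000); f.close(now=1300)
    print(f.check_open("bob", now=1350))    # not whitelisted
    f.open("alice", now=1400); f.close(now=1800)
    print(f.check_open("alice", now=1850))  # usage count exhausted
    print(f.check_open("alice", now=2001))  # destroyed
```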
Embodiment 5
Building on the above embodiments, the file security management terminal of this embodiment also includes a first usage recording unit, which records all operation records of the files. The operation records include, but are not limited to, user account login time, application program operation records, file modification time, file modification content, file move time, file move destination, file deletion time and file copy time. Administrators have permission to view the operation records; other users do not.
This embodiment records file operations at all times, making it convenient to review file usage later.
Example 6
On the basis of the above embodiments, to further protect the files under the secure file directory, the file security management terminal of this embodiment prohibits, while an application is accessing a file corresponding to the secure file directory, file-content transfer operations such as cross-application copy, cross-application paste, screenshot and screen recording. A cross-application copy operation copies content from one application to another, and a cross-application paste operation pastes content from one application into another.
By prohibiting the cross-application copy, cross-application paste, screenshot and screen-recording operations that transfer file content, this embodiment effectively prevents file content from being moved out while a file is in use and thereby protects file security.
Example 7
Referring to Figs. 1 to 4, the file security management system of this embodiment includes a file security server and multiple terminals, the security server being communicatively connected to each terminal. The structure and functions of the terminals are as described in the above embodiments and are not repeated here. Each terminal has multiple applications installed and multiple files stored; applications are given permission to access the files corresponding to a secure file directory, and the secure file directory corresponds to multiple files. A file filter driver installed on the terminal verifies the permission of an application, and an application that holds access permission accesses the files corresponding to the secure file directory only after passing verification by the file filter driver.
This embodiment restricts application access by defining a secure file directory and verifies application permissions with the file filter driver, ensuring that only authorized applications can access the protected files and thereby improving file security.
Example 8
On the basis of the above embodiments, in the file security management system of this embodiment at least two terminals are located in the same local area network or on the Internet; files are transferred between the two terminals and the received file is saved to the secure file directory. The file security management terminal of this embodiment further includes a sending unit and a receiving unit. The sending unit sends files under the secure file directory; the receiving unit receives files from the secure file directories of other terminals and stores the received files under the terminal's own secure file directory. A file that is not stored under the secure file directory cannot be used.
Optionally, when the file sent is an ordinary file, that is, an unencrypted file, the sending unit sends the file under the secure file directory, the receiving unit receives files from the secure file directories of other terminals and stores them under the terminal's secure file directory, and a file that is not stored under the secure file directory cannot be used.
Optionally, when the file is an encrypted file, the sending unit sends the encrypted file and the receiving unit receives it and stores it in the secure file directory. Likewise, an encrypted file that is not stored under the secure file directory cannot be used. While the terminal uses an encrypted file, encryption and decryption are performed by the file filter driver positioned between the application and the file. Specifically, when an encrypted file is read, the file filter driver decrypts it and passes the decrypted data to the application; when an encrypted file is written, the file filter driver encrypts the data produced by the application and saves it into the encrypted file. Optionally, the encrypted file of this embodiment is encrypted with a stream encryption algorithm that attaches no other information during encryption, and the file filter driver uses the stream encryption algorithm to encrypt and decrypt the data.
It will be understood that ordinary encryption schemes add extra information such as a file header, an ID and control information, whereas the stream encryption algorithm of the present application attaches nothing during encryption, so no file header, ID or control information needs to be added, and the encrypted file is exactly the same size as the original file. Performing the encryption in the file filter driver keeps the implementation at the filter-driver layer as simple as possible and makes encryption and decryption as efficient as possible. As a result the secure file directory only ever holds encrypted files and never an unencrypted original, so even if the terminal is physically disassembled, the encrypted files cannot be decrypted without the file filter driver, which effectively prevents file leakage through physical removal of the storage device.
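The read and write paths just described, as an added illustration that is not code from the patent: a simulated filter layer checks the calling application's permission on the secure file directory, then encrypts on write and decrypts on read with a size-preserving keystream. The patent does not name its stream algorithm, so the keystream here is an assumed stand-in (HMAC-SHA256 in counter mode, indexed by byte offset so random-access reads and writes work without storing a header or nonce in the file); the application names, paths and permission sets are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Set

BLOCK = hashlib.sha256().digest_size  # 32 bytes of keystream per counter block


def keystream(master_key: bytes, file_id: str, offset: int, length: int) -> bytes:
    """Illustrative counter-mode keystream: HMAC-SHA256(master_key, file_id || counter).

    Indexed by byte offset, so a read or write at any position can be served without
    storing a nonce or header inside the file. This is an assumed stand-in for the
    patent's unnamed stream algorithm; the file path acts as the per-file nonce.
    """
    if length <= 0:
        return b""
    first, last = offset // BLOCK, (offset + length - 1) // BLOCK
    out = bytearray()
    for counter in range(first, last + 1):
        msg = file_id.encode() + counter.to_bytes(8, "big")
        out += hmac.new(master_key, msg, hashlib.sha256).digest()
    start = offset - first * BLOCK
    return bytes(out[start:start + length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class FilterLayer:
    """Simulates the file filter driver sitting between applications and storage."""
    master_key: bytes
    secure_dir: str
    app_perms: Dict[str, Set[str]]                        # app name -> {"read", "write", "create"}
    disk: Dict[str, bytes] = field(default_factory=dict)  # path -> ciphertext; stands in for the storage device

    def _check(self, app: str, path: str, op: str) -> None:
        # Applications covered by the policy may only touch the secure file directory,
        # and only with the operations granted to them.
        if not path.startswith(self.secure_dir.rstrip("/") + "/"):
            raise PermissionError(f"{app}: {path} is outside the secure file directory")
        if op not in self.app_perms.get(app, set()):
            raise PermissionError(f"{app}: no '{op}' permission on {path}")

    def write(self, app: str, path: str, offset: int, data: bytes) -> int:
        """Encrypt application data in place; returns the stored file size.

        The stored size equals the plaintext size because nothing is appended.
        Because no per-write nonce exists, rewriting the same offset would reuse
        keystream, so a real deployment must re-key a file whose content is rewritten.
        """
        op = "write" if path in self.disk else "create"
        self._check(app, path, op)
        buf = bytearray(self.disk.get(path, b""))
        if offset > len(buf):
            raise ValueError("write beyond end of file")
        ct = xor_bytes(data, keystream(self.master_key, path, offset, len(data)))
        buf[offset:offset + len(ct)] = ct
        self.disk[path] = bytes(buf)
        return len(buf)

    def read(self, app: str, path: str, offset: int, length: int) -> bytes:
        """Decrypt the requested range and hand plaintext to the application."""
        self._check(app, path, "read")
        ct = self.disk[path][offset:offset + length]
        return xor_bytes(ct, keystream(self.master_key, path, offset, len(ct)))

    def stored_size(self, path: str) -> int:
        return len(self.disk[path])
```

Without the filter layer (and its master key) the bytes in `disk` are only ciphertext, which is the state the text says the storage device is in when physically removed.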
Referring to Fig. 3, to further protect the files under the secure file directory, the terminal of this embodiment sets management information for an encrypted file before sending it and sends the encrypted file together with the management information, the management information and the encrypted file forming a single integral file. Optionally, the management information includes, but is not limited to, a usage-rights whitelist, a usage-rights blacklist, a file use count, a file usage time, a file auto-destruction time and one-click file destruction. The usage-rights whitelist lists the user accounts permitted to use the file; the usage-rights blacklist lists the user accounts prohibited from using it; the file use count is the maximum number of times the file may be used, after which it can no longer be used; the file usage time is the cumulative time the file may be open for use, and once the accumulated open time reaches it, further use of the file is prohibited; the file auto-destruction time is the moment at which the file destroys itself automatically; one-click file destruction means the file can be destroyed on receipt of a preset key signal.
It will be understood that the management information of an encrypted file cannot be listed exhaustively; any information capable of managing the file may serve as management information of the encrypted file.
In this embodiment, when files are transferred between terminals, the received file must be stored under the secure file directory. If the receiving terminal has no secure file directory, the received file cannot be used. This ensures that a file remains in a controlled state after transfer and keeps it secure.
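The management-information rules listed above (the same list appears in the earlier embodiment), as an added example that is not code from the patent: a receiving terminal evaluates whitelist, blacklist, use count, accumulated usage time, auto-destruction time and one-click destruction before and during each use of a file. Field names, the evaluation order and the timestamps are assumptions; the patent fixes neither the encoding of the management information nor the order in which the checks run.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class ManagementInfo:
    """Management information carried with an encrypted file (assumed field layout)."""
    whitelist: Set[str] = field(default_factory=set)   # accounts allowed; empty set = no whitelist set
    blacklist: Set[str] = field(default_factory=set)   # accounts prohibited
    max_uses: Optional[int] = None                     # file use count
    max_usage_seconds: Optional[float] = None          # accumulated open time allowed
    destroy_at: Optional[float] = None                 # auto-destruction timestamp


@dataclass
class ManagedFile:
    """State the receiving terminal keeps for one file under its secure file directory."""
    info: ManagementInfo
    uses: int = 0
    used_seconds: float = 0.0
    opened_at: Optional[float] = None
    destroyed: bool = False

    def destroy(self) -> None:
        """One-click destruction (preset key signal) or auto-destruction."""
        self.opened_at = None
        self.destroyed = True

    def elapsed(self, now: float) -> float:
        """Accumulated open time, including the session currently open."""
        open_time = now - self.opened_at if self.opened_at is not None else 0.0
        return self.used_seconds + open_time

    def check(self, account: str, now: float) -> Optional[str]:
        """Return the reason the file may not be used, or None if use is allowed."""
        if self.info.destroy_at is not None and now >= self.info.destroy_at:
            self.destroy()
        if self.destroyed:
            return "destroyed"
        if account in self.info.blacklist:
            return "on blacklist"
        if self.info.whitelist and account not in self.info.whitelist:
            return "not on whitelist"
        if self.info.max_uses is not None and self.uses >= self.info.max_uses:
            return "use count exhausted"
        if (self.info.max_usage_seconds is not None
                and self.elapsed(now) >= self.info.max_usage_seconds):
            return "usage time exhausted"
        return None

    def open(self, account: str, now: float) -> bool:
        """Each successful open consumes one use and starts the usage-time clock."""
        if self.opened_at is not None or self.check(account, now) is not None:
            return False
        self.uses += 1
        self.opened_at = now
        return True

    def close(self, now: float) -> None:
        if self.opened_at is not None:
            self.used_seconds += now - self.opened_at
            self.opened_at = None

    def enforce(self, now: float) -> bool:
        """Called periodically while the file is open; False means it was forced shut."""
        if self.opened_at is None:
            return False
        if self.info.destroy_at is not None and now >= self.info.destroy_at:
            self.destroy()
            return False
        if (self.info.max_usage_seconds is not None
                and self.elapsed(now) >= self.info.max_usage_seconds):
            self.close(now)
            return False
        return True
```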
Example 9
On the basis of the above embodiments, the file security server of the file security management system of this embodiment includes a second identity verification unit that verifies a user account's permission to use the files corresponding to the secure file directory; once the second identity verification unit has verified the account, the user account is allowed to access those files. The terminal uploads the user identity information it receives to the file security server, and the second identity verification unit looks up whether the user account is a legitimate account and which permissions it holds. If verification succeeds and the user account is allowed to access the files corresponding to the secure file directory, the user may use an application to access the files under the secure file directory, but the application's access to those files must still have its permission verified by the file filter driver; the verification process is as described in the above embodiments and is not repeated here. Optionally, the user identity information verified by the second identity verification unit includes, but is not limited to, a user account, user password, user fingerprint, user facial information, mobile phone number, e-mail address, hardware dongle and USBKey, of which one or more may be selected as required.
Further, the file security server of this embodiment may also set, for each user account, permission to access the files in the secure file directory, that is, grant each user account access to a subset of the files in the secure file directory, with permissions that may differ between accounts. Optionally, this embodiment may also set each user account's permission to use applications, that is, restrict which applications each user account may and may not use.
In this embodiment every user has a corresponding user account. When a user wants to use a file under the secure file directory, the user must log in to the file security server, where the second identity verification unit verifies the user's identity and permissions to determine whether the user may access the secure file directory. The identity verification unit of this embodiment further ensures that files are used securely.
Example 10
On the basis of the above embodiments, the file security management terminal of this embodiment further includes a second usage recording unit that records every operation performed on a file. Operation records include, but are not limited to, user account login time, application operation records, file modification time, modified file content, file move time, file move destination, file deletion time and file copy time, and the terminal uploads the operation records to the file security server. Administrators have permission to view the operation records and can log in to the file security server to view each user's usage records; other users do not have permission to view the operation records.
This embodiment records file operations as they occur, so that file usage can be reviewed later.
Example 11
On the basis of the above embodiments, to further protect the files under the secure file directory, the file security management terminal of this embodiment prohibits, while an application is accessing a file corresponding to the secure file directory, file-content transfer operations such as cross-application copy, cross-application paste, screenshot and screen recording. A cross-application copy operation copies content from one application to another, and a cross-application paste operation pastes content from one application into another.
By prohibiting the cross-application copy, cross-application paste, screenshot and screen-recording operations that transfer file content, this embodiment effectively prevents file content from being moved out while a file is in use and thereby protects file security.
On the basis of the above embodiments, the file security server in some file security management systems further includes an approval request processing unit for approving user requests: a user uploads request information through a terminal, and an administrator can view and review the request information by logging in to the file security server.
On the basis of the above embodiments, the file security server in some file security management systems further includes a usage monitoring unit for monitoring file usage, which sends a monitoring report to the management terminal whenever a monitored file is used.
On the basis of the above embodiments, the file security server in some file security management systems further includes an attribute change unit for changing file attribute information: when the management permissions of a file in a terminal's secure file directory need to be changed, the management terminal sends change information to the target terminal through the attribute change unit on the file security server, and the target terminal applies the change information to change the file attributes.
On the basis of the above embodiments, the file security server in some file security management systems further includes a destruction instruction delivery unit for relaying file destruction instructions: when a file needs to be destroyed, the management terminal sends a destruction instruction to the target terminal through the destruction instruction delivery unit of the file security server, and the target terminal destroys the target file on receipt of the instruction.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the apparatus disclosed in an embodiment corresponds to the method disclosed in that embodiment, its description is kept brief, and the relevant points may be found in the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above in general terms of their function. Whether these functions are performed in hardware or software depends on the specific application and the design constraints of the technical solution. Skilled persons may implement the described functions in different ways for each particular application, but such implementations should not be regarded as going beyond the scope of the present invention.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM or any other form of storage medium known in the art.
The above embodiments merely illustrate the technical concept and features of the present invention; their purpose is to enable those familiar with the art to understand the content of the present invention and implement it accordingly, and they do not limit the scope of protection of the present invention. All equivalent changes and modifications made within the scope of the claims of the present invention shall fall within the scope covered by those claims.

Claims (25)

  1. A file security management terminal, the terminal having a plurality of applications installed and a plurality of files stored, characterized in that permission of the applications to access files corresponding to a secure file directory is set, the secure file directory corresponding to a plurality of files;
    a file filter driver installed on the terminal is used to verify the permission of an application, and an application having access permission accesses the files corresponding to the secure file directory after passing verification by the file filter driver.
  2. The file security management terminal according to claim 1, characterized in that the terminal further comprises a first identity verification unit for verifying a user account's permission to use the files corresponding to the secure file directory, the user account being allowed to access the files corresponding to the secure file directory after the first identity verification unit has verified it.
  3. The file security management terminal according to claim 2, characterized in that the user identity information verified by the first identity verification unit includes one or more of a user account, a user password, a user fingerprint, user facial information, a mobile phone number, an e-mail address, a hardware dongle and a USBKey.
  4. The file security management terminal according to claim 2, characterized in that permission of each user account to access files in the secure file directory is set.
  5. The file security management terminal according to claim 1, characterized in that the permission of the application to access files corresponding to the secure file directory includes permission to read files, permission to write files, permission to create files and permission to save files as;
    the application is prohibited from accessing files stored on the terminal other than those in the secure file directory.
  6. The file security management terminal according to claim 1, characterized in that the secure file directory is a secure folder, and the files corresponding to the secure file directory are stored in the secure folder.
  7. The file security management terminal according to claim 1, characterized in that the files are encrypted files;
    when an encrypted file is read, the file filter driver decrypts the encrypted file and transmits the decrypted data to the application;
    when an encrypted file is written, the file filter driver encrypts the data generated by the application and saves it into the encrypted file.
  8. The file security management terminal according to claim 7, characterized in that the encrypted file is encrypted with a stream encryption algorithm, no other information is attached during encryption, and the file filter driver uses the stream encryption algorithm to encrypt and decrypt data.
  9. The file security management terminal according to claim 7, characterized in that the terminal further comprises a sending unit and a receiving unit;
    the sending unit sends the encrypted file, and the receiving unit receives the encrypted file and stores the received encrypted file in the secure file directory.
  10. The file security management terminal according to claim 6, characterized in that the terminal further comprises a first usage recording unit, the first usage recording unit recording all operation records of the files.
  11. The file security management terminal according to claim 1, characterized in that, while accessing files corresponding to the secure file directory, the application is prohibited from one or more of cross-application copy, cross-application paste, screenshot and screen recording operations.
  12. A file security management system, characterized by comprising a file security server and a plurality of terminals, the security server being communicatively connected to each of the terminals;
    each terminal has a plurality of applications installed and a plurality of files stored, permission of the applications to access files corresponding to a secure file directory is set, and the secure file directory corresponds to a plurality of files; a file filter driver installed on the terminal verifies the permission of an application, and an application having access permission accesses the files corresponding to the secure file directory after passing verification by the file filter driver.
  13. The file security management system according to claim 12, characterized in that at least two of the terminals are located in the same local area network, the files are transmitted between the two terminals in the local area network, and the received files are saved to the secure file directory.
  14. The file security management system according to claim 13, characterized in that the terminal sets management information of the file before sending the file, and sends the file and the management information together.
  15. The file security management system according to claim 12, characterized in that the files are encrypted files;
    when an encrypted file is read, the file filter driver decrypts the encrypted file and transmits the decrypted data to the application;
    when an encrypted file is written, the file filter driver encrypts the data generated by the application and saves it into the encrypted file.
  16. The file security management system according to claim 15, characterized in that the encrypted file is encrypted with a stream encryption algorithm, no other information is attached during encryption, and the file filter driver uses the stream encryption algorithm to encrypt and decrypt data.
  17. The file security management system according to claim 15, characterized in that the encrypted file is transmitted between two of the terminals, and the received encrypted file is saved to the secure file directory.
  18. The file security management system according to claim 17, characterized in that the two terminals are located on the Internet.
  19. The file security management system according to claim 17, characterized in that the terminal sets management information of the encrypted file before sending the encrypted file, and sends the encrypted file and the management information together.
  20. The file security management system according to claim 14 or 19, characterized in that the management information includes one or more of a usage-rights whitelist, a usage-rights blacklist, a file use count, a file usage time, a file auto-destruction time and one-click file destruction.
  21. The file security management system according to claim 12, characterized in that the file security server comprises a second identity verification unit for verifying a user account's permission to use the files corresponding to the secure file directory, the user account being allowed to access the files corresponding to the secure file directory after the second identity verification unit has verified it.
  22. The file security management system according to claim 21, characterized in that the user identity information verified by the second identity verification unit is uploaded by the terminal to the file security server, and the user identity information includes one or more of a user account, a user password, a USBKey, a user fingerprint, user facial information and an electronic certificate.
  23. The file security management system according to claim 12, characterized in that the file security server comprises a second usage recording unit, the second usage recording unit recording all operation records of the files, and the operation records are uploaded by the terminal to the file security server.
  24. The file security management system according to claim 12, characterized in that, while accessing files corresponding to the secure file directory, the application is prohibited from one or more of cross-application copy, cross-application paste, screenshot and screen recording operations.
  25. The file security management system according to claim 12, characterized in that the file security server further comprises:
    an approval request processing unit for approving user requests; and/or
    a usage monitoring unit for monitoring file usage; and/or
    an attribute change unit for changing file attribute information; and/or
    a destruction instruction delivery unit for delivering file destruction instructions.
PCT/CN2021/121874 2020-10-14 2021-09-29 File security management terminal and system WO2022078222A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011095030.7 2020-10-14
CN202011095030.7A CN112329050A (en) 2020-10-14 2020-10-14 File security management terminal and system

Publications (1)

Publication Number Publication Date
WO2022078222A1 true WO2022078222A1 (en) 2022-04-21

Family

ID=74314897

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/121874 WO2022078222A1 (en) 2020-10-14 2021-09-29 File security management terminal and system

Country Status (2)

Country Link
CN (1) CN112329050A (en)
WO (1) WO2022078222A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117216809A (en) * 2023-11-09 2023-12-12 江苏省测绘资料档案馆 Secret-related mapping result offline distribution approval authorization system and method

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112329050A (en) * 2020-10-14 2021-02-05 杭州来布科技有限公司 File security management terminal and system
WO2024021069A1 (en) * 2022-07-29 2024-02-01 华为技术有限公司 Access control method and apparatus
CN115292294A (en) * 2022-10-08 2022-11-04 深圳市海豚网络信息科技有限公司 Database security management method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100257372A1 (en) * 2009-03-26 2010-10-07 Ryan Seifert Integrated file level cryptographical access control
CN105528553A (en) * 2014-09-30 2016-04-27 中国移动通信集团公司 A method and a device for secure sharing of data and a terminal
CN112329050A (en) * 2020-10-14 2021-02-05 杭州来布科技有限公司 File security management terminal and system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117216809A (en) * 2023-11-09 2023-12-12 江苏省测绘资料档案馆 Secret-related mapping result offline distribution approval authorization system and method
CN117216809B (en) * 2023-11-09 2024-03-08 江苏省测绘资料档案馆 Secret-related mapping result offline distribution approval authorization system and method

Also Published As

Publication number Publication date
CN112329050A (en) 2021-02-05

Similar Documents

Publication Publication Date Title
WO2022078222A1 (en) File security management terminal and system
US10645091B2 (en) Methods and systems for a portable data locker
US8966580B2 (en) System and method for copying protected data from one secured storage device to another via a third party
KR102068580B1 (en) Method of securing a computing device
AU2008341026C1 (en) System and method for securing data
US20080184035A1 (en) System and Method of Storage Device Data Encryption and Data Access
US20090276474A1 (en) Method for copying protected data from one secured storage device to another via a third party
CN102948114A (en) Single-use authentication methods for accessing encrypted data
JP2021022393A (en) Method and system for blocking phishing or ransomware attack
CN112673600A (en) Multi-security authentication system and method between mobile phone terminal and IoT (Internet of things) equipment based on block chain
US9378339B2 (en) System, method, and device for delivering communications and storing and delivering data
KR20050053569A (en) Document preservation authority endowment method
CN101739361A (en) Access control method, access control device and terminal device
CN104104650A (en) Data file visit method and terminal equipment
CN108399341B (en) Windows dual file management and control system based on mobile terminal
US11941130B2 (en) Secure data storage
US8321915B1 (en) Control of access to mass storage system
US8296826B1 (en) Secure transfer of files
KR102554875B1 (en) Apparatus and method for connecting network for providing remote work environment
CN113360877A (en) Method for designing safe mobile storage medium based on RAM
CN103942502A (en) Method and device for ferry type safety data exchange
US20240048532A1 (en) Data exchange protection and governance system
CN116992500A (en) Data double-layer storage data searching prevention method and system
US20240048380A1 (en) Cryptography-as-a-Service
US20220174067A1 (en) Securing data and tracking actions upon data

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21879268

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21879268

Country of ref document: EP

Kind code of ref document: A1