CN101729550A - Digital content safeguard system based on transparent encryption and decryption method thereof - Google Patents
Digital content safeguard system based on transparent encryption and decryption method thereof Download PDFInfo
- Publication number
- CN101729550A CN101729550A CN200910218880A CN200910218880A CN101729550A CN 101729550 A CN101729550 A CN 101729550A CN 200910218880 A CN200910218880 A CN 200910218880A CN 200910218880 A CN200910218880 A CN 200910218880A CN 101729550 A CN101729550 A CN 101729550A
- Authority
- CN
- China
- Prior art keywords
- digital content
- module
- encryption
- user
- decryption
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The invention belongs to the field of information safety, providing a digital content safeguard system based on transparent encryption and decryption. The system comprises a transparent encryption and decryption module, an access control module, a monitoring module, a certificate authority module, a communication proxy module, a management center and a permission server module, wherein the transparent encryption and decryption module, the access control module and the monitoring module are on a client side, and the management center and the permission server module are on a server side; the client side and the server side are connected by the communication proxy module and the permission server module. Aiming at the safeguard system, the invention provides a dynamic encryption and decryption method which carries out encryption and access control to digital content as well as opens, reads and writes cipher texts. The method realizes transparent encryption and decryption to the digital content by realizing filtering driving on the bottom layer of an operating system and records an intact log to all operation of a user, thus improving system safety, and greatly improving encryption and decryption speed. Compared with the existing like products, the system of the invention has the advantages of safe and efficient encryption mode, fine grit access control, perfect log audit function and convenient and efficient management mode.
Description
Technical field
The invention belongs to information security field, be specifically related to a kind of digital content safeguard system and encipher-decipher method based on transparent encryption and decryption.
Background technology
Along with the widespread usage of computer and the develop rapidly of Internet, more and more technological inventions, innovation etc. rely on computer technology, therefore, the confidential document of a lot of cores is stored on computers with electronic form, even most enterprise key technical documentations itself is exactly the electronic document of design drawing, program source code etc.Therefore, technological progress has brought new challenge to information security, popularizing of network technology and being extensive use of etc. of mobile office equipment, movable storage device, notebook computer are bringing efficient and are increasing the danger that information is intercepted, intercepted and captured and illegally copies easily simultaneously again to people.Show according to the survey institute investigation result, every year a large amount of enterprise's sensitive datas can take place all and lose incident that it is extremely heavy that e-file is revealed the loss that enterprise caused.Relate to the state secret aspect and work as this situation, the loss that is caused is immeasurable especially.In order to prevent the secret leakage, enterprise has taked various file encryption measures, and the technology that also occurred simultaneously much file being encrypted occur.
Encryption and decryption technology is divided into static encryption and decryption and dynamic encryption and decryption, and static encryption and decryption is meant that during encrypting data to be encrypted are in unused state, and in a single day these data encrypt, and the user needs at first obtain expressly could using then by the static state deciphering before use; Dynamic encryption is transparent encryption and decryption technology, be meant that data in use, system carries out the encryption and decryption operation to data automatically, do not change the user to the visit of file (open, reading and writing etc.) custom, need not user's intervention, apparently, file that visit is encrypted and visit unencrypted file are basic identical, therefore these encrypt files are " transparent " concerning validated user, promptly as not encrypting, but, also can't use even obtained encrypt file by other nonconventional approaches for the user who does not have access rights.Because transparent encryption and decryption technology does not change user's use habit, and need not the safety that the too many intervention operation of user can realize file, thereby obtained in recent years using widely.
There has been the safety product of a lot of transparent encryption and decryption to realize protection in the market, but existed various deficiencies and defective digital content:
1, fail safe is low.Big number product adopts in operating system user attitude finishes the encryption and decryption operation, and this mode fail safe is low, can cause digital content in use " expressly to land ", and promptly clear content is stored in the situation on the disk, easily causes giving away secrets and revealing of confidential information;
2, speed is low.Because in the encryption and decryption operation that operating system user attitude is finished, its speed ratio is lower, it is not high enough to cause handling file efficient; For example Shanghai Suo Yuan Docsecurity system does not adopt filter drive program and changes document format, makes encrypt file to operate with the application program that limits, and speed is lower, and has influenced user's use habit;
3, the control of authority refinement is not enough.Though safety product can allow or refusing user's visit protected digit content mostly, to the control of authority of sectionalization more can not be provided, the safety product that " whole or zero " authority is provided of this static state can not satisfy current dynamic business demand.For example iron volume electronic document safety system though introduced the filtration drive technology, is not supported fine-grained control of authority, can't satisfy user's dynamic need;
4, monitoring mechanism shortcoming.The like product design is simpler mostly, does not have to realize the digital content usage behavior is carried out perfect track record.
Summary of the invention
For deficiency and the defective that overcomes above-mentioned existing encryption and decryption technology like product, the objective of the invention is to, a kind of digital content safeguard system and encipher-decipher method based on transparent encryption and decryption is provided, the present invention passes through in operating system bottom layer realization filtration drive, thereby realize transparent encryption and decryption to digital content, the present invention is in conjunction with transparent encryption and decryption technology, access control technology and Digital Right Management technology, not only improved the fail safe of system, and encryption/decryption speed is greatly improved.
In order to realize above-mentioned task, the technical solution used in the present invention is as follows:
A kind of digital content safeguard system based on transparent encryption and decryption is made up of client and service end, and client comprises:
Transparent encryption and decryption module, mutual with the communication agent module, be used to receive the encrypt digital content request that application program is sent by the communication agent module, and according to asking encrypt digital content; Opening, in the reading and writing operating process, dynamically obtaining required key, authority information by the communication agent module from service end, and accessed digital content is carried out dynamic encryption and decryption according to these information;
The Certificate Authority module, mutual with the communication agent module, send the authentication information request to the service end permission server, return identity information according to permission server login user is carried out authentication, obtain authority information from the service end permission server simultaneously, the user is controlled according to identity information and authority information; The user can carry out ciphertext mandate distribution for other users by the Certificate Authority module;
Monitoring module, mutual with the communication agent module, recording user is to the use of system, to the operation of digital content; Import the permission server of service end into and be kept in the database by the Operation Log of communication agent module, so that the use of digital content is audited and followed the trail of record;
Access control module, mutual with the communication agent module, be used for the user digital content process that conducts interviews is intercepted and captured the opening operation of application program to digital content, obtain the complete trails of digital content by the data structure of transparent encryption and decryption module structure; Obtain the content ID and the corresponding authority information of digital content according to the complete trails of digital content from the permission server of service end, according to the use of authority information control user to ciphertext;
The communication agent module in order to communicating to connect between other each modules of client and each module of service end, sends various requests or receives the request return information, transmits client and service end desired data, the isomery of shielding server;
Service end comprises:
Administrative center for the system manager provides the unified connection interface that system user is managed, comprises and adds new user, interpolation user grouping, when the user registers user identity is verified, checks the Operation Log of user to digital content;
Permission server, by communication agent with each module exchange message of client, receive ID authentication request, authority information request or key information request that each module of client is sent, from database, obtain data, return to the information needed of each module of client according to respective request;
Database is in order to preserve client identity authentication information, the authority information of digital content, key information, User operation log;
The administrative center of service end is connected with database respectively with permission server, and service end is connected with permission server by the communication agent module with client.
Based on the digital content safeguard system of transparent encryption and decryption encryption protecting method, may further comprise the steps digital content:
Step 201: the user to need to select the digital content of encipherment protection by application program, comprises and selects a file, a plurality of files of disposable selection or select whole file;
Step 202: application program sends the request of encryption to the communication agent module;
Step 203: the communication agent module is transmitted to transparent encryption and decryption module after receiving the request of encryption;
Step 204: after transparent encryption and decryption module is received request, request is kept in the request chained list of self maintained;
Step 205: when closing application program, the encrypt digital content that transparent encryption and decryption module is selected the user, and add encryption identification at the afterbody of digital content, and be used for distinguishing expressly and ciphertext, send encryption key to the permission server storage by the communication agent module simultaneously;
Step 206: after encrypting end, transparent encryption and decryption module writes disk to ciphertext and preserves.
Above-mentioned encryption identification part is as follows:
301: flag bit indicates that whether this content is protected content, takies 128 bytes;
302: content ID, digital content of unique identification is made up of current time (being accurate to second), MAC Address and 16 random character sequence three parts, takies 256 bytes.
303: content type, be used for the initial form information of storing digital content, be MS001 as the Word document in the definition Office document, the Excel Doctype is MS002 etc., takies 256 bytes.
304: cryptographic algorithm, be used for storing the encryption algorithm type that this digital content adopts, so that when follow-up encryption and decryption operation, adopt identical algorithm, take 256 bytes.
305: reserved byte for follow-up expansion provides headspace, takies 128 bytes.
Method based on the ciphertext mandate distribution of the digital content safeguard system of transparent encryption and decryption may further comprise the steps:
Step 401: the user selects protected content by application program;
Step 402: user and authority information that the user need authorize by the application program selection send authorization requests to the Certificate Authority module;
Step 403: the Certificate Authority module receives authorization requests, sends the renewal authority request by the communication agent module to permission server, comprises former authority is got common factor or union; Permission server upgrades user's authority information and return results;
Step 404: the Certificate Authority module is received the request return information, protected digital content mode such as is shared by USB flash disk, email, network be distributed to authorized user, and the user uses according to the authority of authorizing after receiving digital content;
Based on the dynamic encryption and decryption method of the digital content safeguard system of transparent encryption and decryption, dynamic encryption and decryption is opened in digital content, carry out in the reading and writing operation, wherein:
The digital content opening procedure may further comprise the steps:
Step 501: the protected digital content that the user need open by the application program selection;
Step 502: application program sends the IRP_MJ_CREATE request to transparent encryption and decryption module;
Step 503: after transparent encryption and decryption module is intercepted and captured the IRP_MJ_CREATE request, whether the afterbody that structure IRP inquires about this digital content has encryption indicator, if any, show that this digital content is a ciphertext, then the construction data structure writes down this document relevant information, so that in the subsequent operation of all being opened digital content, distinguish plaintext and ciphertext, empty system cache then, jump to step 504; If there is not encryption identification, then show not to be ciphertext to jump to step 506; The data structure of this transparent encryption and decryption module structure comprises with the lower part:
1) ListEntry is Windows kernel list structure;
2) FsContext, reality is the pointer of digital content controll block FCB, this digital content of unique sign;
3) Pid is for visiting the process ID of this digital content;
4) FilePath, the storing digital content complete trails;
Step 504: transparent encryption and decryption module is obtained content ID from the encryption identification of ciphertext, according to this content ID, obtain authority information and the key information of user by communication agent from permission server to this ciphertext, judge according to user's authority information whether the user has authority to open this content, if have, then use this content of corresponding secret key decryption, execution in step 505 then; Otherwise, will not decipher, application prompts user haves no right to open;
Step 505: access control module obtains right of digital content information by communication agent from permission server, carry out fine-grained control of authority according to authority information, the availability that comprises menu, button, the control of pulling between the copy and paste of clipbook, the program, OLE exchanges data, screenshotss;
Step 506: digital content is shown to the user;
Ciphertext is carried out read operation be may further comprise the steps:
Step 601: application program sends the IRP_MJ_READ request to the bottom filter drive program;
Step 602: after transparent encryption and decryption module is received the IRP_MJ_READ request, judge whether Irp->Flags is IRP_NOCACH or IRP_PAGING_IO, it is execution in step 603 then, otherwise, transparent encryption and decryption module does not process, but the default processing function PassThroughLowerDriver of call operation system;
Step 603: preserve Read Irp and be with the Buffer pointer, application and the onesize SwapBuffer of Buffer;
Step 604: former Buffer is replaced with SwapBuffer, set up into routine ReadProcCompletion, wait for the return results that filter drive program is handled then;
Step 605: finish routine and be activated, transparent encryption and decryption module is decrypted the data among the SwapBuffer with key, and data copy among the former Buffer after will deciphering;
Step 606: reduction Irp Buffer pointer Irp->MdlAddress and Irp->UserBuffer;
Step 607: the digital content after the deciphering is shown to the user;
Ciphertext is carried out write operation be may further comprise the steps:
Step 701: application program sends the IRP_MJ_WRITE request;
Step 702: transparent encryption and decryption module is intercepted and captured the IRP_MJ_WRITE request, judging whether Irp->Flags is IRP_NOCACHE or IRP_PAGING_IO, is execution in step 703 then, otherwise PassThroughLowerDriver (Irp), transparent encryption and decryption module does not process, and directly returns;
Step 703: preserve Write Irp and be with the Buffer pointer, apply for onesize SwapBuffer;
Step 704: data among the Buffer are encrypted and data encrypted is copied among the SwapBuffer;
Step 705: former Buffer is replaced with SwapBuffer, set up into routine (WriteProcCompletion), wait for the return results that the bottom filter drive program is handled;
Step 706: finish routine and be activated, reduction Irp Buffer pointer Irp->MdlAddress and Irp->UserBuffer;
Step 707: the digital content after system will encrypt is saved on the computer disk.
When in a plurality of digital contents of opening ciphertext being arranged, step 503 is further comprising the steps of: transparent encryption and decryption module is created a new Archive sit to it when ciphertext is opened, kernel list structure (ListEntry) in the data structure is chained list with the Archive sit series connection of all ciphertexts of opening, plaintext and ciphertext in the digital content of opening with differentiation, when ciphertext was closed, its node was deleted.
In step 505, access control module obtains corresponding authority information by communication agent from permission server, and may further comprise the steps according to the process that authority information is carried out fine-grained control of authority:
Step 801: the user opens protected digit content by application program, and application program sends the opening operation request of content;
Step 802: access control module is intercepted and captured the opening operation request of application program, obtains the complete trails of digital content by the data structure of transparent encryption and decryption module structure.
Step 803: access control module sends request by communication agent to permission server according to the complete trails of digital content, and permission server returns the content ID and the corresponding authority information of digital content.
Step 804: access control module is carried out fine-grained control of authority according to the authority information that obtains, and comprises the availability of menu, button, the control of modes such as pulling between the copy and paste of clipbook, the program, OLE exchanges data, screenshotss.
Compared with prior art, beneficial effect of the present invention is as follows:
1. cipher mode is safe and efficient.Because the present invention adopts the transparent encryption and decryption that realizes based on the bottom filtration drive, with traditional comparing in application layer realization encryption and decryption mode, this mode has improved the fail safe of system, encryption/decryption speed has had very big lifting simultaneously, through testing: for the file of 35M, traditional application layer realizes that encryption and decryption needs 2 minutes, realizes that encryption and decryption only needed for 6 seconds and the present invention is based on the bottom filtration drive.
2. fine granularity control of authority.The present invention is according to digital content owner's different demands, write the control of COM plug-in unit realization to important application software (as Word, Excel, AutoCad), do not support the software of developing plug to adopt the Hook technology to other, authority is set flexibly, thereby has satisfied the ever-increasing demand of user.Individual or group all can be composed power, authority specifically comprises control, several times read-only fully, print several times, reproducible, can deposit in addition, can editor, Expiration Date, effective time etc., this provides the safety product of " all or zero " authorities for traditional static state is a very big breakthrough.
3. the daily record audit function is perfect.The present invention does detailed log record to the user to all operations of protected content (as open, preserve, deposit in addition, printing etc.), and comprehensive daily record audit function is provided, and the evidence obtaining of afterwards tracing that the concerning security matters digital content is leaked provides and provides powerful support for.
4. way to manage convenient and efficient.The administrative center of numeric security guard system of the present invention adopts the B/S structure, and web administration is flexible, is adapted at the visit of the interior any main frame of environment for use to administrative center, for the keeper provides unified connection interface system is managed for configuration; When the user registers user identity is verified; The Operation Log that inquiring user is detailed.
Description of drawings
Fig. 1 is a digital content safeguard system structure chart of the present invention;
Fig. 2 is the encipherment protection procedure chart to the digital content that needs protection;
Fig. 3 is the encryption identification structure chart;
Fig. 4 authorizes distribution procedure figure for the user with ciphertext;
Fig. 5 is the opening procedure flow chart of digital content;
The flow chart of Fig. 6 for ciphertext is carried out read operation;
Fig. 7 is for carrying out the flow chart of write operation to ciphertext;
The procedure chart that Fig. 8 conducts interviews and controls ciphertext for access control module;
Below in conjunction with accompanying drawing the present invention is described in further detail.
Embodiment
The operating system that the present invention is suitable for has: Microsoft Windows XP, Microsoft Windows2000, Microsoft Windows 2003, Microsoft Windows vista etc.; Hardware environment: Pentium (R) 3CPU is more than the 256 MB of memory; Application software: Microsoft Office2000/XP/2003/2007, Adobe Reader, AutoCAD etc.; The development language that is suitable for: C++, C, C#.
Referring to Fig. 1, a kind of digital content safeguard system based on transparent encryption and decryption comprises client and service end, wherein,
Client comprises following each unit:
Transparent encryption and decryption module, mutual with the communication agent module, be used to receive the encrypt digital content request that application program is sent by the communication agent module, and according to asking encrypt digital content; Opening, in the reading and writing operating process, dynamically obtaining required key, authority information by the communication agent module from service end, and accessed digital content is carried out dynamic encryption and decryption according to these information;
The Certificate Authority module, mutual with the communication agent module, send the authentication information request to the service end permission server, return identity information according to permission server login user is carried out authentication, obtain authority information from the service end permission server simultaneously, the user is controlled according to identity information and authority information; The user can carry out ciphertext mandate distribution for other users by the Certificate Authority module;
Monitoring module, mutual with the communication agent module, recording user is to the use of system, to the operation of digital content; Import the permission server of service end into and be kept in the database by the Operation Log of communication agent module, so that the use of digital content is audited and followed the trail of record;
Access control module, mutual with the communication agent module, be used for the user digital content process that conducts interviews is intercepted and captured the opening operation of application program to digital content, obtain the complete trails of digital content by the data structure of transparent encryption and decryption module structure; Obtain the content ID and the corresponding authority information of digital content according to the complete trails of digital content from the permission server of service end, according to the use of authority information control user to ciphertext;
The communication agent module, in order to communicating to connect between other each modules of client and each module of service end, send various requests or receive the request return information, transmit client and service end desired data, the isomery of shielding server, if be that server has change, need not revise other module, only need to revise the communication agent module.
Service end provides a convenient and swift management control center safely and effectively for the system manager, and all client-requested all meet with a response by the service end permission server, and service end comprises following each unit:
Administrative center for the system manager provides the unified connection interface that system user is managed, comprises and adds new user, interpolation user grouping, when the user registers user identity is verified, checks the Operation Log of user to digital content;
Permission server, by communication agent with each module exchange message of client, receive ID authentication request, authority information request or key information request that each module of client is sent, from database, obtain data, return to the information needed of each module of client according to respective request;
Database is in order to preserve client identity authentication information, the authority information of digital content, key information, User operation log;
The administrative center of service end is connected with database respectively with the permission server module, service end and the be connected exchange message of client by communication agent module and permission server module.
More than main interface between each module as follows:
Transparent encryption and decryption-communication agent interface: be used for transparent encryption and decryption module sends request from information such as the authority obtain digital content and key to the communication agent module.Realize by DeviceIoControl.
Certificate Authority-communication agent interface: be used for the Certificate Authority module and send authentication message, obtain file permission information etc. to the communication agent module.Realize by pipe communication mechanism.
Monitoring-communication agent interface: be used for monitoring module and send the User operation log operation information, realize communication by com interface to the communication agent module.
Access control-communication agent interface: be used for access control module and send request, information such as the authority of acquisition file, client certificate to the communication agent module.Realize communication by Windows pipeline mechanism.
Communication agent-permission server interface: be used for of the request of communication agent module forwards, as information such as the authority information that obtains file, encryption key, User operation log from other modules of client.Realize communication by the SSL encryption channel.
There is not direct communication between permission server and the administrative center, separately with the direct communication of service end database.
Client is connected with application program, and the bottom filter drive program is realized by DeviceIoControl with communicating by letter of application program.
In this system, the access control of digital content is finished by the access control module of client, realize important application software (as Word by writing the COM plug-in unit, Excel, AutoCad) control, the software of not supporting developing plug is adopted Hook technical intercept information, and to the copy and paste of clipbook, pulling between the program, the OLE exchanges data, modes such as screenshotss are all controlled, realize two purposes: the one, the exchanges data only import but no export between the application program that guarantees and the application program of non-concerning security matters, for example, after if Word document is encrypted, its content just can not be adhered among the OutLook of non-concerning security matters, and perhaps pasting the content that is mess code; The 2nd, can carry out normal exchanges data between the encryption software, for example, cross Word and Excel and be protected process, then data can be duplicated from Word and be pasted the Excel.Realize fine-grained access control by the way, and COM plug-in unit and the Hook of system and bottom filter drive program have the operating state authentication mechanism, in case the access control on upper strata and monitoring module are by malicious modification or destruction, transparent encryption and decryption service will stop automatically.
Referring to Fig. 2; before each digital content is used; need carry out encipherment protection to it according to its significance level; the digital content that does not need encipherment protection is expressly; need encipherment protection and be ciphertext, may further comprise the steps based on the digital content safeguard system of transparent encryption and decryption encryption protecting method to digital content by the digital content after the transparent encryption and decryption module encrypt:
Step 201: the user to need to select the digital content of encipherment protection by application program, comprises selecting file, a plurality of files of disposable selection, selecting whole file, and the mode of operation of this selection is supported multiple mode, as right button, pull, property pages etc.;
Step 202: application program sends the request of encryption to the communication agent module;
Step 203: the communication agent module is transmitted to transparent encryption and decryption module after receiving the request of encryption;
Step 204: after transparent encryption and decryption module is received request, request is kept in the request chained list of self maintained;
Step 205: when closing application program, the encrypt digital content that transparent encryption and decryption module is selected the user, and add encryption identification at the afterbody of digital content, and be used for distinguishing expressly and ciphertext, send encryption key to the permission server module stores by the communication agent module simultaneously;
Step 206: after encrypting end, transparent encryption and decryption module writes disk to ciphertext and preserves;
Referring to Fig. 3, during transparent encryption and decryption module encrypt file, the encryption identification that adds at tail of file comprises with the lower part:
301: flag bit indicates that whether this content is protected content, takies 128 bytes;
302: content ID, digital content of unique identification is made up of current time (being accurate to second), MAC Address and 16 random character sequence three parts, takies 256 bytes;
303: content type, be used for the initial form information of storing digital content, be MS001 as the Word document in the definition Office document, the Excel Doctype is MS002 etc., takies 256 bytes;
304: cryptographic algorithm, be used for storing the encryption algorithm type that this digital content adopts, so that when follow-up encryption and decryption operation, adopt identical algorithm, take 256 bytes;
305: reserved byte for follow-up expansion provides headspace, takies 128 bytes.
Referring to Fig. 4, the method for a kind of ciphertext mandate of the digital content safeguard system based on transparent encryption and decryption distribution may further comprise the steps:
Step 401: the user selects protected content by application program;
Step 402: user and right to choose limit information that the user need authorize by the application program selection send authorization requests to the Certificate Authority module;
Step 403: the Certificate Authority module receives authorization requests, sends the renewal authority request by the communication agent module to the service end permission server, comprises former authority is got common factor or union; Permission server upgrades user's authority information and return results;
Step 404: the Certificate Authority module is received the request return information, agent-protected file mode such as is shared by USB flash disk, email, network be distributed to authorized user, and the user uses according to the authority of authorizing after receiving file;
Windows NT system is IRP_MJ_CREATE to the at first corresponding Drive Layer of access process of digital content and equipment, the corresponding Drive Layer of last operation is IRP_MJ_CLOSE, for the data of avoiding system cache to cause are revealed, in IRP_MJ_CREATE and IRP_MJ_CLOSE operation, all buffer memory is emptied processing, the read-write requests of the corresponding application program of IRP_MJ_READ and IRP_MJ_WRITE, read and write operated data and be stored in IRP (the fixed data form of the request structure that I/O Request Packet is the I/O manager to be sent according to application program).Transparent encryption and decryption is to finish in to the opening of data, reading and writing operation in system, in aforesaid operations, upper level applications is sent corresponding read-write requests to transparent encryption and decryption module, transparent encryption and decryption module filters out the read-write requests of application program to buffer memory, only non-cache read write request is carried out corresponding operating, system is by judging whether sign is that IRP_NOCACH and IRP_PAGING_IO judge whether to be non-buffer memory read-write in the read-write requests.
Based on the dynamic encryption and decryption method of the digital content safeguard system of transparent encryption and decryption, this method is opened in digital content, carry out in the reading and writing operation, wherein:
Referring to Fig. 5, the digital content opening procedure may further comprise the steps:
Step 501: the protected digital content that the user need open by the application program selection;
Step 502: application program sends the IRP_MJ_CREATE request to transparent encryption and decryption module;
Step 503: after transparent encryption and decryption module is intercepted and captured the IRP_MJ_CREATE request, whether the afterbody that structure IRP inquires about this digital content has encryption indicator, if any, show that this file is a ciphertext, then the construction data structure writes down this document relevant information, so that in the subsequent operation of all being opened digital content, distinguish plaintext and ciphertext, empty system cache then, jump to step 504; If there is not encryption identification, then show not to be ciphertext to jump to step 506; The data structure of this transparent encryption and decryption module structure comprises with the lower part:
1) ListEntry is Windows kernel list structure;
2) FsContext, reality is the pointer of digital content controll block FCB, this digital content of unique sign;
3) Pid is for visiting the process ID of this digital content;
4) FilePath, the storing digital content complete trails;
Step 504: transparent encryption and decryption module is obtained content ID from the encryption identification of ciphertext, obtain user authority information and key information to this ciphertext by communication agent from permission server according to this content ID, judge according to user's authority information whether the user has authority to open this content, if have, then use this content of corresponding secret key decryption, execution in step 505 then; Otherwise, will not decipher, application prompts user haves no right to open;
Step 505: access control module obtains right of digital content information by communication agent from permission server, carry out fine-grained control of authority according to authority information, the availability that comprises menu, button, the control of pulling between the copy and paste of clipbook, the program, OLE exchanges data, screenshotss;
Step 506: digital content is shown to the user.
Referring to Fig. 6, ciphertext is carried out read operation may further comprise the steps:
Step 601: application program sends the IRP_MJ_READ request to the bottom filter drive program;
Step 602: after transparent encryption and decryption module is received the IRP_MJ_READ request, judge whether Irp->Flags is IRP_NOCACH or IRP_PAGING_IO, it is execution in step 603 then, otherwise, transparent encryption and decryption module does not process, but the default processing function PassThroughLowerDriver of call operation system;
Step 603: preserve Read Irp and be with the Buffer pointer, application and the onesize SwapBuffer of Buffer;
Step 604: former Buffer is replaced with SwapBuffer, set up into routine ReadProcCompletion, wait for the return results that the bottom filter drive program is handled then;
Step 605: finish routine and be activated, transparent encryption and decryption module is decrypted the data among the SwapBuffer with key, and data copy among the former Buffer after will deciphering;
Step 606: reduction Irp Buffer pointer Irp->MdlAddress and Irp->UserBuffer;
Step 607: the digital content after the deciphering is shown to the user.
Referring to Fig. 7, ciphertext is carried out write operation may further comprise the steps:
Step 701: application program sends the IRP_MJ_WRITE request;
Step 702: transparent encryption and decryption module is intercepted and captured the IRP_MJ_WRITE request, judging whether Irp->Flags is IRP_NOCACHE or IRP_PAGING_IO, is execution in step 703 then, otherwise PassThroughLowerDriver (Irp), transparent encryption and decryption module does not process, and directly returns;
Step 703: preserve Write Irp and be with the Buffer pointer, apply for onesize SwapBuffer;
Step 704: data among the Buffer are encrypted and data encrypted is copied among the SwapBuffer;
Step 705: former Buffer is replaced with SwapBuffer, set up into routine (WriteProcCompletion), wait for the return results that the bottom filter drive program is handled, whether successful as write operation, write how many bytes;
Step 706: finish routine and be activated, reduction Irp Buffer pointer Irp->MdlAddress and Irp->UserBuffer;
Step 707: the digital content after system will encrypt is saved on the computer disk.
In above-mentioned read-write process to digital content, the encryption and decryption operation is all carried out in SwapBuffer, original I rp with the data buffer zone be expressly, and the read-write of disk is ciphertext, so not only guaranteed that clear data does not land but also avoided operating issuable the conflict with application's data.
In addition, when in a plurality of digital contents of opening ciphertext being arranged, step 503 is further comprising the steps of: transparent encryption and decryption module is created a new Archive sit to it when ciphertext is opened, kernel list structure (ListEntry) in the data structure is chained list with the Archive sit series connection of all ciphertexts of opening, plaintext and ciphertext in the digital content of opening with differentiation, when ciphertext was closed, its node was deleted.
Referring to Fig. 8, access control module obtains corresponding authority information by communication agent from permission server in the step 505, and may further comprise the steps according to the process that authority information is carried out fine-grained control of authority:
Step 801: the user opens protected digit content by application program, and application program sends the opening operation request of content;
Step 802: access control module is intercepted and captured the opening operation request of application program, obtains the complete trails of digital content by the data structure of transparent encryption and decryption module structure;
Step 803: access control module sends request by communication agent to permission server according to the complete trails of digital content, and permission server returns the content ID and the corresponding authority information of digital content;
Step 804: access control module is carried out fine-grained control of authority according to the authority information that obtains, and comprises the availability of menu, button, the control of modes such as pulling between the copy and paste of clipbook, the program, OLE exchanges data, screenshotss.
In order to reach the purpose that defence is in advance followed the trail of afterwards, detailed Operation Log has been write down in all key operations that the client control module is carried out the user (as open, preserve, deposit in addition, printing etc.), and all journalizing information can be by administrative center's inquiry of service end.
Claims (12)
1. the digital content safeguard system based on transparent encryption and decryption is made up of client and service end, it is characterized in that:
Described client comprises:
Transparent encryption and decryption module, mutual with the communication agent module, be used to receive the encrypt digital content request that application program is sent by the communication agent module, and according to asking encrypt digital content; Opening, in the reading and writing operating process, dynamically obtaining required key, authority information by the communication agent module from service end, and accessed digital content is carried out dynamic encryption and decryption according to these information;
The Certificate Authority module, mutual with the communication agent module, send the authentication information request to the service end permission server, return identity information according to permission server login user is carried out authentication, obtain authority information from the service end permission server simultaneously, the user is controlled according to identity information and authority information; The user can carry out ciphertext mandate distribution for other users by the Certificate Authority module;
Monitoring module, mutual with the communication agent module, recording user is to the use of system, to the operation of digital content; Import the permission server of service end into and be kept in the database by the Operation Log of communication agent module, so that the use of digital content is audited and followed the trail of record;
Access control module, mutual with the communication agent module, be used for the user digital content process that conducts interviews is intercepted and captured the opening operation of application program to digital content, obtain the complete trails of digital content by the data structure of transparent encryption and decryption module structure; Obtain the content ID and the corresponding authority information of digital content according to the complete trails of digital content from the permission server of service end, according to the use of authority information control user to ciphertext;
The communication agent module, in order to communicating to connect between other each modules of client and each module of service end, send various requests or receive the request return information, transmit client and service end desired data, the isomery of shielding server supports offline mode to use this system;
Described service end comprises:
Administrative center for the system manager provides the unified connection interface that system user is managed, comprises and adds new user, interpolation user grouping, when the user registers user identity is verified, checks the Operation Log of user to digital content;
Permission server, by communication agent with each module exchange message of client, receive ID authentication request, authority information request or key information request that each module of client is sent, from database, obtain data, return to the information needed of each module of client according to respective request;
Database is in order to preserve client identity authentication information, the authority information of digital content, key information, User operation log;
The administrative center of service end is connected with database respectively with permission server, and service end is connected with permission server by the communication agent module with client.
2. the described digital content safeguard system based on transparent encryption and decryption of claim 1 is characterized in that to the encryption protecting method of digital content this method may further comprise the steps:
Step 201: the user to need to select the digital content of encipherment protection by application program, comprises and selects a file, a plurality of files of disposable selection or select whole file;
Step 202: application program sends the request of encryption to the communication agent module;
Step 203: the communication agent module is transmitted to transparent encryption and decryption module after receiving the request of encryption;
Step 204: after transparent encryption and decryption module is received request, request is kept in the request chained list of self maintained;
Step 205: when closing application program, the encrypt digital content that transparent encryption and decryption module is selected the user, and add encryption identification at the afterbody of digital content, and be used for distinguishing expressly and ciphertext, send encryption key to the permission server storage by the communication agent module simultaneously;
Step 206: after encrypting end, transparent encryption and decryption module writes disk to ciphertext and preserves.
3. method as claimed in claim 2 is characterized in that, described encryption identification part is as follows:
301. flag bit indicates that whether this content is protected content, takies 128 bytes;
302. content ID, digital content of unique identification is made up of current time (being accurate to second), MAC Address and 16 random character sequence three parts, takies 256 bytes;
303. content type is used for the initial form information of storing digital content, is MS001 as the Word document in the definition Office document, the Excel Doctype is MS002 etc., takies 256 bytes;
304. cryptographic algorithm is used for storing the encryption algorithm type that this digital content adopts, so that adopt identical algorithm when follow-up encryption and decryption operation, takies 256 bytes;
305. reserved byte for follow-up expansion provides headspace, takies 128 bytes.
4. the method for the ciphertext mandate distribution of the described digital content safeguard system based on transparent encryption and decryption of claim 1 is characterized in that, may further comprise the steps:
Step 401: the user selects protected content by application program;
Step 402: user and authority information that the user need authorize by the application program selection send authorization requests to the Certificate Authority module;
Step 403: the Certificate Authority module receives authorization requests, sends the renewal authority request by the communication agent module to the service end permission server, comprises former authority is got common factor or union; Permission server upgrades user's authority information and return results;
Step 404: the Certificate Authority module is received the request return information, protected digital content mode such as is shared by USB flash disk, email, network be distributed to authorized user, and the user uses according to the authority of authorizing after receiving digital content;
5. the dynamic encryption and decryption method of the described digital content safeguard system based on transparent encryption and decryption of claim 1 is characterized in that, described dynamic encryption and decryption method is opened in digital content, carry out in the reading and writing operation, wherein:
Described digital content opening procedure may further comprise the steps:
Step 501: the protected digital content that the user need open by the application program selection;
Step 502: application program sends the IRP_MJ_CREATE request to transparent encryption and decryption module;
Step 503: after transparent encryption and decryption module is intercepted and captured the IRP_MJ_CREATE request, whether the afterbody that structure IRP inquires about this digital content has encryption indicator, if any, show that this digital content is a ciphertext, then the construction data structure writes down this document relevant information, so that in the subsequent operation of all being opened digital content, distinguish plaintext and ciphertext, empty system cache then, jump to step 504; If there is not encryption identification, then show not to be ciphertext to jump to step 506; The data structure of this transparent encryption and decryption module structure comprises with the lower part:
1) ListEntry is Windows kernel list structure;
2) FsContext, reality is the pointer of digital content controll block FCB, this digital content of unique sign;
3) Pid is for visiting the process ID of this digital content;
4) FilePath, the storing digital content complete trails;
Step 504: transparent encryption and decryption module is obtained content ID from the encryption identification of ciphertext, according to this content ID, obtain authority information and the key information of user by communication agent from permission server to this ciphertext, judge according to user's authority information whether the user has authority to open this content, if have, then use this content of corresponding secret key decryption, execution in step 505 then; Otherwise, will not decipher, application prompts user haves no right to open;
Step 505: access control module obtains right of digital content information by communication agent from permission server, carry out fine-grained control of authority according to authority information, the availability that comprises menu, button, the control of pulling between the copy and paste of clipbook, the program, OLE exchanges data, screenshotss;
Step 506: digital content is shown to the user;
Describedly ciphertext is carried out read operation may further comprise the steps:
Step 601: application program sends the IRP_MJ_READ request to the bottom filter drive program;
Step 602: after transparent encryption and decryption module is received the IRP_MJ_READ request, judge whether Irp->Flags is IRP_NOCACH or IRP_PAGING_IO, it is execution in step 603 then, otherwise, transparent encryption and decryption module does not process, but the default processing function PassThroughLowerDriver of call operation system;
Step 603: preserve Read Irp and be with the Buffer pointer, application and the onesize SwapBuffer of Buffer;
Step 604: former Buffer is replaced with SwapBuffer, set up into routine ReadProcCompletion, wait for the return results that filter drive program is handled then;
Step 605: finish routine and be activated, transparent encryption and decryption module is decrypted the data among the SwapBuffer with key, and data copy among the former Buffer after will deciphering;
Step 606: reduction Irp Buffer pointer Irp->MdlAddress and Irp->UserBuffer;
Step 607: the digital content after the deciphering is shown to the user;
Describedly ciphertext is carried out write operation may further comprise the steps:
Step 701: application program sends the IRP_MJ_WRITE request;
Step 702: transparent encryption and decryption module is intercepted and captured the IRP_MJ_WRITE request, judging whether Irp->Flags is IRP_NOCACHE or IRP_PAGING_IO, is execution in step 703 then, otherwise PassThroughLowerDriver (Irp), transparent encryption and decryption module does not process, and directly returns;
Step 703: preserve Write Irp and be with the Buffer pointer, apply for onesize SwapBuffer;
Step 704: data among the Buffer are encrypted and data encrypted is copied among the SwapBuffer;
Step 705: former Buffer is replaced with SwapBuffer, set up into routine (WriteProcCompletion), wait for the return results that the bottom filter drive program is handled;
Step 706: finish routine and be activated, reduction Irp Buffer pointer Irp->MdlAddress and Irp->UserBuffer;
Step 707: the digital content after system will encrypt is saved on the computer disk.
6. method as claimed in claim 5, it is characterized in that, when in a plurality of digital contents of opening ciphertext being arranged, step 503 is further comprising the steps of: transparent encryption and decryption module is created a new Archive sit to it when ciphertext is opened, kernel list structure (ListEntry) in the data structure is chained list with the Archive sit series connection of all ciphertexts of opening, plaintext and ciphertext in the digital content of opening with differentiation, when ciphertext was closed, its node was deleted.
7. method as claimed in claim 5 is characterized in that, in step 505, access control module obtains corresponding authority information by communication agent from permission server, and may further comprise the steps according to the process that authority information is carried out fine-grained control of authority:
Step 801: the user opens protected digit content by application program, and application program sends the opening operation request of content;
Step 802: access control module is intercepted and captured the opening operation request of application program, obtains the complete trails of digital content by the data structure of transparent encryption and decryption module structure;
Step 803: access control module sends request by communication agent to permission server according to the complete trails of digital content, and permission server returns the content ID and the corresponding authority information of digital content;
Step 804: access control module is carried out fine-grained control of authority according to the authority information that obtains, and comprises the availability of menu, button, the control of modes such as pulling between the copy and paste of clipbook, the program, OLE exchanges data, screenshotss.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009102188809A CN101729550B (en) | 2009-11-09 | 2009-11-09 | Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009102188809A CN101729550B (en) | 2009-11-09 | 2009-11-09 | Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101729550A true CN101729550A (en) | 2010-06-09 |
| CN101729550B CN101729550B (en) | 2012-07-25 |
Family
ID=42449751
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2009102188809A Expired - Fee Related CN101729550B (en) | 2009-11-09 | 2009-11-09 | Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101729550B (en) |
Cited By (50)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101860438A (en) * | 2010-06-30 | 2010-10-13 | 上海华御信息技术有限公司 | Local data secret leakage prevention system and method based on secret-related data flow direction encryption |
| CN101977190A (en) * | 2010-10-25 | 2011-02-16 | 北京中科联众科技有限公司 | Digital content encryption transmission method and server side |
| CN102202062A (en) * | 2011-06-03 | 2011-09-28 | 苏州九州安华信息安全技术有限公司 | Method and apparatus for realizing access control |
| CN102280929A (en) * | 2010-06-13 | 2011-12-14 | 中国电子科技集团公司第三十研究所 | System for information safety protection of electric power supervisory control and data acquisition (SCADA) system |
| CN102542182A (en) * | 2010-12-15 | 2012-07-04 | 苏州凌霄科技有限公司 | Device and method for controlling mandatory access based on Windows platform |
| CN102609667A (en) * | 2012-02-22 | 2012-07-25 | 浙江机电职业技术学院 | Automatic file encryption and decryption system and automatic file encryption and decryption method based on filter drive program |
| CN102609637A (en) * | 2011-12-20 | 2012-07-25 | 北京友维科软件科技有限公司 | Audit protection system for data leakage |
| CN102685086A (en) * | 2011-04-14 | 2012-09-19 | 天脉聚源(北京)传媒科技有限公司 | File access method and system |
| CN102739793A (en) * | 2012-07-03 | 2012-10-17 | 厦门简帛信息科技有限公司 | Intelligent terminal, management system and method of digital resource |
| CN103078866A (en) * | 2013-01-14 | 2013-05-01 | 成都西可科技有限公司 | Transparent encryption method for mobile platform |
| CN103095482A (en) * | 2011-11-07 | 2013-05-08 | 上海宝信软件股份有限公司 | Program development maintenance system |
| CN103164659A (en) * | 2011-12-13 | 2013-06-19 | 联想(北京)有限公司 | Method for realizing data storage safety and electronic device |
| CN103269343A (en) * | 2013-05-21 | 2013-08-28 | 福建畅云安鼎信息科技有限公司 | Business data safety control platform |
| CN103488949A (en) * | 2013-09-17 | 2014-01-01 | 上海颐东网络信息有限公司 | Electronic document security system |
| CN103632107A (en) * | 2012-08-23 | 2014-03-12 | 苏州慧盾信息安全科技有限公司 | Mobile terminal information safety protection system and method |
| CN103679050A (en) * | 2013-12-31 | 2014-03-26 | 中国电子科技集团公司第三研究所 | Security management method for enterprise-level electronic documents |
| CN103995990A (en) * | 2014-05-14 | 2014-08-20 | 江苏敏捷科技股份有限公司 | Method for preventing electronic documents from divulging secrets |
| CN104063633A (en) * | 2014-04-29 | 2014-09-24 | 航天恒星科技有限公司 | Safe auditing system based on filter driver |
| CN104145444A (en) * | 2012-02-29 | 2014-11-12 | 良好科技公司 | Method of operating a computing device, computing device and computer program |
| CN104243149A (en) * | 2013-06-19 | 2014-12-24 | 北京搜狗科技发展有限公司 | Encrypting and decrypting method, device and server |
| CN104424404A (en) * | 2013-09-07 | 2015-03-18 | 镇江金软计算机科技有限责任公司 | Implementation method for realizing third-party escrow system through authorization management |
| CN104683477A (en) * | 2015-03-18 | 2015-06-03 | 哈尔滨工程大学 | Sharing file operation filtering method based on SMB protocol |
| CN104680079A (en) * | 2015-02-04 | 2015-06-03 | 上海信息安全工程技术研究中心 | Electronic document security management system and electronic document security management method |
| CN104915601A (en) * | 2014-03-12 | 2015-09-16 | 三星电子株式会社 | System and method of encrypting folder in device |
| CN105095693A (en) * | 2015-07-13 | 2015-11-25 | 江苏简果科技发展有限公司 | Method and system for safely sharing digital asset based on Internet |
| CN105337954A (en) * | 2014-10-22 | 2016-02-17 | 航天恒星科技有限公司 | Method and device for encryption and decryption of IP message in satellite communication |
| CN105471832A (en) * | 2014-10-22 | 2016-04-06 | 航天恒星科技有限公司 | Processing method and device of IP packet in satellite communication |
| CN105574429A (en) * | 2015-11-30 | 2016-05-11 | 东莞酷派软件技术有限公司 | File data encryption and decryption method and device and terminal |
| CN105893852A (en) * | 2015-06-04 | 2016-08-24 | 济南亚东软件科技有限公司 | First author leakage prevention application system based on Windows EFS transparent encryption |
| CN105981009A (en) * | 2014-02-14 | 2016-09-28 | 瑞典爱立信有限公司 | Caching of encrypted content |
| CN106209891A (en) * | 2016-07-26 | 2016-12-07 | 广东道易鑫物联网科技有限公司 | A kind of means of communication based on D BUS communications protocol |
| CN107196932A (en) * | 2017-05-18 | 2017-09-22 | 北京计算机技术及应用研究所 | Managing and control system in a kind of document sets based on virtualization |
| CN107466035A (en) * | 2017-07-20 | 2017-12-12 | 北京奇安信科技有限公司 | A kind of method and device for the automatic test for simulating radio node |
| CN107967430A (en) * | 2014-10-28 | 2018-04-27 | 深圳市大成天下信息技术有限公司 | A kind of document protection method, equipment and system |
| CN108111508A (en) * | 2017-12-19 | 2018-06-01 | 浙江维融电子科技股份有限公司 | A kind of print control instrument security protection system |
| CN108229190A (en) * | 2018-01-02 | 2018-06-29 | 北京亿赛通科技发展有限责任公司 | Control method, device, program, storage medium and the electronic equipment of transparent encryption and decryption |
| CN108334787A (en) * | 2017-01-19 | 2018-07-27 | 珠海金山办公软件有限公司 | A kind of security document management system |
| CN108399341A (en) * | 2018-01-17 | 2018-08-14 | 中国地质大学(武汉) | A kind of Windows dualized file managing and control systems based on mobile terminal |
| CN108459973A (en) * | 2018-04-03 | 2018-08-28 | 清华大学 | The method of controlling security of processor, device and system |
| CN109558451A (en) * | 2018-11-14 | 2019-04-02 | 咪咕文化科技有限公司 | A kind of data managing method and system, storage medium |
| CN109670325A (en) * | 2018-12-21 | 2019-04-23 | 北京思源互联科技有限公司 | A kind of devices and methods therefor of configuration file encryption and decryption |
| CN109885994A (en) * | 2019-01-08 | 2019-06-14 | 深圳禾思众成科技有限公司 | A kind of offline identity authorization system, equipment and computer readable storage medium |
| CN109995735A (en) * | 2017-12-31 | 2019-07-09 | 中国移动通信集团重庆有限公司 | Downloading and application method, server, client, system, equipment and medium |
| CN110752929A (en) * | 2019-09-29 | 2020-02-04 | 华为终端有限公司 | Application program processing method and related product |
| CN110971580A (en) * | 2018-09-30 | 2020-04-07 | 北京国双科技有限公司 | Authority control method and device |
| CN111159758A (en) * | 2019-12-18 | 2020-05-15 | 深信服科技股份有限公司 | Identification method, device and storage medium |
| CN111310213A (en) * | 2020-02-20 | 2020-06-19 | 苏州浪潮智能科技有限公司 | Service data protection method, device, equipment and readable storage medium |
| CN112632625A (en) * | 2020-12-31 | 2021-04-09 | 深圳昂楷科技有限公司 | Database security gateway system, data processing method and electronic equipment |
| CN113806785A (en) * | 2021-10-11 | 2021-12-17 | 北京晓航众芯科技有限公司 | Method and system for carrying out safety protection on electronic document |
| CN114338629A (en) * | 2020-09-25 | 2022-04-12 | 北京金山云网络技术有限公司 | Data processing method, device, equipment and medium |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100568251C (en) * | 2006-03-23 | 2009-12-09 | 沈明峰 | The guard method of security files under cooperative working environment |
| CN101098224B (en) * | 2006-06-28 | 2010-08-25 | 中色科技股份有限公司 | Method for encrypting/deciphering dynamically data file |
| CN100592313C (en) * | 2008-04-30 | 2010-02-24 | 李硕 | Electric document anti-disclosure system and its implementing method |
-
2009
- 2009-11-09 CN CN2009102188809A patent/CN101729550B/en not_active Expired - Fee Related
Cited By (74)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102280929A (en) * | 2010-06-13 | 2011-12-14 | 中国电子科技集团公司第三十研究所 | System for information safety protection of electric power supervisory control and data acquisition (SCADA) system |
| CN102280929B (en) * | 2010-06-13 | 2013-07-03 | 中国电子科技集团公司第三十研究所 | System for information safety protection of electric power supervisory control and data acquisition (SCADA) system |
| CN101860438A (en) * | 2010-06-30 | 2010-10-13 | 上海华御信息技术有限公司 | Local data secret leakage prevention system and method based on secret-related data flow direction encryption |
| CN101977190A (en) * | 2010-10-25 | 2011-02-16 | 北京中科联众科技有限公司 | Digital content encryption transmission method and server side |
| CN101977190B (en) * | 2010-10-25 | 2013-05-08 | 北京中科联众科技股份有限公司 | Digital content encryption transmission method and server side |
| CN102542182A (en) * | 2010-12-15 | 2012-07-04 | 苏州凌霄科技有限公司 | Device and method for controlling mandatory access based on Windows platform |
| CN102685086A (en) * | 2011-04-14 | 2012-09-19 | 天脉聚源(北京)传媒科技有限公司 | File access method and system |
| CN102202062A (en) * | 2011-06-03 | 2011-09-28 | 苏州九州安华信息安全技术有限公司 | Method and apparatus for realizing access control |
| CN102202062B (en) * | 2011-06-03 | 2013-12-25 | 苏州九州安华信息安全技术有限公司 | Method and apparatus for realizing access control |
| CN103095482B (en) * | 2011-11-07 | 2015-10-21 | 上海宝信软件股份有限公司 | Program development maintenance system |
| CN103095482A (en) * | 2011-11-07 | 2013-05-08 | 上海宝信软件股份有限公司 | Program development maintenance system |
| CN103164659A (en) * | 2011-12-13 | 2013-06-19 | 联想(北京)有限公司 | Method for realizing data storage safety and electronic device |
| CN102609637A (en) * | 2011-12-20 | 2012-07-25 | 北京友维科软件科技有限公司 | Audit protection system for data leakage |
| CN102609667A (en) * | 2012-02-22 | 2012-07-25 | 浙江机电职业技术学院 | Automatic file encryption and decryption system and automatic file encryption and decryption method based on filter drive program |
| CN104145444A (en) * | 2012-02-29 | 2014-11-12 | 良好科技公司 | Method of operating a computing device, computing device and computer program |
| CN104145444B (en) * | 2012-02-29 | 2018-07-06 | 黑莓有限公司 | Operate method, computing device and the computer program of computing device |
| CN102739793A (en) * | 2012-07-03 | 2012-10-17 | 厦门简帛信息科技有限公司 | Intelligent terminal, management system and method of digital resource |
| CN103632107B (en) * | 2012-08-23 | 2017-10-13 | 慧盾信息安全科技(苏州)股份有限公司 | A kind of information of mobile terminal security protection system and method |
| CN103632107A (en) * | 2012-08-23 | 2014-03-12 | 苏州慧盾信息安全科技有限公司 | Mobile terminal information safety protection system and method |
| CN103078866A (en) * | 2013-01-14 | 2013-05-01 | 成都西可科技有限公司 | Transparent encryption method for mobile platform |
| CN103078866B (en) * | 2013-01-14 | 2015-11-04 | 成都西可科技有限公司 | Mobile platform transparent encryption method |
| CN103269343B (en) * | 2013-05-21 | 2017-08-25 | 福建畅云安鼎信息科技有限公司 | Business datum safety control platform |
| CN103269343A (en) * | 2013-05-21 | 2013-08-28 | 福建畅云安鼎信息科技有限公司 | Business data safety control platform |
| CN104243149B (en) * | 2013-06-19 | 2018-05-29 | 北京搜狗科技发展有限公司 | Encrypt and Decrypt method, device and server |
| CN104243149A (en) * | 2013-06-19 | 2014-12-24 | 北京搜狗科技发展有限公司 | Encrypting and decrypting method, device and server |
| CN104424404A (en) * | 2013-09-07 | 2015-03-18 | 镇江金软计算机科技有限责任公司 | Implementation method for realizing third-party escrow system through authorization management |
| CN103488949A (en) * | 2013-09-17 | 2014-01-01 | 上海颐东网络信息有限公司 | Electronic document security system |
| CN103488949B (en) * | 2013-09-17 | 2016-08-17 | 上海颐东网络信息有限公司 | A kind of electronic document security system |
| CN103679050A (en) * | 2013-12-31 | 2014-03-26 | 中国电子科技集团公司第三研究所 | Security management method for enterprise-level electronic documents |
| CN105981009B (en) * | 2014-02-14 | 2019-12-03 | 瑞典爱立信有限公司 | The caching of encrypted content |
| CN105981009A (en) * | 2014-02-14 | 2016-09-28 | 瑞典爱立信有限公司 | Caching of encrypted content |
| CN104915601A (en) * | 2014-03-12 | 2015-09-16 | 三星电子株式会社 | System and method of encrypting folder in device |
| CN104915601B (en) * | 2014-03-12 | 2019-04-19 | 三星电子株式会社 | The system and method that file in device is encrypted |
| US10521602B2 (en) | 2014-03-12 | 2019-12-31 | Samsung Electronics Co., Ltd. | System and method of encrypting folder in device |
| US11328079B2 (en) | 2014-03-12 | 2022-05-10 | Samsung Electronics Co., Ltd. | System and method of encrypting folder in device |
| CN104063633B (en) * | 2014-04-29 | 2017-05-31 | 航天恒星科技有限公司 | A kind of safety auditing system based on filtration drive |
| CN104063633A (en) * | 2014-04-29 | 2014-09-24 | 航天恒星科技有限公司 | Safe auditing system based on filter driver |
| CN103995990A (en) * | 2014-05-14 | 2014-08-20 | 江苏敏捷科技股份有限公司 | Method for preventing electronic documents from divulging secrets |
| CN105337954A (en) * | 2014-10-22 | 2016-02-17 | 航天恒星科技有限公司 | Method and device for encryption and decryption of IP message in satellite communication |
| CN105471832A (en) * | 2014-10-22 | 2016-04-06 | 航天恒星科技有限公司 | Processing method and device of IP packet in satellite communication |
| CN107967430B (en) * | 2014-10-28 | 2019-10-18 | 深圳市大成天下信息技术有限公司 | A kind of document protection method, equipment and system |
| CN107967430A (en) * | 2014-10-28 | 2018-04-27 | 深圳市大成天下信息技术有限公司 | A kind of document protection method, equipment and system |
| CN104680079A (en) * | 2015-02-04 | 2015-06-03 | 上海信息安全工程技术研究中心 | Electronic document security management system and electronic document security management method |
| CN104683477B (en) * | 2015-03-18 | 2018-08-31 | 哈尔滨工程大学 | A kind of shared file operation filter method based on SMB agreements |
| CN104683477A (en) * | 2015-03-18 | 2015-06-03 | 哈尔滨工程大学 | Sharing file operation filtering method based on SMB protocol |
| CN105893852A (en) * | 2015-06-04 | 2016-08-24 | 济南亚东软件科技有限公司 | First author leakage prevention application system based on Windows EFS transparent encryption |
| CN105095693A (en) * | 2015-07-13 | 2015-11-25 | 江苏简果科技发展有限公司 | Method and system for safely sharing digital asset based on Internet |
| CN105574429A (en) * | 2015-11-30 | 2016-05-11 | 东莞酷派软件技术有限公司 | File data encryption and decryption method and device and terminal |
| CN106209891A (en) * | 2016-07-26 | 2016-12-07 | 广东道易鑫物联网科技有限公司 | A kind of means of communication based on D BUS communications protocol |
| CN108334787A (en) * | 2017-01-19 | 2018-07-27 | 珠海金山办公软件有限公司 | A kind of security document management system |
| CN107196932A (en) * | 2017-05-18 | 2017-09-22 | 北京计算机技术及应用研究所 | Managing and control system in a kind of document sets based on virtualization |
| CN107466035A (en) * | 2017-07-20 | 2017-12-12 | 北京奇安信科技有限公司 | A kind of method and device for the automatic test for simulating radio node |
| CN107466035B (en) * | 2017-07-20 | 2019-11-15 | 奇安信科技集团股份有限公司 | A kind of method and device of automatic test that simulating radio node |
| CN108111508A (en) * | 2017-12-19 | 2018-06-01 | 浙江维融电子科技股份有限公司 | A kind of print control instrument security protection system |
| CN109995735A (en) * | 2017-12-31 | 2019-07-09 | 中国移动通信集团重庆有限公司 | Downloading and application method, server, client, system, equipment and medium |
| CN108229190A (en) * | 2018-01-02 | 2018-06-29 | 北京亿赛通科技发展有限责任公司 | Control method, device, program, storage medium and the electronic equipment of transparent encryption and decryption |
| CN108399341B (en) * | 2018-01-17 | 2020-10-30 | 中国地质大学(武汉) | Windows dual file management and control system based on mobile terminal |
| CN108399341A (en) * | 2018-01-17 | 2018-08-14 | 中国地质大学(武汉) | A kind of Windows dualized file managing and control systems based on mobile terminal |
| CN108459973A (en) * | 2018-04-03 | 2018-08-28 | 清华大学 | The method of controlling security of processor, device and system |
| CN108459973B (en) * | 2018-04-03 | 2022-03-18 | 清华大学 | Safety control method, device and system for processor |
| CN110971580A (en) * | 2018-09-30 | 2020-04-07 | 北京国双科技有限公司 | Authority control method and device |
| CN110971580B (en) * | 2018-09-30 | 2022-05-17 | 北京国双科技有限公司 | Authority control method and device |
| CN109558451B (en) * | 2018-11-14 | 2022-06-10 | 咪咕文化科技有限公司 | Data management method and system and storage medium |
| CN109558451A (en) * | 2018-11-14 | 2019-04-02 | 咪咕文化科技有限公司 | A kind of data managing method and system, storage medium |
| CN109670325A (en) * | 2018-12-21 | 2019-04-23 | 北京思源互联科技有限公司 | A kind of devices and methods therefor of configuration file encryption and decryption |
| CN109885994A (en) * | 2019-01-08 | 2019-06-14 | 深圳禾思众成科技有限公司 | A kind of offline identity authorization system, equipment and computer readable storage medium |
| CN110752929B (en) * | 2019-09-29 | 2022-04-22 | 华为终端有限公司 | Application program processing method and related product |
| CN110752929A (en) * | 2019-09-29 | 2020-02-04 | 华为终端有限公司 | Application program processing method and related product |
| CN111159758A (en) * | 2019-12-18 | 2020-05-15 | 深信服科技股份有限公司 | Identification method, device and storage medium |
| CN111310213A (en) * | 2020-02-20 | 2020-06-19 | 苏州浪潮智能科技有限公司 | Service data protection method, device, equipment and readable storage medium |
| CN114338629A (en) * | 2020-09-25 | 2022-04-12 | 北京金山云网络技术有限公司 | Data processing method, device, equipment and medium |
| CN112632625A (en) * | 2020-12-31 | 2021-04-09 | 深圳昂楷科技有限公司 | Database security gateway system, data processing method and electronic equipment |
| CN113806785A (en) * | 2021-10-11 | 2021-12-17 | 北京晓航众芯科技有限公司 | Method and system for carrying out safety protection on electronic document |
| CN113806785B (en) * | 2021-10-11 | 2023-12-08 | 北京晓航众芯科技有限公司 | Method and system for carrying out security protection on electronic document |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101729550B (en) | 2012-07-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101729550B (en) | Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof | |
| CN102710633B (en) | Cloud security management system of security electronic documents and method | |
| CN100592313C (en) | Electric document anti-disclosure system and its implementing method | |
| CN103530570B (en) | A kind of electronic document safety management system and method | |
| CN100371847C (en) | Method for ciphering and diciphering of file, safety managing storage apparatus and system method thereof | |
| JP4759513B2 (en) | Data object management in dynamic, distributed and collaborative environments | |
| CN101853363B (en) | File protection method and system | |
| CN101361076B (en) | Mobile memory system for secure storage and delivery of media content | |
| CN103763313B (en) | File protection method and system | |
| CN101547199B (en) | Electronic document safety guarantee system and method | |
| CN101120355B (en) | System for creating control structure for versatile content control | |
| CN201682524U (en) | Document transfer authority control system based on document filtering driver | |
| CN109063499B (en) | Flexible configurable electronic file region authorization method and system | |
| CN104834835B (en) | A kind of general digital rights protection method under windows platform | |
| CN103679050A (en) | Security management method for enterprise-level electronic documents | |
| CN102799539A (en) | Safe USB flash disk and data active protection method thereof | |
| CN101840471A (en) | Document right control method and device | |
| CN103413100A (en) | File security protection system | |
| US20120233712A1 (en) | Method and Device for Accessing Control Data According to Provided Permission Information | |
| CN104778954B (en) | A kind of CD subregion encryption method and system | |
| CN104239812A (en) | Local area network data safety protection method and system | |
| CN101132275B (en) | Safety system for implementing use right of digital content | |
| US8321915B1 (en) | Control of access to mass storage system | |
| US8296826B1 (en) | Secure transfer of files | |
| KR20000000410A (en) | System and method for security management on distributed PC |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20120725 Termination date: 20141109 |
|
| EXPY | Termination of patent right or utility model |