CN102999732A - Multi-stage domain protection method and system based on information security level identifiers - Google Patents


Info

Publication number: CN102999732A
Authority: CN (China)
Prior art keywords: ciphertext, security level, level identification, file system, request
Legal status: Granted; active
Application number: CN2012104830765A
Other languages: Chinese (zh)
Other versions: CN102999732B (en)
Inventors: 林文美, 缪品章, 翁鲲鹏, 王美, 方演
Current assignee: Fuchun Polytron Technologies Inc
Original assignee: FUCHUN COMMUNICATION Co Ltd
Application filed by FUCHUN COMMUNICATION Co Ltd
Priority to CN201210483076.5A
Publication of CN102999732A
Application granted
Publication of CN102999732B

Abstract

The invention provides a multi-stage domain protection method and a multi-stage domain protection system based on information security level identifiers. Dynamic encryption/decryption of confidential documents is realized on the basis of security level identifiers including a creator identifier, a document identifier and a domain security level identifier, so that fine-grained access of validated users is realized, and the problem of information disclosure threat existing in a series of processes including generation, access, circulation and destruction of information of different security levels is solved.

Description

Multilevel domain protection method and system based on information security level identifiers
Technical field
The present invention relates to the field of computer security, and in particular to a multilevel domain protection method and system based on information security level identifiers.
Background art
Social informatization brings convenience to everyone, but it has also brought numerous security threats. For security reasons, classified networks are usually partitioned into security domains by classification level, and national requirements demand reliable technical measures that forbid information flowing from a higher-security-level domain to a lower-security-level one. The many trade secrets handled on a corporate intranet likewise need to be confined to the smallest need-to-know scope to prevent leakage. Security domain management and information flow control based on security level identifiers are the direction and the key to solving this problem. In the field of multilevel security domains there is as yet no mature technology that solves it completely, but file system filter driver technology has been adopted to protect data in related areas such as trusted-computer data security and file encryption.
For example, Chinese invention patent application 200610096441.1, entitled "A computer data security protection method", discloses a method that uses the kernel driver framework of the Microsoft operating system and a modified file system filter driver technique: a file system filter driver module is embedded between the I/O manager and the file system driver layer module; the legitimacy of the logged-in user is confirmed by the key held in an electronic key together with the user's login password; the I/O manager then passes data packets to the filter driver module for encryption/decryption and authentication processing before handing them to the file system driver layer module, thereby achieving computer data protection that is completely transparent to legitimate users.
Shortcoming 1: that invention is applied only to general computer data protection. It cannot provide fine-grained control and does not implement graded protection of information at different security levels, so any user who holds the electronic key can access classified information of every level.
Shortcoming 2: it provides no monitoring or interception of information as it circulates across multilevel security domains, let alone a real-time monitoring and alarm facility to prevent leakage.
Shortcoming 3: it does not audit user behaviour, so information leakage incidents cannot be audited and accountability cannot be enforced.
Summary of the invention
The object of the present invention is to overcome the above defects by providing a multilevel domain protection method and system based on information security level identifiers.
The object of the present invention is achieved as follows:
The beneficial effect of the present invention is that dynamic encryption/decryption of classified files is performed on the basis of a security level identifier comprising a creator identifier, a file identifier and a domain security level identifier, thereby achieving fine-grained access by legitimate users and addressing the leakage threat that information of different security levels faces throughout the series of processes generation, access, circulation and destruction.
Description of drawings
The specific structure of the present invention is described in detail below with reference to the accompanying drawings.
Fig. 1 is the system framework of the present invention and its constituent modules;
Fig. 2 is a flow diagram of an authenticated user creating a ciphertext file according to the present invention;
Fig. 3 is a flow diagram of a user accessing a ciphertext file according to the present invention;
Fig. 4 is a flow diagram of ciphertext circulation control according to the present invention.
Detailed description
To explain the technical content, structural features, objects and effects of the present invention in detail, it is described below with reference to embodiments and the accompanying drawings.
The present invention provides a multilevel domain protection method based on information security level identifiers, implemented by embedding a file system filter layer between the I/O manager of the operating system kernel driver framework and the file system driver layer, and comprising:
Creating ciphertext by an authenticated user:
After a write I/O request packet (IRP, I/O Request Packet) is received, a write IRP request is sent to the file system driver layer so that a security level identifier (preferably one of fixed length) is added to the file to be encrypted (most conveniently at the file header), the file is encrypted by the encryption algorithm, and it is then stored on the physical disk in ciphertext form. This step implements dynamic transparent encryption.
The encryption algorithm is itself recorded in the security level identifier. The security level identifier should further contain at least a creator identifier, a file identifier and a domain security level identifier, where the domain security level identifier corresponds to the domain in which the creating user resides and the creator identifier corresponds to the permission level of the creating user.
The creator identifier is named with the creation time; the benefit is that when the creator identifier is used as the file identifier, the file's creation time is also made explicit.
Preferably, the security level identifier comprises a file identifier (ID), a creator identifier, a modifier identifier, a last-reader identifier, a permission information identifier, a domain security level identifier, the encryption algorithm and the file size (L). Correspondingly, when a user successfully accesses a classified file, the client updates the last-reader identifier in the security level identifier to the current user after the access, so that it can be checked during later user behaviour auditing.
A user accessing ciphertext:
When a user is about to access a ciphertext file, the file system filter layer actively extracts the security level identifier of the target file and compares it with the permissions of the accessing user to decide whether that user may view the file, and hence whether an IRP is sent on to the file system driver layer to read and decrypt the classified information: only when the security level identifier matches the accessing user's permissions is a read IRP request sent to the file system driver layer to read the ciphertext, which is then decrypted.
Preferably, the encryption algorithm is a keyed cipher, and the keys used for encryption when creating ciphertext and for decryption when accessing it are distributed by the server.
As described above, the present invention uses the Microsoft operating system kernel driver framework to embed a file system filter layer and, together with key management located on the server and the access control policy, forms an information control engine that performs dynamic transparent encryption/decryption and fine-grained access control of classified information. It also guarantees that once classified information leaves this platform it cannot be opened in plaintext, because the key management module is absent. The information control engine is therefore the foundation of the whole protection system.
Ciphertext circulation control comprises:
Multilevel domain information flow control: when ciphertext circulates between domains of different levels, the ciphertext is intercepted and, according to the access policy, the domain security level identifier in its security level identifier is compared with the level of the current destination domain; if it is higher, the ciphertext is blocked, otherwise it is forwarded/released.
Same-level domain information flow control: when ciphertext circulates within a domain of the same level, the ciphertext is intercepted and, according to the access policy, the creator identifier in its security level identifier is compared with the receiving user's level; if it is higher, the ciphertext is blocked, otherwise it is released/forwarded.
Preferably, ciphertext circulation control is enforced by interception at a security gateway.
Consequently, if a user carries ciphertext out through an external interface such as a USB flash drive and tries to open it on a bare machine outside this system, it cannot be opened for lack of the server-distributed key. If it is copied to another domain, or to a bare machine in the same domain, the decryption process checks the domain level and the information security level identifier, so an unintended person fails to open it.
User behaviour auditing comprises:
Using the file identifier in the ciphertext's security level identifier as the identity label, performing log auditing of user behaviour and sending an alarm on dangerous operations, so that responsibility can be traced and activity monitored in real time.
Throughout the process, user behaviour auditing is tracked through the associated identifier (ID). When a user performs an operation such as reading, writing, modifying or circulating a file, a record is written to the server audit database, and operations that would cause information leakage raise an alarm.
Fig. 1 shows a system architecture that carries out the above method. The present invention is suited to a client/server architecture in which the client and the server are connected through an SSL secure channel, providing fine-grained access to classified files, security domain management and information flow control. The functions of the modules are as follows:
Domain management module: using a self-check scanning system, it identifies computers and devices, binds IP/MAC addresses, and displays the whole LAN topology with its PCs, servers and related equipment. It is the foundation of domain management and gives a visual presentation of the domains divided by security level.
User authentication module: at registration the administrator assigns each user a permission level according to the principle of least privilege, from top secret, secret, confidential, sensitive and public; at login, page redirection forces the user through SSL handshake authentication to establish a secure communication channel. When an authenticated user reads classified information, fine-grained access is enforced according to that user's permission level.
Information control engine: using the Windows kernel driver framework and a modified file system filter driver technique, a file system filter layer is embedded between the I/O manager and the file system driver layer. The filter layer attaches the security level identifier to the information header, intercepts and filters the IRP packets passed between driver layers during read/write operations, and, together with the server's key management module, performs dynamic transparent encryption/decryption. When a user creates a file, or is identified as having read permission on a file, the system creates an information security level identifier linked list in the kernel layer to associate permissions and speed up reads.
Log audit module: the file identifier (ID) in the security level identifier serves as the unique identity of a piece of classified information. By correlating on this ID the system tracks the information through the series of processes generation, access, circulation and destruction, forms log records, and raises pop-up alarms on users' violating operations, achieving real-time monitoring and accountability.
Key management module: the kernel reads and writes a file through many IRP read/write commands, and the encryption/decryption of each piece of read or written data must not change its length, so a length-preserving symmetric cipher is required; the keys needed for encryption and decryption are obtained from the server's key management module. The system can support multiple encryption algorithms, and the user can select the appropriate algorithm according to need when configuring policy.
Embodiments
In one embodiment, creation of ciphertext by an authenticated user, shown in Fig. 2, comprises the steps:
A1) page redirection (a common way of forcing authentication) forces the user through SSL handshake authentication, establishing a secure communication channel and connecting to the server;
A2) the client application (the software the user opens classified information with, for example Word) calls the operating system's file read/write function (such as CreateFile, the function called for reading and writing files in the Windows framework) and sends an IRP_MJ_WRITE write request to the I/O manager;
A3) the I/O manager extracts the process name, storage path, start address, data length, data to be stored and so on, builds the I/O request packet (IRP) for the write request, and sends the IRP to the file system filter layer;
A4) on receiving the packet, the file system filter driver layer actively sends an IRP write request to the file system driver layer asking it to add the security level identifier at the header of the file to be encrypted; at the same time it creates a security level identifier linked list for the corresponding local user to hold that identifier, updates it to the server, and completes encryption with the algorithm named in the security level identifier;
In this step the normal write must first be suspended so that the file system filter driver layer can add the security level identifier, which is why, after receiving the packet, the filter driver layer has to send an IRP write request to the file system driver layer itself.
A5) the file system filter driver layer sends the IRP packet, now carrying the security level identifier and encrypted in cooperation with the server, to the file system driver layer, and the classified information with its security level identifier is finally stored in ciphertext form (for example written to the physical disk).
The embodiment of a user accessing ciphertext, shown in Fig. 3, comprises the steps:
B1) page redirection forces the user through SSL handshake authentication, establishing a secure communication channel and connecting to the server;
B2) the client application calls the function interface provided by the system kernel and sends an IRP_MJ_READ read request to the I/O manager;
B3) the I/O manager extracts the process name, storage path, start address, data length and so on, builds the IRP for the read request, sends it to the file system filter layer, and waits for the ciphertext to be returned;
B4) the filter driver layer sends a security level identifier read command (IRP_QUERY_INFO) to the file system driver layer to obtain the security level identifier of the file being accessed;
B5) the file identifier in the security level identifier is compared with the user's security level identifier linked list: if it is already in the list, proceed to the next step; if not, compare permissions: if the creator identifier is higher than the receiving user's permission level, return an error; otherwise add this file to the security level identifier linked list, synchronise it to the server, and proceed;
B6) the file system filter driver layer sends the IRP to the file system driver layer;
B7) the file system driver layer reads the requested ciphertext and returns it to the file system filter layer;
B8) on receiving the returned ciphertext, the file system filter layer decrypts it with the algorithm named in the security level identifier and passes the decrypted data to the I/O manager;
B9) the I/O manager passes the data to the client application interface, completing the read request.
A classified organisation, or a corporate intranet with confidentiality requirements, can divide security domains of different levels according to its own needs and, following the principle of least privilege, assign users different roles and corresponding permissions. Accordingly, referring to Fig. 4, in ciphertext circulation control, and in particular in the access policy for multilevel domain information flow control, the steps may further comprise:
C1) compare the domain security level identifier in the ciphertext's security level identifier with the security level of the current destination domain; if it is higher, block the ciphertext, otherwise continue;
C2) judge whether the receiving user has permission to access this ciphertext; if so, continue, otherwise return an error;
C3) release/forward the ciphertext.
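The access decision of step B5, the circulation rules of steps C1 to C3 (which implement the multilevel-domain and same-level-domain flow controls described earlier) and the audit trail the log audit module keeps, as one added example; this is not the patent's or its assignee's code. The ordering of the five levels named for the user authentication module, the Header and User records, and an in-memory AuditDB standing in for the server audit database are assumptions made here.

```python
"""Read check (step B5), circulation control (steps C1-C3) and the audit
trail of the log audit module. Added example, not the patent's code.
Assumed here: the ordering of the five levels named for the user
authentication module, the Header/User records, and an in-memory AuditDB in
place of the server-side audit database."""
from dataclasses import dataclass, field

# Levels from the description, low to high (ordering assumed).
LEVELS = {"public": 0, "sensitive": 1, "confidential": 2, "secret": 3, "top_secret": 4}


@dataclass
class Header:
    """Only the identifier fields the policy reads (size, algorithm etc. omitted)."""
    file_id: str
    creator: str
    creator_level: int   # the creator ID corresponds to the creator's permission level
    domain_level: int    # security level of the domain the file was created in
    last_reader: str


@dataclass
class User:
    name: str
    level: int
    domain_level: int
    cache: set = field(default_factory=set)   # the per-user identifier linked list


@dataclass
class AuditDB:
    records: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def log(self, file_id, user, op, result):
        self.records.append((file_id, user, op, result))
        if result != "allow":                  # blocked operation -> real-time alarm
            self.alerts.append((file_id, user, op, result))


def may_read(hdr: Header, user: User, db: AuditDB) -> bool:
    """Step B5: a file already in the user's list passes; otherwise the creator's
    level must not exceed the reader's. On success the file is cached (and, in
    the real system, synced to the server) and last_reader is updated."""
    if hdr.file_id not in user.cache:
        if hdr.creator_level > user.level:
            db.log(hdr.file_id, user.name, "read", "deny:creator_level")
            return False
        user.cache.add(hdr.file_id)
    hdr.last_reader = user.name
    db.log(hdr.file_id, user.name, "read", "allow")
    return True


def flow_decision(hdr: Header, dest_domain_level: int, receiver: User,
                  db: AuditDB) -> str:
    """Steps C1-C3 at the security gateway. C1: a file from a higher-level
    domain never flows down. C2: the same-level-domain rule, the receiver
    must be at least the creator's level. C3: forward."""
    if hdr.domain_level > dest_domain_level:
        db.log(hdr.file_id, receiver.name, "transfer", "intercept:domain_level")
        return "intercept"
    if hdr.creator_level > receiver.level:
        db.log(hdr.file_id, receiver.name, "transfer", "error:creator_level")
        return "error"
    db.log(hdr.file_id, receiver.name, "transfer", "allow")
    return "forward"


def trace(db: AuditDB, file_id: str) -> list:
    """Accountability: every recorded operation on one file ID, in order."""
    return [r for r in db.records if r[0] == file_id]
```

flow_decision() applies C1 before C2 because the domain comparison is the rule the background section attributes to national requirements (no flow from a higher-security-level domain to a lower one) and does not depend on who the receiver is; C2 is the same-level-domain rule, so a file that passes C1 is still blocked when the creator's level exceeds the receiver's. One consequence of the description's design worth checking in deployment: a file's effective classification is its creator's permission level, so a top-secret user saving a routine memo produces a file only top-secret users can open unless the permission information identifier, which the description lists but does not specify, is used to override it.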
By subdividing the creator level, the domain security level and the information classification level (file identifier), supported by the access control policy described above, the information control engine and the server together provide fine-grained access to classified information and stop classified information flowing from a higher-security-level domain to a lower one.
The present invention also provides a multilevel domain protection system based on information security level identifiers, in which a file system filter layer is embedded between the I/O manager of the operating system kernel driver framework and the file system driver layer, the file system filter layer comprising:
An authenticated-user ciphertext creation module, used, after a write I/O request packet request is received, to send a write I/O request packet request to the file system driver layer, so that a security level identifier is added to the file to be encrypted, the file is encrypted by the encryption algorithm, and it is then stored in ciphertext form;
where the encryption algorithm is recorded in the security level identifier, the security level identifier further contains a creator identifier, a file identifier and a domain security level identifier, the domain security level identifier corresponds to the domain in which the creating user resides, and the creator identifier corresponds to the permission level of the creating user;
A user ciphertext access module, comprising actively extracting the security level identifier of the ciphertext to be accessed and comparing it with the accessing user's permissions, and sending a read I/O request packet to the file system driver layer to read the ciphertext and then decrypt it only when the security level identifier matches the accessing user's permissions;
A ciphertext circulation control module, comprising:
a multilevel domain information flow control unit, used, when ciphertext circulates between domains of different levels, to intercept the ciphertext and compare, according to the access policy, whether the domain security level identifier in its security level identifier is higher than the current destination domain, blocking the ciphertext if so and otherwise releasing/forwarding it;
a same-level domain information flow control unit, used, when ciphertext circulates within a domain of the same level, to intercept the ciphertext and compare, according to the access policy, whether the creator identifier in its security level identifier is higher than the receiving user, blocking the ciphertext if so and otherwise releasing/forwarding it;
A user behaviour audit module, used to perform log auditing of user behaviour, with the file identifier in the ciphertext's security level identifier as the identity label, and to send an alarm on dangerous operations.
Preferably, the authenticated-user ciphertext creation module specifically comprises:
a communication connection unit, used to force the user, by page redirection, through SSL handshake authentication, establish a secure communication channel, connect to the server, and then hand over to the write request unit;
a write request unit, used to send a write request to the I/O manager when the client application calls the operating system file read/write function;
a write request feedback unit, used, after the write request from the write request unit is received, for the I/O manager to extract the process name, storage path, start address, data length, data to be stored and so on, build the corresponding I/O request packet, and send it to the file system filter layer;
a ciphertext creation unit, used, after the file system filter driver layer receives the packet, to actively send a write I/O request packet to the file system driver layer asking it to add the security level identifier at the header of the file to be encrypted, at the same time creating for the corresponding user a security level identifier linked list to hold that identifier, updating it to the server, and completing encryption with the algorithm named in the security level identifier;
an encrypted data handling unit, used, after the ciphertext creation unit has completed encryption, for the file system filter driver layer to send the encrypted IRP packet to the file system driver layer, so that the classified information with its security level identifier is finally stored in ciphertext form.
Preferably, the user ciphertext access module specifically comprises:
a communication connection unit, used to force the user, by page redirection, through SSL handshake authentication, establish a secure communication channel, connect to the server, and then hand over to the read request unit;
a read request unit, used to send a read request to the I/O manager when the client application calls the function interface provided by the system kernel;
a read feedback unit, used, after the read request from the read request unit is received, for the I/O manager to extract the process name, storage path, start address, data length and so on, build the corresponding I/O request packet, send it to the file system filter layer, wait for the ciphertext to be returned, and then hand over to the security level identifier acquisition unit;
a security level identifier acquisition unit, used for the filter driver layer to send a security level identifier read command to the file system driver layer and obtain the security level identifier of the file being accessed;
a classification recognition unit, used, after the security level identifier acquisition unit has obtained the ciphertext's security level identifier, to compare the file identifier in it with the user's security level identifier linked list: if already present, continue; if not, compare permissions, returning an error if the creator identifier is higher than the receiving user's permission level, and otherwise adding the file to the security level identifier linked list, synchronising it to the server, and handing over to the file system filter layer request unit;
a file system filter layer request unit, used for the file system filter driver layer to send the I/O request packet to the file system driver layer;
a file system filter layer response unit, used, after the I/O request packet from the file system filter layer request unit is received, for the file system driver layer to read the requested ciphertext and return it to the file system filter layer;
an I/O manager request unit, used, after the file system filter layer response unit returns the ciphertext, for the file system filter layer to receive it, decrypt it with the algorithm named in the security level identifier, and pass the decrypted data to the I/O manager;
an I/O manager response unit, used, after the I/O manager request unit has decrypted the ciphertext, for the I/O manager to pass the data to the client application interface, completing the read request.
Preferably, the encryption algorithm used between the modules and units of the above system is a keyed cipher, and the keys used for encryption when creating ciphertext and for decryption when accessing it are distributed by the server.
In summary, with respect to the three deficiencies of the prior art described in the background, the beneficial effects of the present invention are:
1. For the first defect, the technique adopted is that, after receiving the packet, the file system filter driver layer actively sends an IRP write request to the file system driver layer asking it to add a fixed-length security level identifier at the file header. Because the security level identifier contains a classification level, which by default is assigned automatically according to the level of the creating user, information is classified at fine granularity; combined with the read and circulation flows described above, fine-grained access is achieved, overcoming the inability of the background art to classify and control access at fine granularity.
2. For the second defect, as described above, the security level identifier contains at least three identifiers: the information classification level, the domain security level and the creator identifier. On the server, the administrator assigns user permissions according to work needs and the principle of least privilege, producing the creator identifier and the user's domain; the enterprise or classified organisation partitions its network areas by security level, and the domain management module presents them visually through the self-scanning system and a binary identifier of each domain's security level. The security level identifier is added by the file system filter driver layer and contains the file identifier, creator identifier, modifier identifier, last-reader identifier, permission information identifier, domain security level identifier, encryption algorithm and file size. Every operation on the file, including creation, reading, modification and circulation, updates the security level identifier (chiefly its last-reader identifier), and synchronising the updated content to the server audit database achieves information tracing. When an operation that would cause information leakage occurs, the classification level, domain security level and creator identifier are compared, the unauthorised operation is blocked, the operation is recorded in the audit database through the classification identifier update, and an alarm is popped up at the same time.
3. For the third defect, because the present invention tracks and controls information by identifier throughout the whole series of processes generation, access, circulation and destruction, and records this in the audit database, the records can be exported and examined when a security incident occurs, so that responsibility can be pursued.
The above are merely embodiments of the present invention and do not limit its patent scope; every equivalent structure or equivalent process transformation made using the content of the description and drawings, or direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (9)

1. A multilevel domain protection method based on information security level identification, characterised in that a file system filter layer is embedded between the I/O manager of the kernel operating system's driver framework and the file system driver layer, and the method comprises:
creating ciphertext by an authenticated user,
comprising the step of: after receiving an I/O request packet write request, sending an I/O request packet write request to the file system driver layer so as to add a security level identification to the file to be encrypted, then encrypting the file with the encryption algorithm and saving it in ciphertext form; wherein the security level identification contains a creator identification, a file identification and a domain security level identification, the domain security level identification corresponds to the domain in which the creating user is located, and the creator identification corresponds to the permission level of the creating user;
user access to ciphertext, comprising
the step of actively extracting the security level identification of the ciphertext to be accessed and comparing it with the access user's authority, and only when the security level identification matches the access user's authority, sending an I/O read request packet to the file system driver layer requesting that the ciphertext be read and then decrypted;
ciphertext circulation control, comprising
multilevel domain information flow control: when ciphertext circulates across multilevel domains, hooking the ciphertext and comparing, according to the access strategy, whether the domain security level identification in the ciphertext's security level identification is higher than that of the current circulation domain; if it is higher, the ciphertext is intercepted, otherwise the ciphertext is released/forwarded;
same-level domain information flow control: when ciphertext circulates within a single-level domain, hooking the ciphertext and comparing, according to the access strategy, whether the creator identification in the ciphertext's security level identification is higher than the receiving user; if so, the ciphertext is intercepted, otherwise the ciphertext is released/forwarded;
user behaviour audit, comprising
the step of using the file identification in the ciphertext's security level identification as the identity label for log auditing of user behaviour and for issuing warnings on risky operations.
2. The multilevel domain protection method based on information security level identification according to claim 1, characterised in that creating ciphertext by an authenticated user specifically comprises the steps of:
A1) through page redirection, forcing the user to complete handshake authentication via the SSL security mechanism, establishing a secure communication channel and connecting to the server;
A2) the user side calling the operating system's read/write information function to send a write request to the I/O manager;
A3) the I/O manager extracting the process name, storage path, start address, data length, data to be stored and the like to construct the I/O request packet corresponding to the write request, and sending this I/O request packet to the file system filter layer;
A4) after the file system filter driver layer receives the packet, actively sending a write request of an I/O request packet to the file system driver layer requesting that the security level identification be added at the file header of the file to be encrypted, at the same time creating a security level identification linked list for the corresponding user to save the above security level identification, updating the security level identification linked list to the server, and completing encryption according to the encryption algorithm in the security level identification;
A5) the file system filter driver layer sending the encrypted IRP packet to the file system driver, so that the classified information carrying the security level identification is finally saved in ciphertext form.
3. The multilevel domain protection method based on information security level identification according to claim 2, characterised in that user access to ciphertext specifically comprises the steps of:
B1) through page redirection, forcing the user to complete handshake authentication via the SSL security mechanism, establishing a secure communication channel and connecting to the server;
B2) the user-side application calling the function interface provided by the system kernel to send a read request to the I/O manager;
B3) the I/O manager extracting the process name, storage path, start address, data length and the like to construct the I/O request packet corresponding to the read request, sending this I/O request packet to the file system filter layer, and waiting for the ciphertext to be read to be returned;
B4) the filter driver layer sending a security level identification read command to the file system driver layer to obtain the security level identification of the ciphertext being accessed;
B5) comparing the file identification in the security level identification with the user's security level identification linked list; if it is already present in the linked list, continuing; if not, comparing authority: if the creator identification is higher than the receiving user's authority, returning an error, otherwise updating this ciphertext into the security level identification linked list, synchronising it to the server and continuing;
B6) the file system filter driver layer sending the I/O request packet to the file system filter layer;
B7) after receiving the data, the file system filter layer reading the ciphertext being accessed and returning it to the file system driver layer;
B8) after the file system filter layer receives the returned ciphertext, decrypting it according to the encryption algorithm in the security level identification and passing the decrypted data to the I/O manager;
B9) the I/O manager passing the decrypted data to the user-side application programming interface, completing the read request.
4. The multilevel domain protection method based on information security level identification according to claim 1, characterised in that the multilevel domain information flow control in the ciphertext circulation control further comprises the steps of:
C1) comparing the domain security level identification in the ciphertext's security level identification with the security level of the current circulation domain; if it is higher, intercepting the ciphertext, otherwise continuing;
C2) judging whether the receiving user has authority to access this ciphertext; if so, continuing, otherwise returning an error;
C3) releasing/forwarding the ciphertext.
5. The multilevel domain protection method based on information security level identification according to any one of claims 1 to 4, characterised in that the encryption algorithm uses secret-key encryption, and the keys for encryption when creating ciphertext and for decryption when accessing ciphertext are distributed by the server.
6. A multilevel domain protection system based on information security level identification, characterised in that a file system filter layer is embedded between the I/O manager of the kernel operating system's driver framework and the file system driver layer, the file system filter layer comprising:
an authenticated-user ciphertext creation module, for, after receiving an I/O request packet write request, sending an I/O request packet write request to the file system driver layer so as to add a security level identification to the file to be encrypted, then encrypting the file with the encryption algorithm and saving it in ciphertext form;
the above encryption algorithm being contained in the security level identification, which also contains a creator identification, a file identification and a domain security level identification, the domain security level identification corresponding to the domain in which the creating user is located, and the creator identification corresponding to the permission level of the creating user;
a user ciphertext access module, which actively extracts the security level identification of the ciphertext to be accessed and compares it with the access user's authority, and only when the security level identification matches the access user's authority sends an I/O read request packet to the file system driver layer requesting that the ciphertext be read and then decrypted;
a ciphertext circulation control module, comprising
a multilevel domain information flow control unit, for, when ciphertext circulates across multilevel domains, hooking the ciphertext and comparing, according to the access strategy, whether the domain security level identification in the ciphertext's security level identification is higher than that of the current circulation domain; if it is higher, the ciphertext is intercepted, otherwise the ciphertext is released/forwarded;
a same-level domain information flow control unit, for, when ciphertext circulates within a single-level domain, hooking the ciphertext and comparing, according to the access strategy, whether the creator identification in the ciphertext's security level identification is higher than the receiving user; if so, the ciphertext is intercepted, otherwise the ciphertext is released/forwarded;
a user behaviour audit module, for using the file identification in the ciphertext's security level identification as the identity label for log auditing of user behaviour and for issuing warnings on risky operations.
7. The multilevel domain protection system based on information security level identification according to claim 6, characterised in that the authenticated-user ciphertext creation module specifically comprises:
a communication connection unit, for forcing the user, through page redirection, to complete handshake authentication via the SSL security mechanism, establishing a secure communication channel, connecting to the server and then passing control to the write request unit;
a write request unit, for sending a write request to the I/O manager when the user side calls the operating system's read/write information function;
a write request feedback unit, for, after the write request from the write request unit is received, having the I/O manager extract the process name, storage path, start address, data length, data to be stored and the like to construct the I/O request packet corresponding to the write request, and send this I/O request packet to the file system filter layer;
a ciphertext creation unit, for, after the file system filter driver layer receives the packet, actively sending a write request of an I/O request packet to the file system driver layer requesting that the security level identification be added at the file header of the file to be encrypted, at the same time creating a security level identification linked list for the corresponding user to save the above security level identification, updating the security level identification linked list to the server, and completing encryption according to the encryption algorithm in the security level identification;
a ciphertext processing unit, for, after the ciphertext creation unit completes encryption, having the file system filter driver layer send the encrypted IRP packet to the file system driver, so that the classified information carrying the security level identification is finally saved in ciphertext form.
8. The multilevel domain protection system based on information security level identification according to claim 6, characterised in that the user ciphertext access module specifically comprises:
a communication connection unit, for forcing the user, through page redirection, to complete handshake authentication via the SSL security mechanism, establishing a secure communication channel, connecting to the server and then passing control to the read request unit;
a read request unit, for sending a read request to the I/O manager when the user-side application calls the function interface provided by the system kernel;
a read feedback unit, for, after the read request from the read request unit is received, having the I/O manager extract the process name, storage path, start address, data length and the like to construct the I/O request packet corresponding to the read request, send this I/O request packet to the file system filter layer, wait for the ciphertext to be read to be returned, and then pass control to the security level identification acquisition unit;
a security level identification acquisition unit, for having the filter driver layer send a security level identification read command to the file system driver layer to obtain the security level identification of the ciphertext being accessed;
a security level recognition unit, for, after the security level identification acquisition unit obtains the security level identification of the ciphertext, comparing the file identification in the security level identification with the user's security level identification linked list; if it is already present in the linked list, continuing; if not, comparing authority: if the creator identification is higher than the receiving user's authority, returning an error, otherwise updating this ciphertext into the security level identification linked list, synchronising it to the server and passing control to the file system filter layer request unit;
a file system filter layer request unit, for having the file system filter driver layer send the I/O request packet to the file system filter layer;
a file system filter layer response unit, for, after receiving the I/O request packet from the file system filter layer request unit, having the file system filter layer read the ciphertext being accessed and return it to the file system driver layer;
an I/O manager request unit, for, after the file system filter layer feedback unit returns the ciphertext, having the file system filter layer receive the returned ciphertext, decrypt it according to the encryption algorithm in the security level identification and pass the decrypted data to the I/O manager;
an I/O manager response unit, for, after the I/O manager request unit has decrypted the ciphertext, having the I/O manager pass the decrypted data to the user-side application programming interface, completing the read request.
9. The multilevel domain protection system based on information security level identification according to any one of claims 6 to 8, characterised in that the encryption algorithm uses secret-key encryption, and the keys for encryption when creating ciphertext and for decryption when accessing ciphertext are distributed by the server.
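The label carried in the file header, the read-path check of claim 3 (step B5), the two circulation controls of claims 1 and 4, and the audit record that point 2 of the description says every operation feeds, modelled in Python as an added example; this is not code from the patent or the applicant, and the header layout, the `SecurityLabel`/`User` field names and the SHA-256 XOR keystream standing in for the unspecified encryption algorithm are assumptions.

```python
# Added example, not the patent's code: a model of the security level label and
# the decision points of claims 1, 3 and 4. Layout, names and cipher are assumed.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
import hashlib
import json
import struct

MAGIC = b"SLID"  # assumed marker at the head of a labelled file
AUDIT: List[dict] = []  # stand-in for the server-side audit database

@dataclass(frozen=True)
class SecurityLabel:
    """Security level identification written at the file header (claim 2, A4)."""
    creator_id: str
    creator_level: int  # permission level of the creating user
    file_id: str
    domain_level: int   # security level of the domain the file was created in

    def pack(self) -> bytes:
        body = json.dumps(self.__dict__, sort_keys=True).encode()
        return MAGIC + struct.pack(">H", len(body)) + body

    @classmethod
    def unpack(cls, blob: bytes) -> Tuple["SecurityLabel", bytes]:
        if blob[:4] != MAGIC:
            raise ValueError("not a labelled file")
        (n,) = struct.unpack(">H", blob[4:6])
        return cls(**json.loads(blob[6:6 + n])), blob[6 + n:]

@dataclass
class User:
    user_id: str
    level: int
    label_list: Set[str] = field(default_factory=set)  # files already cleared (B5)

def audit(op: str, label: SecurityLabel, user: User, decision: str) -> None:
    """Record every decision under the file identification (claim 1, audit step)."""
    AUDIT.append({"op": op, "file": label.file_id, "user": user.user_id,
                  "decision": decision, "alert": decision != "allow"})

def _crypt(data: bytes, label: SecurityLabel, key: bytes) -> bytes:
    # Demo XOR keystream under the server-distributed key (claim 5), bound to the
    # file identification; stands in for the patent's unspecified algorithm.
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + label.file_id.encode() + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def create_ciphertext(plain: bytes, label: SecurityLabel, key: bytes) -> bytes:
    # Write path: the label goes first, then the encrypted body (claim 1).
    return label.pack() + _crypt(plain, label, key)

def may_read(label: SecurityLabel, user: User) -> bool:
    """Claim 3, B5: a listed file passes; otherwise compare creator level with user."""
    if label.file_id in user.label_list:
        return True
    if label.creator_level > user.level:
        audit("read", label, user, "deny")
        return False
    user.label_list.add(label.file_id)  # would also be synchronised to the server
    return True

def read_ciphertext(blob: bytes, user: User, key: bytes) -> Optional[bytes]:
    # Read path: the label is checked before anything is decrypted.
    label, body = SecurityLabel.unpack(blob)
    if not may_read(label, user):
        return None
    audit("read", label, user, "allow")
    return _crypt(body, label, key)

def cross_domain_flow(blob: bytes, current_domain_level: int, receiver: User) -> str:
    """Claim 4: C1 higher domain level intercepts, C2 checks the receiver's rights."""
    label, _ = SecurityLabel.unpack(blob)
    if label.domain_level > current_domain_level:
        decision = "intercept"
    elif label.creator_level > receiver.level:
        decision = "deny"
    else:
        decision = "allow"
    audit("flow-cross", label, receiver, decision)
    return decision

def same_domain_flow(blob: bytes, receiver: User) -> str:
    """Same-level domain: a creator above the receiver is intercepted, else forwarded."""
    label, _ = SecurityLabel.unpack(blob)
    decision = "intercept" if label.creator_level > receiver.level else "allow"
    audit("flow-same", label, receiver, decision)
    return decision
```

Because the label is prepended in clear and read before decryption, the flow-control units can decide on the label alone without holding the decryption key, which is what lets the circulation checks sit outside the reading user's context.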
CN201210483076.5A 2012-11-23 2012-11-23 Multi-stage domain protection method and system based on information security level identifiers Active CN102999732B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210483076.5A CN102999732B (en) 2012-11-23 2012-11-23 Multi-stage domain protection method and system based on information security level identifiers

Publications (2)

Publication Number Publication Date
CN102999732A true CN102999732A (en) 2013-03-27
CN102999732B CN102999732B (en) 2015-04-22

Family

ID=47928286

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
Address after: C District No. 89 Copper Road Software Avenue Gulou District of Fuzhou city in Fujian province 350003 Building No. 25
Patentee after: Fuchun Polytron Technologies Inc
Address before: C District No. 89 Copper Road Software Avenue Gulou District of Fuzhou city in Fujian province 350003 Building No. 25
Patentee before: Fuchun Communication Co., Ltd.