CN102999732B - Multi-stage domain protection method and system based on information security level identifiers - Google Patents

Publication number: CN102999732B (application CN201210483076.5A; earlier publication CN102999732A)
Authority: CN (China)
Prior art keywords: ciphertext, security level, level identification, file system, security
Legal status: Active (as listed by Google Patents, which notes that the status is an assumption and not a legal conclusion)
Original language: Chinese (zh)
Inventors: 林文美, 缪品章, 翁鲲鹏, 王美, 方演
Current assignee: Fuchun Polytron Technologies Inc (as listed by Google Patents)
Original assignee: FUCHUN COMMUNICATION Co Ltd
Application filed by FUCHUN COMMUNICATION Co Ltd with priority to CN201210483076.5A; published as CN102999732A and granted as CN102999732B.

Abstract

The invention provides a multi-level domain protection method and system based on information security level identifiers. Dynamic encryption and decryption of classified documents is performed on the basis of a security level identifier comprising a creator identifier, a file identifier and a domain security level identifier, which provides fine-grained access for legitimate users and addresses the information leakage threat present throughout the generation, access, circulation and destruction of information of different security levels.

Description

Multi-level domain protection method and system based on information security level identifiers
Technical field
The present invention relates to the field of computer security, and in particular to a multi-level domain protection method and system based on information security level identifiers.
Background art
The informatization of society brings convenience to everyone but also brings many security threats. For security reasons, classified networks are usually partitioned into security domains according to confidentiality level, and national regulations require robust technical measures that forbid information from flowing from a high-security-level domain into a low-security-level domain. Corporate intranets likewise hold many trade secrets whose need-to-know scope must be kept to a minimum to prevent leakage. Security domain management and information flow control based on security level identifiers are the direction and the key to solving this problem. At present no mature technology in the multi-level security domain field solves it completely, but in related fields such as trusted computer data security and file encryption, file system filter driver technology has been adopted to protect data.
For example, the Chinese invention patent with application number 200610096441.1, entitled "A computer data security protection method", discloses a scheme built on the driver framework of the Microsoft kernel operating system with a modified file system filter driver: the filter driver module is embedded between the I/O manager and the file system driver layer module; the legitimacy of the logged-in user is confirmed by the key held in an electronic key (hardware token) together with the user's login password; the I/O manager then passes data packets to the filter driver module, which performs encryption/decryption and authentication before handing them to the file system driver layer module, so that data protection is completely transparent to the legitimate user.
Shortcoming 1: that invention applies only to general computer data protection. It cannot provide fine-grained control and does not grade information by security level, so anyone holding the electronic key can access classified information of every level.
Shortcoming 2: it does not monitor or intercept information as it circulates between multi-level security domains, and provides no real-time monitoring and alarm facility to prevent leakage.
Shortcoming 3: it does not audit user behaviour, so a leakage incident cannot be investigated and accountability cannot be established.
Summary of the invention
The object of the invention is to overcome the above defects by providing a multi-level domain protection method and system based on information security level identifiers.
The object of the invention is achieved as follows.
The beneficial effect of the invention is that dynamic encryption and decryption of classified documents is performed on the basis of a security level identifier comprising a creator identifier, a file identifier and a domain security level identifier, thereby providing fine-grained access for legitimate users and addressing the leakage threat that exists throughout the generation, access, circulation and destruction of information of different security levels.
Description of the drawings
The specific structure of the invention is described in detail below with reference to the accompanying drawings.
Fig. 1 shows the system framework of the invention and its constituent modules;
Fig. 2 is a flow diagram of an authenticated user creating a ciphertext file;
Fig. 3 is a flow diagram of a user accessing a ciphertext file;
Fig. 4 is a flow diagram of ciphertext flow control.
Embodiment
The technical content, structural features, objects and effects of the invention are explained in detail below with reference to the embodiments and the drawings.
The invention provides a multi-level domain protection method based on information security level identifiers, carried out by embedding a file system filter layer between the I/O manager and the file system driver layer of the kernel operating system's driver framework, and comprising the following operations.
Creation of ciphertext by an authenticated user:
After receiving a write I/O request packet (IRP, I/O Request Packet), the filter layer sends a write IRP to the file system driver layer requesting that a security level identifier (preferably of fixed length, and most conveniently placed in the file header) be added to the file to be encrypted; the file is then encrypted with the cipher algorithm and stored on the physical disk in ciphertext form. This step achieves dynamic, transparent encryption.
The cipher algorithm is recorded in the security level identifier, which must also include at least a creator identifier, a file identifier and a domain security level identifier. The domain security level identifier corresponds to the domain in which the creating user resides, and the creator identifier corresponds to the permission level of the creating user.
The creator identifier is named with the creation time, which has the benefit that the creator identifier also fixes the file's creation time at the same time as the file identifier does.
Preferably, the security level identifier comprises a file identifier (ID), a creator identifier, a modifier identifier, a last-reader identifier, a permission information identifier, a domain security level identifier, the cipher algorithm and the file size (L). Correspondingly, when a user successfully accesses a classified document, the client updates the last-reader identifier in the security level identifier to the current user after the access, so that it can be consulted during subsequent user-behaviour auditing.
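As an added illustration (not code from the patent, which specifies no byte layout), the following Go program defines one possible fixed-length encoding of the identifier listed above, with encode, decode and the post-read last-reader update. The field widths, the "SLID" marker, the numeric ordering of the five permission levels and the sample names are assumptions.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Permission levels as assigned by the administrator at registration
// (higher value = more sensitive). The five names come from the text;
// the numeric ordering is an assumption.
const (
	Public uint8 = iota
	Sensitive
	Confidential
	Secret
	TopSecret
)

// SecurityLabel is a constructed fixed-length layout for the patent's security
// level identifier. Every field is fixed-size so encoding/binary lays it out
// byte-for-byte, which lets a filter driver prepend it to a file and read it
// back with a single fixed-length I/O.
type SecurityLabel struct {
	Magic       [4]byte  // "SLID": lets the filter recognise a protected file
	FileID      [16]byte // file identifier: the unique key for audit correlation
	Creator     [16]byte // creator identifier (the text names it by creation time)
	CreatorLvl  uint8    // creator's permission level
	Modifier    [16]byte // last modifier identifier and level
	ModifierLvl uint8
	LastReader  [16]byte // refreshed after every successful read
	LastRdrLvl  uint8
	Permissions uint16 // permission information bits (opaque here)
	DomainLevel uint8  // level of the domain the file was created in
	Cipher      uint8  // cipher algorithm selector, e.g. 1 = AES-256-CTR
	FileSize    uint64 // length L of the plaintext body
}

var (
	magic      = [4]byte{'S', 'L', 'I', 'D'}
	HeaderSize = binary.Size(SecurityLabel{}) // 83 bytes with this layout
)

// fixed pads or truncates an identifier into a 16-byte field.
func fixed(s string) (out [16]byte) {
	copy(out[:], s)
	return out
}

// Name recovers a string identifier from a zero-padded field.
func Name(b [16]byte) string { return string(bytes.TrimRight(b[:], "\x00")) }

// NewLabel builds the identifier written at file creation: creator and domain
// levels are taken from the creating user's registration, as the text says.
func NewLabel(fileID [16]byte, creator string, creatorLvl, domainLvl, cipher uint8, size uint64) SecurityLabel {
	return SecurityLabel{
		Magic: magic, FileID: fileID,
		Creator: fixed(creator), CreatorLvl: creatorLvl,
		Modifier: fixed(creator), ModifierLvl: creatorLvl,
		DomainLevel: domainLvl, Cipher: cipher, FileSize: size,
	}
}

// Encode serialises the label into exactly HeaderSize bytes.
func (l SecurityLabel) Encode() []byte {
	var buf bytes.Buffer
	_ = binary.Write(&buf, binary.BigEndian, l) // cannot fail: all fields are fixed-size
	return buf.Bytes()
}

// Decode parses a header and rejects anything that is not a well-formed label,
// so an unlabelled or truncated file never reaches the decrypt path.
func Decode(b []byte) (SecurityLabel, error) {
	var l SecurityLabel
	if len(b) < HeaderSize {
		return l, errors.New("header truncated")
	}
	if err := binary.Read(bytes.NewReader(b[:HeaderSize]), binary.BigEndian, &l); err != nil {
		return l, err
	}
	if l.Magic != magic {
		return l, errors.New("not a labelled file")
	}
	return l, nil
}

// RecordRead is the post-access update the text describes: the last-reader
// field is rewritten to the current user so the audit module can see who read it.
func RecordRead(hdr []byte, reader string, readerLvl uint8) ([]byte, error) {
	l, err := Decode(hdr)
	if err != nil {
		return nil, err
	}
	l.LastReader, l.LastRdrLvl = fixed(reader), readerLvl
	return l.Encode(), nil
}

func main() {
	// Constructed sample: a secret-level file created by alice in a secret domain, then read by bob.
	hdr := NewLabel(fixed("doc-2012-0001"), "alice@20121126", Secret, Secret, 1, 4096).Encode()
	hdr, _ = RecordRead(hdr, "bob", Confidential)
	l, _ := Decode(hdr)
	fmt.Printf("%d-byte header; creator %s (level %d); last reader %s (level %d)\n",
		len(hdr), Name(l.Creator), l.CreatorLvl, Name(l.LastReader), l.LastRdrLvl)
}
```

Because the header is plaintext metadata sitting in front of an encrypted body, a filter that trusts it for access decisions also needs it bound to the body (for example by a MAC under the server-distributed key); the layout above carries no such check, and neither does the text.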
User access to ciphertext:
When a user is about to access a ciphertext file, the file system filter layer proactively extracts the security level identifier of the target file and compares it with the access user's permissions to decide whether the user is allowed to view the file, and hence whether to send the read IRP on to the file system driver layer to read and decrypt the classified information. Only when the security level identifier and the user's permissions match does the filter layer send a read IRP to the file system driver layer to read the ciphertext and then decrypt it.
Preferably, the cipher algorithm uses key-based encryption, and the keys used for encryption when creating ciphertext and for decryption when accessing it are distributed by the server.
As described above, the invention uses the driver framework of the Microsoft kernel operating system to embed a file system filter layer, and combines it with key management located on the server and with the access control policy to form an information control engine. This engine performs dynamic, transparent encryption and decryption and fine-grained access control of classified information, and ensures that once classified information leaves the platform it cannot be opened in plaintext because the key management module is absent. The information control engine is therefore the foundation of the whole protection system.
Ciphertext flow control, comprising:
Multi-level domain information flow control: when a ciphertext file circulates between domains of different levels, the ciphertext is intercepted and, according to the access policy, the domain security level identifier in its security level identifier is compared with the level of the current destination domain; if the file's level is higher, the ciphertext is blocked, otherwise it is forwarded/released;
Same-level domain information flow control: when a ciphertext file circulates within a domain of the same level, the ciphertext is intercepted and, according to the access policy, the creator identifier in its security level identifier is compared with the receiving user's level; if the creator's level is higher, the ciphertext is blocked, otherwise it is released/forwarded.
Preferably, ciphertext flow control is enforced by interception at a security gateway.
Consequently, if a user removes a ciphertext file through an external interface such as a USB flash drive and opens it on a stand-alone machine outside this system, it cannot be opened because the server has not distributed the key. If it is copied to another domain, or to a stand-alone machine in the same domain, the domain level and the information security level identifier are checked during decryption, so an unauthorised person's attempt to open it fails.
User behaviour audit, comprising:
the step of auditing user behaviour and raising an alarm on risky operations, keyed on the file identifier in the ciphertext's security level identifier together with the user's identity identifier, so that responsibility can be traced and operations monitored in real time.
Throughout the process, user behaviour is tracked by association with the file identifier (ID); when a user reads, writes, modifies or circulates a file, the event is written to the server's audit database, and operations that could cause information leakage trigger an alarm.
Fig. 1 shows a system architecture on which the above method runs. The invention applies to a client/server (C/S) architecture in which client and server are connected over an SSL secure channel to provide fine-grained access to classified documents, security domain management and information flow control. The modules are as follows.
Domain administration module: a self-inspection scanning system identifies computers and devices, binds IP/MAC addresses, and displays the whole network architecture (PCs, servers and related equipment) in a graphical interface. It is the basis of domain management and visualises the domains of different security levels.
User authentication module: when a user registers, the administrator assigns a permission level according to the principle of least privilege, from top secret, secret, confidential, sensitive and public. When a user logs in, page redirection forces the user to complete an SSL handshake, establishing a secure communication channel. When an authenticated user reads classified information, fine-grained access is enforced according to that user's permission level.
Information control engine: using the Windows kernel driver framework and a modified file system filter driver, a file system filter layer is embedded between the I/O manager and the file system driver layer. The filter layer attaches the security level identifier to the information header, intercepts and filters the IRP packets that pass between the driver layers during reads and writes, and, together with the server's key management module, performs dynamic, transparent encryption and decryption. When a user creates a file, or is found to have read permission for it, the system creates a security-level-identifier linked list in the kernel layer to associate permissions with files, which improves read efficiency.
Log audit module: the file identifier (ID) in the security level identifier serves as the unique identity of the classified information. By correlating on this ID the system tracks the information through generation, access, circulation and destruction, forms log records, and pops up alarm windows for a user's violating operations, achieving real-time monitoring and accountability.
Key management module: the kernel completes file reads and writes through many IRP read/write commands. Because the encryption or decryption of each read or write must not change the length of the data, a symmetric cipher is required, and the keys needed for encryption and decryption are obtained from the server's key management module. The system can support multiple cipher algorithms, and the user selects the algorithm when configuring policy.
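The length requirement is met by a symmetric cipher in a random-access, length-preserving mode rather than by symmetry alone: AES-GCM is also symmetric but appends a tag, whereas CTR or XTS keep every IRP's output the same length as its input and let any (offset, length) range be decrypted on its own. The added Go example below (not the patent's code; the patent names no cipher) shows AES-256-CTR used that way for the read and write paths of the body that follows the header. The FileKey structure stands in for whatever the server's key management module distributes, and the sample body is constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// FileKey stands in for what the server's key management module would hand a
// client for one file: a 256-bit AES key and a per-file nonce. Constructed here.
type FileKey struct {
	Key   [32]byte
	Nonce [8]byte // upper 64 bits of the CTR block; the lower 64 bits count blocks
}

func NewFileKey() (FileKey, error) {
	var k FileKey
	if _, err := rand.Read(k.Key[:]); err != nil {
		return k, err
	}
	_, err := rand.Read(k.Nonce[:])
	return k, err
}

// keystreamAt returns n keystream bytes starting at plaintext byte offset off.
// CTR mode lets the filter jump straight to the block containing off, so a
// read IRP for any (offset, length) is served without touching the rest of
// the file, and the stored body is exactly as long as the plaintext.
func keystreamAt(k FileKey, off uint64, n int) ([]byte, error) {
	block, err := aes.NewCipher(k.Key[:])
	if err != nil {
		return nil, err
	}
	var iv [aes.BlockSize]byte
	copy(iv[:8], k.Nonce[:])
	binary.BigEndian.PutUint64(iv[8:], off/aes.BlockSize) // seek the counter to that block
	skip := int(off % aes.BlockSize)                      // bytes into the block
	ks := make([]byte, skip+n)
	cipher.NewCTR(block, iv[:]).XORKeyStream(ks, ks) // zeros in, keystream out
	return ks[skip:], nil
}

// Crypt encrypts or decrypts the bytes of one I/O request at file offset off
// (the same operation in CTR). len(out) == len(data) always.
func Crypt(k FileKey, off uint64, data []byte) ([]byte, error) {
	ks, err := keystreamAt(k, off, len(data))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ ks[i]
	}
	return out, nil
}

// ServeRead is the IRP_MJ_READ path: slice the requested range out of the
// ciphertext body and decrypt only that range.
func ServeRead(k FileKey, body []byte, off uint64, n int) ([]byte, error) {
	if off > uint64(len(body)) || uint64(n) > uint64(len(body))-off {
		return nil, errors.New("read past end of file")
	}
	return Crypt(k, off, body[off:off+uint64(n)])
}

// ApplyWrite is the IRP_MJ_WRITE path: encrypt the incoming data at its offset
// and splice it into the body, growing the file when the write extends it.
func ApplyWrite(k FileKey, body []byte, off uint64, data []byte) ([]byte, error) {
	enc, err := Crypt(k, off, data)
	if err != nil {
		return nil, err
	}
	end := off + uint64(len(data))
	out := make([]byte, len(body))
	if end > uint64(len(out)) {
		out = make([]byte, end)
	}
	copy(out, body)
	copy(out[off:], enc)
	return out, nil
}

func main() {
	k, _ := NewFileKey()
	plain := bytes.Repeat([]byte("classified payload. "), 20) // constructed 400-byte body
	body, _ := Crypt(k, 0, plain)                            // whole-file encrypt at creation
	got, _ := ServeRead(k, body, 37, 50)                     // random-access read IRP
	fmt.Printf("body %d bytes (plaintext %d); partial read matches: %v\n",
		len(body), len(plain), bytes.Equal(got, plain[37:87]))
}
```

Two caveats follow directly from this mode and apply to any transparent-encryption filter built this way. First, CTR provides no integrity: flipping a bit of the stored body flips the same bit of what the application reads, so the header and body need a separate MAC if the access decision is to be trusted. Second, an in-place overwrite at the same offset under the same key and nonce reuses keystream, so the XOR of the old and new ciphertext equals the XOR of the old and new plaintext; the key management module therefore has to rotate the nonce (or key) on rewrite, or the filter has to re-encrypt the file, which the text does not address.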
Embodiment
In one embodiment, creation of ciphertext by an authenticated user (see Fig. 2) comprises the steps:
A1) Page redirection (a common way of forcing authentication) forces the user to complete an SSL handshake, establishing a secure communication channel and connecting to the server;
A2) The client application (the application the user opens the classified information with, such as Word) calls the operating system's file read/write function (such as CreateFile, the function called for file I/O in the Windows framework), and an IRP_MJ_WRITE write request is sent to the I/O manager;
A3) The I/O manager builds the IRP corresponding to the write request, containing the process name, storage path, start address, data length and the data to be stored, and sends this IRP to the file system filter layer;
A4) After receiving the packet, the file system filter driver layer proactively sends a write IRP to the file system driver layer requesting that the security level identifier be added to the header of the file to be encrypted; at the same time it creates, for the corresponding user, a local security-level-identifier linked list in which the identifier is stored, uploads it to the server, and completes the encryption with the cipher algorithm named in the security level identifier;
In this step the normal write is first suspended while the filter driver layer adds the security level identifier, which is why the filter driver layer must itself send a write IRP to the file system driver layer after receiving the packet.
A5) The file system filter driver layer sends the IRP, now carrying the added security level identifier and the data encrypted with the server's cooperation, to the file system driver, and the classified information together with its security level identifier is finally stored in ciphertext form (for example by writing it to the physical disk).
An embodiment of a user accessing ciphertext (see Fig. 3) comprises the steps:
B1) Page redirection forces the user to complete an SSL handshake, establishing a secure communication channel and connecting to the server;
B2) The client application calls the function interface provided by the system kernel, and an IRP_MJ_READ read request is sent to the I/O manager;
B3) The I/O manager builds the IRP corresponding to the read request, containing the process name, storage path, start address and data length, sends it to the file system filter layer, and waits for the ciphertext to be returned;
B4) The filter driver layer sends a security-level-identifier query (IRP_QUERY_INFO) to the file system driver layer and obtains the security level identifier of the ciphertext being accessed;
B5) The file identifier in the security level identifier is looked up in the user's security-level-identifier linked list. If it is present, processing continues; if not, the permissions are compared: if the creator identifier is higher than the receiving user's permission, an error is returned, otherwise the ciphertext's identifier is added to the linked list, synchronised to the server, and processing continues;
B6) The file system filter driver layer sends the IRP on to the file system driver layer;
B7) After receiving the IRP, the file system driver layer reads the ciphertext and returns it to the file system filter layer;
B8) On receiving the returned ciphertext, the file system filter layer decrypts it with the cipher algorithm named in the security level identifier and passes the decrypted data to the I/O manager;
B9) The I/O manager passes the data to the client application interface, completing the read request.
Classified institutions and corporate intranets divide security domains of different levels according to their own confidentiality needs and, following the principle of least privilege, assign users roles and corresponding permissions. Accordingly (see Fig. 4), within ciphertext flow control, and in particular in the access policy for multi-level domain information flow control, the following steps may be included:
C1) Compare the domain security level identifier in the ciphertext's security level identifier with the security level of the current destination domain; if the ciphertext's level is higher, intercept it, otherwise continue;
C2) Determine whether the receiving user has permission to access this ciphertext; if so, continue, otherwise return an error;
C3) Release/forward the ciphertext.
By subdividing creator level, domain security level and information confidentiality level (file identifier), and applying the access control policy above through the information control engine and the server, fine-grained access to classified information is achieved and classified information is prevented from flowing from a high-security-level domain to a low-security-level domain.
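The following Go program is an added example (not from the patent) that implements the read check of step B5 above and the C1 to C3 transfer policy, together with the audit record the log audit module keeps for each decision. It assumes the five permission levels are totally ordered with top secret highest, uses a map in place of the kernel linked list, and the file and user names are constructed.

```go
package main

import "fmt"

// Level is a permission or domain level; a higher value is more sensitive.
// The five names come from the text; their numeric ordering is assumed.
type Level uint8

const (
	Public Level = iota
	Sensitive
	Confidential
	Secret
	TopSecret
)

func (l Level) String() string {
	return [...]string{"public", "sensitive", "confidential", "secret", "top-secret"}[l]
}

// Label carries the three identifier fields the access and flow rules consult.
type Label struct {
	FileID     string
	CreatorLvl Level // creator identifier: the creator's permission level
	DomainLvl  Level // domain security level the file was created in
}

// User is an authenticated principal with the level the administrator granted.
type User struct {
	Name  string
	Level Level
}

type Decision struct {
	Allow  bool
	Reason string
}

// AuditRecord is the entry the text says is written to the server audit
// database; denied operations are also raised as alarms.
type AuditRecord struct {
	FileID, User, Op, Reason string
	Allowed, Alarm           bool
}

// CheckRead is step B5: a user may decrypt a file only if the creator's level
// does not exceed the reader's. A hit in the user's identifier list (the
// linked list in the text) skips the comparison; a miss that passes is added.
func CheckRead(l Label, u User, list map[string]bool) Decision {
	if list[l.FileID] {
		return Decision{true, "file already in user's identifier list"}
	}
	if l.CreatorLvl > u.Level {
		return Decision{false, fmt.Sprintf("creator level %s exceeds reader level %s", l.CreatorLvl, u.Level)}
	}
	list[l.FileID] = true // the text also synchronises this entry to the server
	return Decision{true, "creator level within reader level"}
}

// CheckTransfer is C1..C3 for a ciphertext moving to destDomain and receiver.
// The domain comparison (no high-to-low flow) is evaluated before the
// receiver's permission, in the order the text gives. For a transfer inside
// one domain level C1 passes trivially and only the creator rule remains,
// which is the same-level case.
func CheckTransfer(l Label, destDomain Level, receiver User) Decision {
	if l.DomainLvl > destDomain { // C1: block high-to-low flow
		return Decision{false, fmt.Sprintf("file domain %s higher than destination domain %s", l.DomainLvl, destDomain)}
	}
	if l.CreatorLvl > receiver.Level { // C2: receiver lacks permission
		return Decision{false, fmt.Sprintf("creator level %s exceeds receiver level %s", l.CreatorLvl, receiver.Level)}
	}
	return Decision{true, "released"} // C3
}

// Audit turns a decision into the record the log audit module stores, keyed on
// the file identifier and the user; a refused operation raises an alarm.
func Audit(l Label, u User, op string, d Decision) AuditRecord {
	return AuditRecord{FileID: l.FileID, User: u.Name, Op: op, Reason: d.Reason, Allowed: d.Allow, Alarm: !d.Allow}
}

func main() {
	// Constructed sample: a file created by a secret-level user in a secret domain.
	doc := Label{FileID: "doc-2012-0001", CreatorLvl: Secret, DomainLvl: Secret}
	cases := []struct {
		dest Level
		to   User
	}{{Confidential, User{"dan", TopSecret}}, {Secret, User{"bob", Confidential}}, {TopSecret, User{"carol", TopSecret}}}
	for _, tc := range cases {
		fmt.Printf("%+v\n", Audit(doc, tc.to, "transfer", CheckTransfer(doc, tc.dest, tc.to)))
	}
}
```

Two properties of the rules as the text states them are worth noticing. Both comparisons key on the creator's level rather than on a classification of the content, so a document written by a top-secret-cleared user is unreadable below top secret unless its creator level is set lower at creation. And a hit in the user's identifier list bypasses the comparison, so lowering a user's level does not take effect for files already in that user's list until the list is cleared.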
The invention also provides a multi-level domain protection system based on information security level identifiers, in which a file system filter layer is embedded between the I/O manager and the file system driver layer of the kernel operating system's driver framework. The file system filter layer comprises:
a ciphertext creation module for authenticated users, which, after receiving a write IRP, sends a write IRP to the file system driver layer so that a security level identifier is added to the file to be encrypted, after which the file is encrypted with the cipher algorithm and stored in ciphertext form;
the cipher algorithm being recorded in the security level identifier, which also includes a creator identifier, a file identifier and a domain security level identifier, where the domain security level identifier corresponds to the domain in which the creating user resides and the creator identifier corresponds to the creating user's permission level;
a user ciphertext access module, which proactively extracts the security level identifier of the ciphertext to be accessed and compares it with the access user's permissions, and sends a read IRP to the file system driver layer to read and then decrypt the ciphertext only when the security level identifier and the user's permissions match;
a ciphertext flow control module, comprising:
a multi-level domain information flow control unit which, when ciphertext circulates between domains of different levels, intercepts it and, according to the access policy, compares the domain security level identifier in its security level identifier with the level of the current destination domain, blocking the ciphertext if its level is higher and otherwise releasing/forwarding it;
a same-level domain information flow control unit which, when ciphertext circulates within a domain of the same level, intercepts it and, according to the access policy, compares the creator identifier in its security level identifier with the receiving user's level, blocking the ciphertext if the creator's level is higher and otherwise releasing/forwarding it;
a user behaviour audit module, which audits user behaviour and raises alarms on risky operations, keyed on the file identifier in the ciphertext's security level identifier and the user's identity identifier.
Preferably, the ciphertext creation module for authenticated users comprises:
a communication connection unit, which by page redirection forces the user to complete an SSL handshake, establishes a secure communication channel, connects to the server and then hands over to the write request unit;
a write request unit, which sends a write request to the I/O manager when the client application calls the operating system's file read/write function;
a write request feedback unit, in which, after receiving the write request from the write request unit, the I/O manager builds the IRP containing the process name, storage path, start address, data length and data to be stored, and sends it to the file system filter layer;
a ciphertext creation unit, in which, after the file system filter driver layer receives the packet, it proactively sends a write IRP to the file system driver layer requesting that the security level identifier be added to the header of the file to be encrypted, creates for the corresponding user a security-level-identifier linked list holding the identifier, uploads it to the server, and completes encryption with the cipher algorithm named in the security level identifier;
a ciphertext handling unit, in which, after the ciphertext creation unit completes encryption, the file system filter driver layer sends the encrypted IRP to the file system driver, and the classified information with its security level identifier is finally stored in ciphertext form.
Preferably, the user ciphertext access module comprises:
a communication connection unit, which by page redirection forces the user to complete an SSL handshake, establishes a secure communication channel, connects to the server and then hands over to the read request unit;
a read request unit, which sends a read request to the I/O manager when the client application calls the function interface provided by the system kernel;
a read feedback unit, in which, after receiving the read request from the read request unit, the I/O manager builds the IRP containing the process name, storage path, start address and data length, sends it to the file system filter layer, waits for the ciphertext to be returned, and then hands over to the security level identifier acquisition unit;
a security level identifier acquisition unit, in which the filter driver layer sends a security-level-identifier query to the file system driver layer and obtains the security level identifier of the ciphertext being accessed;
a confidentiality recognition unit which, after the acquisition unit obtains the ciphertext's security level identifier, looks up the file identifier in the user's security-level-identifier linked list; if it is present, processing continues; if not, permissions are compared: if the creator identifier is higher than the receiving user's permission an error is returned, otherwise the ciphertext's identifier is added to the linked list, synchronised to the server, and control passes to the file system filter layer request unit;
a file system filter layer request unit, in which the file system filter driver layer sends the IRP to the file system driver layer;
a file system filter layer response unit, in which, after receiving the IRP from the request unit, the file system driver layer reads the ciphertext being accessed and returns it to the file system filter layer;
an I/O manager request unit, in which, after the response unit returns the ciphertext, the file system filter layer receives it, decrypts it with the cipher algorithm named in the security level identifier, and passes the decrypted data to the I/O manager;
an I/O manager response unit, in which, after the I/O manager request unit decrypts the ciphertext, the I/O manager passes the data to the client application interface, completing the read request.
Preferably, the cipher algorithm used by the modules and units of the above system is key-based, and the keys used for encryption when creating ciphertext and for decryption when accessing it are distributed by the server.
In summary, with respect to the three deficiencies of the prior art described in the background, the beneficial effects of the invention are:
1. For the first defect, the invention has the file system filter driver layer, after receiving a packet, proactively send a write IRP to the file system driver layer requesting that a fixed-length security level identifier be added to the file header. Because the identifier contains the confidentiality level, the file is automatically assigned a confidentiality level according to the creating user's level, which achieves fine-grained classification of information; combined with the read and circulation procedures described above, fine-grained access is achieved, overcoming the prior art's inability to provide fine-grained classification and access.
2. For the second defect, as stated above, the security level identifier contains at least three identifiers: the security level identifier itself, the domain security level and the creator identifier. On the server, the administrator assigns user permissions according to work needs and the principle of least privilege, producing the creator identifier and the user's domain; the enterprise or classified institution divides the network into areas according to security level, and the domain administration module uses the self-scanning system to display them graphically, identifying each domain's security level with a binary identifier. The file system filter driver layer adds the security level identifier, which contains the file identifier, creator identifier, modifier identifier, last-reader identifier, permission information identifier, domain security level identifier, cipher algorithm and file size. Every operation on the file (creation, reading, modification, circulation) updates the security level identifier (chiefly its last-reader identifier), and the updated content is synchronised to the server's audit database, achieving information tracing. By comparing the security level identifier, domain security level and creator identifier, an operation that could cause information leakage is both refused as unauthorised and recorded in the audit database through the updated confidentiality identifier, while an alarm window is popped up as a warning.
3. For the third defect, because the invention tracks and controls information by its identifier throughout generation, access, circulation and destruction and records this in the audit database, the audit trail can be extracted when a security incident occurs, enabling accountability.
The above are only embodiments of the invention and do not limit its claims; any equivalent structural or procedural transformation made using the description and drawings, or any direct or indirect application in other related technical fields, likewise falls within the scope of patent protection of the invention.

Claims (9)

1. A multilevel domain protection method based on information security level identifiers, characterized in that it is performed by embedding a file system filter layer between the I/O manager of the operating system kernel driver framework and the file system driver layer, and comprises:
creating ciphertext by an authenticated user, comprising
after receiving an I/O request packet requesting a write, sending an I/O request packet requesting the write to the file system driver layer, so that a security level identifier is added to the file to be encrypted and the file is then encrypted by a cryptographic algorithm and saved in ciphertext form; wherein the security level identifier includes a creator identifier, a file identifier and a domain security level identifier, the domain security level identifier corresponds to the domain in which the creating user is located, and the creator identifier corresponds to the permission level of the creating user;
a user accessing ciphertext, comprising
actively extracting the security level identifier of the ciphertext to be accessed and comparing it with the permissions of the accessing user, and only when the security level identifier matches the permissions of the accessing user sending an I/O request packet requesting a read to the file system driver layer, so as to read the ciphertext and then decrypt it;
ciphertext flow control, comprising
multilevel domain information flow control: when ciphertext flows between domains of different levels, hooking the ciphertext and comparing, according to the access policy, whether the domain security level identifier in the ciphertext's security level identifier is higher than the current circulation domain; if higher, intercepting the ciphertext, otherwise releasing/forwarding it;
same-level domain information flow control: when ciphertext flows within a domain of the same level, hooking the ciphertext and comparing, according to the access policy, whether the creator identifier in the ciphertext's security level identifier is higher than the receiving user; if so, intercepting the ciphertext, otherwise releasing/forwarding it;
user behaviour auditing, comprising
logging and auditing user behaviour according to the security level identifier of the ciphertext file and the user's identity identifier, and sending a warning when a risky operation is performed.
2. The multilevel domain protection method based on information security level identifiers according to claim 1, characterized in that creating ciphertext by an authenticated user specifically comprises the steps of:
A1) through page redirection, forcing the user to complete handshake authentication via the SSL security mechanism, establishing a secure communication channel and connecting to the server;
A2) the client calling the operating system's read/write information function to send a write request to the I/O manager;
A3) the I/O manager extracting the I/O request packet corresponding to the write request, whose structure includes the process name, storage path, start address, data length and data to be stored, and sending this I/O request packet to the file system filter layer;
A4) after the file system filter layer receives the packet, actively sending the write request of an I/O request packet to the file system driver layer, requesting that the security level identifier be added to the file header of the file to be encrypted; at the same time the corresponding user creates a security level identifier linked list to hold the above security level identifier, the linked list is updated to the server, and encryption is completed according to the cryptographic algorithm in the security level identifier;
A5) sending the encrypted IRP packet to the file system driver, and finally saving the classified information together with its security level identifier in ciphertext form via the file system filter layer.
3. The multilevel domain protection method based on information security level identifiers according to claim 2, characterized in that the user accessing ciphertext specifically comprises the steps of:
B1) through page redirection, forcing the user to complete handshake authentication via the SSL security mechanism, establishing a secure communication channel and connecting to the server;
B2) the client application calling the function interface provided by the system kernel to send a read request to the I/O manager;
B3) the I/O manager extracting the I/O request packet corresponding to the read request, whose structure includes the process name, storage path, start address and data length, sending this I/O request packet to the file system filter layer, and waiting for the ciphertext to be read and returned;
B4) the file system filter layer sending a security level identifier read command to the file system driver layer and obtaining the security level identifier of the ciphertext being accessed;
B5) comparing the file identifier in the security level identifier against the user's security level identifier linked list: if it is present in the linked list, continuing to the next step; if not, comparing permissions: if the creator identifier is higher than the receiving user's permission, returning an error, otherwise adding this ciphertext to the security level identifier linked list, synchronizing the list to the server and then continuing to the next step;
B6) the file system filter layer sending the I/O request packet to the file system driver layer;
B7) after the file system driver layer receives the data, reading the ciphertext being accessed and returning it to the file system filter layer;
B8) after the file system filter layer receives the returned ciphertext, decrypting it according to the cryptographic algorithm in the security level identifier and passing the decrypted data to the I/O manager;
B9) the I/O manager passing the decrypted data to the client application programming interface, completing the read request.
4. The multilevel domain protection method based on information security level identifiers according to claim 1, characterized in that in the ciphertext flow control, the multilevel domain information flow control further comprises the steps of:
C1) comparing the security level in the domain security level identifier of the ciphertext's security level identifier with the security level of the current circulation domain; if it is higher, intercepting, otherwise continuing to the next step;
C2) judging whether the receiving user has permission to access this ciphertext; if so, continuing to the next step, otherwise returning an error;
C3) releasing/forwarding the ciphertext.
5. The multilevel domain protection method based on information security level identifiers according to any one of claims 1-4, characterized in that the cryptographic algorithm uses secret-key encryption, and the keys used for encryption when creating ciphertext and for decryption when accessing ciphertext are distributed by the server.
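The file header carrying the security level identifier and the three policy decisions of claims 1, 3 and 4 (read access in step B5, multilevel domain flow in steps C1-C3, same-level domain flow), as an added example in C that is not the patent's own code. The byte layout, the field names, the fixed-size array standing in for the per-user linked list and the numeric levels are all assumptions.

```c
/* Added example (not the patent's code): the security level identifier header
 * and the policy checks of claims 1, 3 and 4. Layout and names are assumptions. */
#include <stdint.h>
#include <string.h>
/* Identifier kept in the file header (claims 1, 6): creator identifier, file
 * identifier, domain security level identifier, and the body's algorithm. */
typedef struct {
    uint8_t  creator_level;  /* permission level of the creating user */
    uint32_t file_id;        /* identifier of the file */
    uint8_t  domain_level;   /* security level of the creator's domain */
    uint8_t  cipher_id;      /* symmetric algorithm used for the body */
} sli_t;

#define SLI_MAGIC   "SLI1"
#define SLI_HDR_LEN 11       /* 4 magic + 1 + 4 + 1 + 1, big-endian file id */
/* Serialize the identifier into the header written before the ciphertext. */
void sli_pack(const sli_t *s, uint8_t out[SLI_HDR_LEN]) {
    memcpy(out, SLI_MAGIC, 4);
    out[4] = s->creator_level;
    out[5] = (uint8_t)(s->file_id >> 24); out[6] = (uint8_t)(s->file_id >> 16);
    out[7] = (uint8_t)(s->file_id >> 8);  out[8] = (uint8_t)(s->file_id);
    out[9] = s->domain_level;
    out[10] = s->cipher_id;
}

/* Parse the header read back by the filter layer (step B4): 0 on success,
 * -1 when the magic is absent, so an unlabelled file is never treated as labelled. */
int sli_unpack(const uint8_t *hdr, size_t len, sli_t *s) {
    if (len < SLI_HDR_LEN || memcmp(hdr, SLI_MAGIC, 4) != 0) return -1;
    s->creator_level = hdr[4];
    s->file_id = (uint32_t)hdr[5] << 24 | (uint32_t)hdr[6] << 16 | (uint32_t)hdr[7] << 8 | (uint32_t)hdr[8];
    s->domain_level = hdr[9];
    s->cipher_id = hdr[10];
    return 0;
}

/* The user's security level identifier list (steps A4, B5): file ids already
 * granted to the user. A fixed array stands in for the patent's linked list. */
typedef struct {
    uint8_t  level;          /* the user's permission level */
    uint32_t known[8];
    size_t   n_known;
} user_t;
static int user_knows(const user_t *u, uint32_t fid) {
    for (size_t i = 0; i < u->n_known; i++) if (u->known[i] == fid) return 1;
    return 0;
}

/* Read access (step B5): a listed file is served; otherwise the creator identifier
 * must not exceed the reader's level, and the id is then recorded. 1 allow, 0 deny. */
int sli_read_allowed(const sli_t *s, user_t *u) {
    if (user_knows(u, s->file_id)) return 1;
    if (s->creator_level > u->level) return 0;
    if (u->n_known < 8) u->known[u->n_known++] = s->file_id;  /* server sync omitted */
    return 1;
}

/* Multilevel domain flow (claim 4): intercept when the file's domain level is
 * above the destination domain (C1), then the receiver check (C2) before C3. */
int sli_flow_multilevel(const sli_t *s, uint8_t dest_level, user_t *rx) {
    if (s->domain_level > dest_level) return 0;
    return sli_read_allowed(s, rx);
}

/* Same-level domain flow (claim 1): intercept when the creator identifier is
 * above the receiving user's level, otherwise release/forward. */
int sli_flow_same_level(const sli_t *s, const user_t *rx) {
    return s->creator_level > rx->level ? 0 : 1;
}
```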
6. A multilevel domain protection system based on information security level identifiers, characterized in that a file system filter layer is embedded between the I/O manager of the operating system kernel driver framework and the file system driver layer, the file system filter layer comprising:
an authenticated-user ciphertext creation module, for, after receiving an I/O request packet requesting a write, sending an I/O request packet requesting the write to the file system driver layer, so that a security level identifier is added to the file to be encrypted and the file is then encrypted by a cryptographic algorithm and saved in ciphertext form;
the cryptographic algorithm being included in the security level identifier, which also includes a creator identifier, a file identifier and a domain security level identifier, the domain security level identifier corresponding to the domain in which the creating user is located and the creator identifier corresponding to the permission level of the creating user;
a user ciphertext access module, comprising actively extracting the security level identifier of the ciphertext to be accessed and comparing it with the permissions of the accessing user, and only when the security level identifier matches the permissions of the accessing user sending an I/O request packet requesting a read to the file system driver layer, so as to read the ciphertext and then decrypt it;
a ciphertext flow control module, comprising
a multilevel domain information flow control unit, for, when ciphertext flows between domains of different levels, hooking the ciphertext and comparing, according to the access policy, whether the domain security level identifier in the ciphertext's security level identifier is higher than the current circulation domain; if higher, intercepting the ciphertext, otherwise releasing/forwarding it;
a same-level domain information flow control unit, for, when ciphertext flows within a domain of the same level, hooking the ciphertext and comparing, according to the access policy, whether the creator identifier in the ciphertext's security level identifier is higher than the receiving user; if so, intercepting the ciphertext, otherwise releasing/forwarding it;
a user behaviour audit module, for logging and auditing user behaviour according to the security level identifier of the ciphertext file and the user's identity identifier, and sending a warning when a risky operation is performed.
7. The multilevel domain protection system based on information security level identifiers according to claim 6, characterized in that the authenticated-user ciphertext creation module specifically comprises:
a communication connection unit, for, through page redirection, forcing the user to complete handshake authentication via the SSL security mechanism, establishing a secure communication channel, connecting to the server and then handing over to the write request unit;
a write request unit, for sending a write request to the I/O manager when the client calls the operating system's read/write information function;
a write request feedback unit, for, after receiving the write request from the write request unit, having the I/O manager extract the I/O request packet corresponding to the write request, whose structure includes the process name, storage path, start address, data length and data to be stored, and send this I/O request packet to the file system filter layer;
a ciphertext creation unit, for, after the file system filter layer receives the packet, actively sending the write request of an I/O request packet to the file system driver layer, requesting that the security level identifier be added to the file header of the file to be encrypted; at the same time the corresponding user creates a security level identifier linked list to hold the above security level identifier, the linked list is updated to the server, and encryption is completed according to the cryptographic algorithm in the security level identifier;
a ciphertext handling unit, for, after the ciphertext creation unit completes encryption, sending the encrypted IRP packet to the file system driver, and finally saving the classified information together with its security level identifier in ciphertext form via the file system filter layer.
8. The multilevel domain protection system based on information security level identifiers according to claim 6, characterized in that the user ciphertext access module specifically comprises:
a communication connection unit, for, through page redirection, forcing the user to complete handshake authentication via the SSL security mechanism, establishing a secure communication channel, connecting to the server and then handing over to the read request unit;
a read request unit, for sending a read request to the I/O manager when the client application calls the function interface provided by the system kernel;
a read feedback unit, for, after receiving the read request from the read request unit, having the I/O manager extract the I/O request packet corresponding to the read request, whose structure includes the process name, storage path, start address and data length, send this I/O request packet to the file system filter layer, wait for the ciphertext to be read and returned, and then hand over to the security level identifier acquisition unit;
a security level identifier acquisition unit, for having the file system filter layer send a security level identifier read command to the file system driver layer and obtain the security level identifier of the ciphertext being accessed;
a security level recognition unit, for, after the security level identifier acquisition unit obtains the ciphertext's security level identifier, comparing the file identifier in the security level identifier against the user's security level identifier linked list: if it is present in the linked list, continuing; if not, comparing permissions: if the creator identifier is higher than the receiving user's permission, returning an error, otherwise adding this ciphertext to the security level identifier linked list, synchronizing the list to the server and then handing over to the file system filter layer request unit;
a file system filter layer request unit, for having the file system filter layer send the I/O request packet to the file system driver layer;
a file system filter layer response unit, for, after receiving the I/O request packet from the file system filter layer request unit, having the file system driver layer read the ciphertext being accessed and return it to the file system filter layer;
an I/O manager request unit, for, after the file system filter layer response unit returns the ciphertext, having the file system filter layer receive the returned ciphertext, decrypt it according to the cryptographic algorithm in the security level identifier and pass the decrypted data to the I/O manager;
an I/O manager response unit, for, after the I/O manager request unit decrypts the ciphertext, having the I/O manager pass the decrypted data to the client application programming interface and complete the read request.
9. The multilevel domain protection system based on information security level identifiers according to any one of claims 6-8, characterized in that the cryptographic algorithm uses secret-key encryption, and the keys used for encryption when creating ciphertext and for decryption when accessing ciphertext are distributed by the server.
Priority Applications (1)

Application Number: CN201210483076.5A (granted as CN102999732B)
Priority Date: 2012-11-23
Filing Date: 2012-11-23
Title: Multi-stage domain protection method and system based on information security level identifiers
Status: Active

Publications (2)

Publication Number   Publication Date
CN102999732A         2013-03-27
CN102999732B         2015-04-22

Family ID: 47928286
Country Status: CN, CN102999732B (en)


Legal Events

Code  Title / Description
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C14   Grant of patent or utility model
GR01  Patent grant
CP01  Change in the name or title of a patent holder
      Address after: C District No. 89 Copper Road Software Avenue Gulou District of Fuzhou city in Fujian province 350003 Building No. 25
      Patentee after: Fuchun Polytron Technologies Inc
      Address before: C District No. 89 Copper Road Software Avenue Gulou District of Fuzhou city in Fujian province 350003 Building No. 25
      Patentee before: Fuchun Communication Co., Ltd.