CN103763313A - File protection method and system - Google Patents

File protection method and system

Publication number: CN103763313A
Application number: CN201410004266.3A
Granted version: CN103763313B
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 黄鑫, 吴鲁加
Assignee (original and current): SHENZHEN DACHENGTIANXIA INFORMATION TECHNOLOGY Co Ltd
Legal status: granted, active
Prior art keywords: document, application, encryption, client, decryption

Abstract

The invention discloses a file protection device that resides on a client. The client runs an operating system divided into a user-space layer and a kernel layer. The file protection device comprises an encryption and decryption module and a self-protection module. The encryption and decryption module runs in the user-space layer and monitors the operations that an application on the client performs on files. When the application reads file content, the module obtains the encrypted content from the client, decrypts it, and places the decrypted content in a temporary storage space for the application to read. When the application saves file content, the module encrypts the content in the temporary storage space and stores the encrypted file. The self-protection module runs in the kernel layer and monitors the temporary storage space so that no application other than that one can access it. The invention further discloses a file protection system containing the file protection device, and a corresponding file protection method.

Description

Document protection method and system
Technical field
The present invention relates to the field of computers and the internet, and in particular to a technique for preventing document leakage.
Background
With the spread and development of computer and network technology, abundant network data resources have brought great convenience to people's lives, but also many problems. In an enterprise, for example, an employee can easily send a file containing company secrets outside the enterprise, so that the file is leaked. A scheme is therefore needed that protects documents and prevents their content from being passed outside.
Various schemes currently exist to prevent documents on a computing device from being leaked. One scheme installs special software on the computing device that blocks hardware interfaces (USB, infrared and so on) and disables network protocols (FTP, HTTP and so on) in order to stop electronic documents from being transmitted outside. This scheme has the following technical shortcomings. First, blocking hardware interfaces and disabling network protocols sacrifices the usability of the computer. Second, as computer technology develops, new technologies and new protocols appear constantly, and a scheme of this kind finds it hard to prevent, in time, the leakage of documents through a new storage medium or transport protocol.
Another scheme deploys rights management software in the network together with a dedicated reader for documents, so as to prevent electronic documents from being leaked. The scheme can set each user's permissions for handling an electronic document: some users have only read permission, others have several permissions such as read, modify and print. This both prevents files from being leaked and allows the company's accumulated knowledge and files to be shared. An administrator controls a user's permissions to read, store, copy and export documents from the moment the user downloads them, so that every user can only reach the limited set of documents within their own scope of work, preventing illegal copying, copying between users, outward distribution and copying to optical disc. Although this scheme is not affected by storage media or transport protocols, it requires the electronic document to be converted manually into the file format of the dedicated reader, which makes it cumbersome to operate. Moreover, because the user performs the format conversion by hand, it cannot prevent a user from leaking documents deliberately.
What is needed, therefore, is a document protection scheme that solves the above problems and is essentially transparent to the user.
Summary of the invention
To this end, the invention provides a new scheme that seeks to solve, or at least alleviate, the problems set out above.
According to one aspect of the invention, a document protection device is provided that resides on a client. The client has an operating system divided into a user-space layer and a kernel layer. The document protection device comprises: an encryption and decryption module, running in the user-space layer, which monitors the operations that an application on the client performs on documents; when the application reads document content, the module obtains the encrypted document content from the client and decrypts it, placing the decrypted content in a temporary storage space for the application to read, and when the application saves document content, the module encrypts the content in the temporary storage space and stores the encrypted document; and a self-protection module, running in the kernel layer, which monitors the temporary storage space to prevent any application other than that application from accessing it.
Optionally, in the document protection device according to the invention, the self-protection module also monitors the encryption and decryption module, and when the encryption and decryption module stops working the self-protection module clears the decrypted content from the temporary storage space.
Optionally, the document protection device according to the invention further comprises a rule manager, coupled to the encryption and decryption module, holding rules for which document operations the various applications may perform; when the encryption and decryption module observes an application operating on a document, it obtains from the rule manager the document operation rules associated with that application and determines whether the application may perform the operation.
Optionally, the document protection device according to the invention further comprises a client agent module, adapted to communicate with a document protection server and coupled to the encryption and decryption module, which sends the document operation records monitored by the encryption and decryption module to the document protection server. The client agent module also comprises an authentication component, adapted to authenticate the client through its communication with the document protection server; only a client that passes authentication is permitted to start the encryption and decryption module and perform document operations.
Optionally, in the document protection device according to the invention, the encryption and decryption module adds its own check information to the communication data when it communicates with the self-protection module, so that the self-protection module can determine the identity of the encryption and decryption module from that information.
According to another aspect of the invention, a document protection method is provided that is adapted to run on a client. The client has an operating system divided into a user-space layer and a kernel layer. The document protection method comprises the steps of: monitoring, in the user-space layer, the operations that an application on the client performs on documents; when the application reads document content, obtaining the encrypted document content from the client, decrypting it, and placing the decrypted content in a temporary storage space for the application to read; when the application saves document content, encrypting the content in the temporary storage space and storing the encrypted document; and monitoring the temporary storage space in the kernel layer to prevent any application other than that application from accessing it.
Optionally, the document protection method according to the invention further comprises the step of monitoring, in the kernel layer, the user-space step that monitors the application's operations on documents, and clearing the decrypted content from the temporary storage space when that user-space monitoring stops working.
Optionally, in the document protection method according to the invention, the step of monitoring the application's operations on documents in the user-space layer further comprises: when an application is observed operating on a document, obtaining the document operation rules associated with that application and determining whether the application may perform the operation.
Optionally, the document protection method according to the invention further comprises the steps of: communicating with a document protection server so that the document operation records monitored in the user-space layer are sent to the document protection server; and authenticating the client through its communication with the document protection server, permitting only a client that passes authentication to start the step of monitoring, in the user-space layer, the application's operations on documents.
According to a further aspect of the invention, a file protection system is provided comprising a document protection server and one or more clients communicatively connected to the document protection server, with a document protection device according to the invention residing on each client.
According to the document protection scheme of the invention, a document is stored in encrypted form in the storage of the computing device; when an application operates on the document, the content is decrypted into plaintext in the application layer by the encryption and decryption module only for that operation, and when the operation completes the content is encrypted again in the application layer and stored on the computing device in encrypted form. In the scheme of the invention, therefore, throughout the handling of document content in the operating system, encryption happens as early as possible and decryption as late as possible, which shortens as far as possible the path along which plaintext is reachable in storage. In addition, because the encryption and decryption module does its work in the application layer using application-layer hooking, the implementation is less complex than hooking in the kernel layer, and it avoids the frequent system crashes (blue screens) that mishandling of any detail can cause when transparent encryption is implemented in a driver.
Furthermore, in the document protection scheme of the invention, the temporary storage space holding the decrypted plaintext is guarded by the self-protection module in the kernel layer, which also ensures that the user-layer encryption and decryption module keeps working normally. This prevents the plaintext in the temporary storage space from being stolen, so the security of the scheme is essentially the same as that of a purely kernel-layer encryption scheme.
Furthermore, in the document protection scheme of the invention, the record of how the users of a computing device operate on documents through applications can be uploaded to the file protection server provided by the invention, so that administrators can audit users' document operations and generate reports on demand. When a document is leaked, the source of the leak can be traced, which further secures the documents.
Brief description of the drawings
To achieve the above and related objects, some illustrative aspects are described herein with reference to the following description and the accompanying drawings. These aspects indicate various ways in which the principles disclosed herein can be practised, and all aspects and their equivalents are intended to fall within the scope of the claimed subject matter. The above and other objects, features and advantages of the disclosure will become clearer from the following detailed description read together with the drawings. Throughout the disclosure, the same reference numeral generally refers to the same component or element.
Fig. 1 is a schematic diagram of a file protection system according to an embodiment of the invention;
Fig. 2 is a schematic diagram of a document protection device according to an embodiment of the invention; and
Fig. 3 is a flow chart of a document protection method according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure can be realised in various forms and should not be limited to the embodiments set forth here. On the contrary, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
Fig. 1 is a schematic diagram of a file protection system 100 according to an embodiment of the invention. As shown in Fig. 1, the file protection system 100 comprises a document protection server 110 and one or more clients 120-140 communicatively connected to the document protection server 110 over a network. A document protection device 200 resides on each of the clients 120-140. The clients 120-140 can be any device in the art capable of processing electronic data, including but not limited to desktop computers, notebook computers, personal digital assistants, smart mobile terminals, tablet computers and so on. The clients 120-140 normally run a modern operating system, which manages the hardware resources of the computing device. In general, a modern operating system is divided into a user-space layer and a kernel layer. The kernel layer handles the interface to each hardware component of the clients 120-140 and thereby presents a unified processing interface to the user-space layer. Broadly, the kernel layer is concerned not with questions such as user permissions but with how to interface efficiently with the various hardware, for example sending and receiving network data. The user-space layer offers the user and the client's applications services such as user management, process scheduling and memory management (functions the kernel implements and exposes through its system interfaces), which makes it convenient for applications to perform all kinds of operations on the clients 120-140. The document protection device 200 runs not only in the user-space layer: some of its components run in the kernel layer of the operating system.
The document protection server 110 communicates with each client 120-140, and in particular with the document protection device 200 on it, which ensures that documents on a client cannot be viewed, modified and so on on any other device outside the client. According to one embodiment, a client on which the document protection device 200 is not installed cannot open the documents. The document protection server 110 also comprises a log store 112. The records of every application's operations on documents, as monitored by the document protection device 200 on each client, are sent to the document protection server 110 and stored in the log store 112. When a document is found to have been leaked, the operation records stored in the log store 112 can then be used to determine on which client the leak may have occurred. Statistical analysis of the operation records stored in the log store 112 can also be used to determine the risk of a document being leaked.
Optionally, the document protection server 110 also comprises an authentication component 114, adapted to authenticate the user at each client, so that only a user who passes authentication can use the client to perform document operations.
In addition, the document protection server 110 may comprise a rule store 116, which stores the rules governing which applications different users may use to perform which document operations. For example, a general user may browse and modify Word documents with Word but may not print them; general finance staff may open and browse financial documents with an Excel spreadsheet but may not browse development documents; and the company's Chief Financial Officer has full permissions on financial documents. The document protection server 110 updates the rules stored in the rule store 116 as needed and sends them to the corresponding clients, so that the document protection device 200 can determine document operation permissions and the like from these rules.
Fig. 2 is a schematic diagram of a document protection device 200 according to an embodiment of the invention. As shown in Fig. 2, the document protection device 200 comprises an encryption and decryption module 210 and a self-protection module 220.
The encryption and decryption module 210 runs in the user-space layer of the operating system of the client 120-140 and monitors the operations that applications on the client perform on documents. When an application is about to read document content, the encryption and decryption module 210 obtains the encrypted document content from the client, for example from the client's storage, decrypts it, and places the decrypted content in a temporary storage space for the application to read. When the application is about to save document content, the encryption and decryption module 210 encrypts the content in the temporary storage space and stores the encrypted document in the client's storage.
The encryption and decryption performed by the encryption and decryption module 210 is invisible, or in other words transparent, to the application above it. When an application opens or edits a specified document, the encryption and decryption module automatically encrypts files that are not yet encrypted and automatically decrypts files that are. A document is stored in encrypted form on the client's persistent storage and exists in plaintext in the temporary storage space while an application operates on it. Once a document leaves the environment of the file protection system, applications no longer receive the automatic decryption service and cannot open it, which is what protects the document content.
The encryption and decryption module 210 needs to be closely integrated with the operating system. Broadly, such encryption and decryption techniques fall into two classes: kernel-level encryption and application-level encryption. Kernel-level encryption normally uses a file system filter driver, while application-level encryption normally uses application-level API hooking (commonly called a hook). Both take over the file I/O (read and write) operations and, by monitoring the application's reads and writes, encrypt and decrypt the document dynamically. Because these operations complete automatically underneath the application, the user notices no difference in use apart from a possible slight drop in speed.
The basic principle of encryption and decryption processing is that encryption should happen as early as possible and decryption as late as possible. Only by encrypting confidential data the moment the application produces it, and decrypting it only just before the application needs to use it, can the chance of confidential information being intercepted on the way be reduced as far as possible. On this basis, the encryption and decryption module 210 runs in the application layer of the user-space layer and uses application-level API hooking. When an application operates on a document, the encryption and decryption module 210 can use API hooks to intercept, in advance and at the application-level system APIs, operation requests including document modification, cut and paste, screenshots and printing, and so can perform the encryption and decryption of the document content ahead of time.
According to one embodiment of the invention, the encryption and decryption module 210 may use any encryption and decryption technique in the art to encrypt and decrypt documents without departing from the scope of protection of the invention.
In addition, within the encryption and decryption module 210 the encryption and decryption operations are designed to be inseparable: if encryption fails or is maliciously disabled, decryption fails at the same time, which guarantees that the encryption path cannot be bypassed on its own. This ensures that if encrypted documents can be read, every document produced is forcibly encrypted, and that if a produced document is not encrypted, no encrypted document can be read.
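The hooked read/write path and the inseparability of encryption and decryption described above, as an added example in Python that is not part of the patent or the assignee's product. The file I/O API hooks are replaced by explicit open_document()/save_document()/close_document() methods, the client's disk by a dict, and the cipher by HMAC-SHA256 in counter mode with an encrypt-then-MAC tag; that cipher, the on-disk header DPE1 and the key are constructed stand-ins, since the patent leaves the algorithm open. A single enabled switch gates both directions, so disabling encryption also disables decryption.

```python
"""Added example (not the patent's code): a user-space transparent
encryption layer in the style of encryption/decryption module 210.

Assumptions, all constructed for illustration:
  * real hook points are the process's file I/O APIs; here they are the
    open_document()/save_document()/close_document() methods;
  * the cipher is HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag,
    a stand-in for whatever cipher a product would actually use;
  * the client's disk is an in-memory dict.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"DPE1"  # constructed header marking a protected document at rest


class CryptoDisabled(Exception):
    """Raised for reads and saves alike once the module has been disabled."""


class TransparentCrypto:
    def __init__(self, key: bytes):
        self._enc_key = hashlib.sha256(b"enc" + key).digest()
        self._mac_key = hashlib.sha256(b"mac" + key).digest()
        self.enabled = True
        self.disk = {}   # path -> ciphertext bytes (encrypted at rest)
        self.temp = {}   # path -> bytearray plaintext (the temporary storage space)

    # --- cipher primitives ------------------------------------------------
    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out = bytearray()
        for ctr in range((n + 31) // 32):
            out += hmac.new(self._enc_key, nonce + struct.pack(">Q", ctr),
                            hashlib.sha256).digest()
        return bytes(out[:n])

    @staticmethod
    def _xor(data: bytes, ks: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(data, ks))

    def _gate(self) -> None:
        # One switch for both directions: killing encryption kills decryption
        # too, so the encrypt path cannot be bypassed on its own.
        if not self.enabled:
            raise CryptoDisabled("encryption/decryption module not running")

    def encrypt(self, plaintext: bytes) -> bytes:
        self._gate()
        nonce = os.urandom(16)
        body = self._xor(plaintext, self._keystream(nonce, len(plaintext)))
        tag = hmac.new(self._mac_key, MAGIC + nonce + body, hashlib.sha256).digest()
        return MAGIC + nonce + body + tag

    def decrypt(self, blob: bytes) -> bytes:
        self._gate()
        if len(blob) < 4 + 16 + 32 or blob[:4] != MAGIC:
            raise ValueError("not a protected document")
        nonce, body, tag = blob[4:20], blob[20:-32], blob[-32:]
        expect = hmac.new(self._mac_key, blob[:-32], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("tag mismatch: ciphertext was modified")
        return self._xor(body, self._keystream(nonce, len(body)))

    # --- hook points (stand-ins for the hooked file I/O APIs) ------------
    def open_document(self, path: str) -> bytes:
        """Read hook: decrypt as late as possible, straight into the temp space.
        A not-yet-encrypted file is passed through and encrypted on next save."""
        blob = self.disk[path]
        plain = self.decrypt(blob) if blob.startswith(MAGIC) else blob
        self.temp[path] = bytearray(plain)
        return bytes(self.temp[path])

    def save_document(self, path: str, content: bytes) -> None:
        """Write hook: encrypt as early as possible; only ciphertext reaches disk."""
        self.temp[path] = bytearray(content)
        self.disk[path] = self.encrypt(bytes(self.temp[path]))

    def close_document(self, path: str) -> None:
        """Zero the plaintext copy when the application is done with it."""
        buf = self.temp.pop(path, None)
        if buf is not None:
            buf[:] = bytes(len(buf))
```

Note that the module never hands the application a reference into the temp buffer: open_document() returns a copy, so the plaintext the kernel-layer guard is expected to watch stays in one known place.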
The self-protection module 220 runs in the kernel layer of the operating system. When the encryption and decryption module 210 observes an application operating on a document, it notifies the self-protection module 220 of the location of the storage space holding the plaintext document content; the self-protection module 220 can then monitor this temporary storage space and prevent any application other than that application from accessing it, ensuring that the plaintext in the temporary storage space cannot be accessed without authorisation. For example, when an unauthorised user attempts to access the plaintext in the temporary storage space through an unprotected application, the self-protection module 220 immediately determines whether that application is a protected one and, if it is not, forbids it from accessing the temporary storage space.
Furthermore, because the encryption and decryption module 210 lives in the application layer of user space, it is difficult to guarantee that its process or its threads are not forcibly terminated, or that the module itself is not forcibly removed or replaced by a malicious user. A malicious user could therefore use a kernel-driver-level tool to kill the module by force, reducing the attack resistance of the encryption and decryption system. A protection process in the kernel layer, by contrast, is hard to bypass and its attack resistance is far higher than that of the application layer. According to one embodiment of the invention, therefore, the self-protection module 220 may also monitor the encryption and decryption module 210, and when the encryption and decryption module 210 stops working for any reason, for example because it has been forcibly deleted or forcibly terminated, the self-protection module 220 immediately clears the plaintext content from the temporary storage space, preventing the document from leaking.
In this way, through the cooperation of the self-protection module 220 in the kernel layer and the encryption and decryption module 210 in the user-space layer, the basic principle of encryption and decryption processing can be realised while the security of these modules within the operating system is also guaranteed.
According to one embodiment of the invention, the self-protection module 220 is started by the encryption and decryption module 210. The encryption and decryption module 210 can send relevant information, such as the location of the temporary storage space, to the self-protection module 220. To ensure that the information the self-protection module 220 receives really comes from the encryption and decryption module 210, the encryption and decryption module 210 optionally adds its own check information to the communication data when it communicates with the self-protection module 220, so that the self-protection module 220 can determine the identity of the encryption and decryption module 210 from that information and a malicious user cannot forge the identity of the encryption and decryption module in order to control the self-protection module 220.
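The self-protection module and its authenticated control channel, as described in the four preceding paragraphs, as an added Python model that is not the patent's code. Real enforcement lives in a driver; here the kernel side is an object that records which PID owns which temporary storage range, answers access checks, and wipes every range when the user-space module stops. The "check information" is modelled as an HMAC-SHA256 tag, keyed with a secret the two modules share at install time, over the message and a sequence number. That is an assumption: the patent does not say what the check is, and the sequence number is there because a static, unkeyed check value could simply be copied and replayed by anyone who captured one message.

```python
"""Added example (not the patent's code): a model of self-protection
module 220 and of the authenticated control messages it receives from
encryption/decryption module 210.

Assumptions, all constructed for illustration:
  * the "kernel" side is an ordinary object; a real implementation sits in
    a driver and mediates access to the pages of the temp space;
  * check information = HMAC-SHA256 over the JSON-serialised message plus a
    monotonically increasing sequence number, under a shared secret;
  * applications are identified by PID, temp spaces by (start, size).
"""
import hashlib
import hmac
import json


class SelfProtection:
    """Kernel-layer guard: registers temp spaces and checks who may touch them."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._last_seq = 0
        self.spaces = {}          # space_id -> {"pid", "start", "size", "data"}
        self.module_alive = True

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def receive(self, msg: dict) -> bool:
        """Accept a control message only if its check information verifies and
        its sequence number is fresh; otherwise ignore it and return False."""
        body = json.dumps({k: v for k, v in msg.items() if k != "check"},
                          sort_keys=True).encode()
        try:
            given = bytes.fromhex(msg.get("check", ""))
        except ValueError:
            return False
        if not hmac.compare_digest(given, self._tag(body)):
            return False                      # forged or corrupted
        if msg["seq"] <= self._last_seq:
            return False                      # replay of an old message
        self._last_seq = msg["seq"]
        if msg["op"] == "register":
            self.spaces[msg["space"]] = {"pid": msg["pid"], "start": msg["start"],
                                        "size": msg["size"],
                                        "data": bytearray(msg["size"])}
        elif msg["op"] == "release":
            self._wipe(msg["space"])
        return True

    def access(self, pid: int, addr: int) -> bool:
        """May `pid` touch `addr`? Only the owning protected application may
        access a registered temp space; other memory is not our concern."""
        for sp in self.spaces.values():
            if sp["start"] <= addr < sp["start"] + sp["size"]:
                return pid == sp["pid"]
        return True

    def module_stopped(self) -> None:
        """Called when module 210 is killed or unloaded: clear all plaintext."""
        self.module_alive = False
        for space_id in list(self.spaces):
            self._wipe(space_id)

    def _wipe(self, space_id: str) -> None:
        sp = self.spaces.pop(space_id, None)
        if sp:
            sp["data"][:] = bytes(len(sp["data"]))   # zero in place


class EncDecClient:
    """User-space side: builds messages carrying the check information."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._seq = 0

    def message(self, **fields) -> dict:
        self._seq += 1
        msg = dict(fields, seq=self._seq)
        body = json.dumps(msg, sort_keys=True).encode()
        msg["check"] = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return msg
```

In a real driver the shared key itself needs protecting (a user-space process that can read it can forge messages), which is one reason the patent wants the kernel module to watch the user-space module and not merely trust its messages.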
According to one embodiment of the invention, the document protection device 200 may also comprise a rule manager 230. The rule manager 230 is coupled to the encryption and decryption module 210 and stores the rules for the document operations that the various applications may perform. For example, the rule manager 230 may maintain a list of protected applications; when the encryption and decryption module 210 observes an application performing a document read or write, it can check against the rule manager 230 whether the application is on the protected application list, and it permits the document operation only if it is. The rule manager 230 may also record the ways in which each application may operate on documents, for example that some applications may only open documents and not edit them. The encryption and decryption module 210 can control an application's document operation permissions according to the rules in the rule manager.
To communicate with the document protection server 110, the document protection device 200 optionally also comprises a client agent module 240. The agent module 240 is coupled to the encryption and decryption module 210 and communicates with the document protection server 110, so that the document operation records monitored by the encryption and decryption module 210 are sent to the document protection server 110 and stored, for example, in the log store 112; these operation records can then be analysed to determine the path of a leak and which documents may have been leaked.
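Tracing a leak through the operation records that agent module 240 uploads to log store 112, as an added Python example that is not the patent's code; it serves both the description of the log store for server 110 above and the preceding paragraph. The record layout, the client and user names, and the set of "exit" operations are constructed for illustration.

```python
"""Added example (not the patent's code): analysis over the document
operation records held in log store 112.

Two questions from the description are answered: which clients could have
been the source of a leak of a given document, and which users carry the
highest leak risk. Records and field layout are constructed."""
from collections import Counter

# Operations through which content can leave the protected environment
# (the hooked requests the description lists, minus plain open/modify).
EXIT_OPS = {"print", "copy", "screenshot"}

RECORDS = [  # constructed: (timestamp, client, user, app, document, op, allowed)
    ("2014-01-03T09:01", "c120", "alice", "Word", "plan.docx", "open", True),
    ("2014-01-03T09:05", "c120", "alice", "Word", "plan.docx", "print", False),
    ("2014-01-03T10:20", "c130", "bob", "Excel", "budget.xlsx", "open", True),
    ("2014-01-03T10:22", "c130", "bob", "Excel", "budget.xlsx", "screenshot", True),
    ("2014-01-03T11:00", "c140", "carol", "Excel", "budget.xlsx", "print", True),
    ("2014-01-03T11:30", "c130", "bob", "Excel", "budget.xlsx", "copy", True),
]


def leak_candidates(records, document):
    """Return (leaks, denied): exit operations on `document` that were allowed,
    most recent first, and exit operations that the rules refused. Only the
    first list is a possible leak path; the second signals intent."""
    leaks, denied = [], []
    for ts, client, user, app, doc, op, allowed in records:
        if doc != document or op not in EXIT_OPS:
            continue
        (leaks if allowed else denied).append((ts, client, user, op))
    leaks.sort(reverse=True)
    return leaks, denied


def risk_by_user(records):
    """Successful exit operations per user, highest first: a simple ranking of
    who moves the most protected content out of the system."""
    c = Counter(user for _, _, user, _, _, op, ok in records
                if ok and op in EXIT_OPS)
    return c.most_common()
```

A denied attempt is kept separate on purpose: if the rules refused the print, the content did not leave through that path, but repeated refusals from one user are exactly what an administrator reviewing the reports would want to see.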
The rule manager 230 may also be coupled to the client agent module 240, so that it obtains the latest rules for application operations on documents from the document protection server 110, in particular from the rule store 116, and updates the rules held in the rule manager 230.
The client agent module 240 also comprises an authentication component 242, which interacts with the authentication component 114 in the document protection server 110 to authenticate the client, and in particular the user on the client; only a client that passes authentication is permitted to start the encryption and decryption module 210 and perform document operations. In addition, the rule manager 230 obtains from the document protection server 110, via the client agent module 240, the document operation rules associated with the authenticated user. When the encryption and decryption module 210 observes an application's document operation, it can thus first determine which user is operating on the client and then, from the rules for that user in the rule manager 230, determine whether the document operation is permitted; if it is not, the operation is refused.
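The rule store 116 and rule manager 230 evaluation described in the paragraphs on server 110 and on modules 230/240, as an added Python example that is not the patent's code. The roles, users, applications and rules are constructed to mirror the three example policies the description gives (general user, finance staff, CFO); evaluation is deny-by-default, and an application not on the protected list or a user who has not authenticated gets nothing.

```python
"""Added example (not the patent's code): a rule manager in the style of
rule manager 230. All names, roles, applications and rules are constructed;
a product would receive them from rule store 116 after authentication."""
from dataclasses import dataclass, field

OPERATIONS = {"open", "read", "modify", "print", "copy", "screenshot"}


@dataclass
class Rule:
    role: str          # user role the rule applies to; "*" = any
    app: str           # application name; "*" = any
    doc_class: str     # document classification; "*" = any
    allow: frozenset   # operations this rule permits


@dataclass
class RuleManager:
    protected_apps: frozenset
    rules: list = field(default_factory=list)
    user_roles: dict = field(default_factory=dict)   # filled after authentication

    def authorize(self, user: str, app: str, doc_class: str, op: str) -> bool:
        """Deny by default: the application must be on the protected list, the
        operation must be a known hooked operation, the user must be known
        (authenticated), and some rule for the user's role must grant it."""
        if app not in self.protected_apps or op not in OPERATIONS:
            return False
        role = self.user_roles.get(user)
        if role is None:
            return False
        for r in self.rules:
            if (r.role in ("*", role) and r.app in ("*", app)
                    and r.doc_class in ("*", doc_class) and op in r.allow):
                return True
        return False


def demo_manager() -> RuleManager:
    """The three policies sketched in the description, encoded as rules."""
    return RuleManager(
        protected_apps=frozenset({"Word", "Excel"}),
        user_roles={"alice": "general", "bob": "finance", "carol": "cfo"},
        rules=[
            # general users: browse and modify Word documents, no printing
            Rule("general", "Word", "*", frozenset({"open", "read", "modify"})),
            # finance staff: open and browse financial documents in Excel only
            Rule("finance", "Excel", "financial", frozenset({"open", "read"})),
            # the CFO: every operation on financial documents
            Rule("cfo", "*", "financial", frozenset(OPERATIONS)),
        ],
    )
```

Rules are additive grants with no deny rule, which keeps evaluation order-independent; anything the grants do not cover is refused, including an operation name the hook layer has not been taught to intercept.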
According to document protection equipment 220 of the present invention; by the application layer in operating system, dispose encryption and decryption module; and dispose self-shield module at inner nuclear layer, monitor encryption and decryption module and deposit interim memory space expressly; thereby can, when guaranteeing the shortest path that clear data is deposited in whole system, can also guarantee safety and the reliability of whole document protection equipment.
Fig. 3 shows the schematic flow sheet of document protection method 300 according to an embodiment of the invention.Document protection method 300 is suitable for carrying out in the client described in Fig. 1, is particularly suited in the document protection equipment 200 shown in Fig. 2 carrying out, thereby can protects various documents in client to leak preventing.
Document protection method 300 starts from step S310.In step S310, the operation of the application of the user's space layer of the operating system of moving in client monitoring in client to document.When application is will read document content time, from client, in the memory of for example client, obtain the document content of encryption and be decrypted, decryption content is placed in interim memory space and is read for application.And when application will be stored document content, the content in interim memory space is encrypted, and the document of encryption is stored in the memory of client.
Encryption and decryption operation in step S310 is sightless for upper layer application, transparent in other words conj.or perhaps.When being applied in when opening or editing specified documents, will automatically to unencrypted file, be encrypted, the file of having encrypted is deciphered automatically.Document is stored with encrypted test mode on the permanent memory of client, and when application operating, in interim memory space, with clear-text way, exists.Once the document leaves the environment of file protection system, because application cannot obtain the service of automatic deciphering, cannot open these documents, thereby play the effect of protection document content.
Encryption and decryption action need and operating system in step S310 are combined closely.In general, this encryption and decryption technology can be divided into kernel level encryption and application layer is encrypted two classes.Kernel level adopts filter Driver on FSD technology conventionally, and application layer adopts application layer API HOOK(to be commonly called as hook conventionally) technology, its reason is all to take over file I/O (read-write) operation, the read-write operation of applying by supervision, carries out dynamic encryption and decryption to document.Because these operations all complete automatically at bottom, may be in a slight decrease except speed, user in occupation mode with there is no at ordinary times difference.
The basic principle of encryption/decryption processing is that encryption should happen as early as possible and decryption as late as possible. Only by encrypting confidential data the moment the application produces it, and decrypting it only at the moment the application needs to use it, can the window in which confidential information can be intercepted in transit be minimised. Based on this consideration, step S310 runs in the user-space layer, that is, in the application layer, and uses application-layer API hooking. When an application operates on a document, step S310 can use API hooks at the application-layer system API to intercept, ahead of time, operation requests including modifying, cutting and pasting, screen capture and printing of the document, so that the encryption/decryption processing of the document content can be carried out before the operation completes.
According to one embodiment of the invention, step S310 may use any encryption/decryption technique known in the art to encrypt and decrypt documents without departing from the scope of the invention.
In addition, in step S310 the encryption and decryption operations are designed so that they cannot be separated: if the encryption operation fails or is maliciously disabled, the decryption operation fails at the same time, which guarantees that the encryption flow cannot be bypassed on its own. This ensures that whenever encrypted documents can be read, every document produced is forcibly encrypted; and if a produced document is not encrypted, no encrypted document can be read.
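The transparent layer described in steps S310 above (decrypt on read into a temporary space, encrypt on write, both governed by a single switch so that neither direction survives without the other) can be modelled as follows. This is an added example and not code from the patent or its assignee. AES is not in the Python standard library, so sealing uses encrypt-then-MAC with an HMAC-SHA256 keystream (HMAC in counter mode) as a stand-in for whatever cipher a product would use; the header MAGIC, the in-memory storage dict and the key handling are assumptions.

```python
"""Model of the transparent encrypt/decrypt layer of step S310.

Added example, not code from the patent or its assignee. AES is not in the
Python standard library, so sealing uses encrypt-then-MAC with an HMAC-SHA256
keystream (HMAC in counter mode) as a stand-in cipher; the header MAGIC, the
in-memory "storage" dict and the key handling are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict

MAGIC = b"DCTX-ENC\x01"   # hypothetical marker identifying a protected document
NONCE_LEN = 16
TAG_LEN = 32              # SHA-256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class DocumentCryptoLayer:
    """Hooked I/O path between an application and storage; the application only ever sees plaintext."""

    def __init__(self, enc_key: bytes, mac_key: bytes, storage: Dict[str, bytes]) -> None:
        self._enc_key = enc_key
        self._mac_key = mac_key
        self._storage = storage                        # persistent store: ciphertext only
        self._temp_space: Dict[str, bytearray] = {}    # plaintext, only while a document is open
        self._enabled = True

    def disable(self) -> None:
        """One switch governs both directions, so encryption cannot be bypassed on its own."""
        self._enabled = False

    def _seal(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        body = MAGIC + nonce + _xor(plaintext, _keystream(self._enc_key, nonce, len(plaintext)))
        return body + hmac.new(self._mac_key, body, hashlib.sha256).digest()

    def _open(self, blob: bytes) -> bytes:
        if len(blob) < len(MAGIC) + NONCE_LEN + TAG_LEN or not blob.startswith(MAGIC):
            raise ValueError("not a protected document")
        body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(hmac.new(self._mac_key, body, hashlib.sha256).digest(), tag):
            raise ValueError("document tampered with or sealed under another key")
        nonce = body[len(MAGIC):len(MAGIC) + NONCE_LEN]
        ct = body[len(MAGIC) + NONCE_LEN:]
        return _xor(ct, _keystream(self._enc_key, nonce, len(ct)))

    def app_read(self, path: str) -> bytes:
        """Read hook: decrypt as late as possible, straight into the temporary space."""
        if not self._enabled:
            raise PermissionError("protection layer stopped: decryption unavailable")
        blob = self._storage[path]
        # A file without the header is a legacy plaintext file; it is encrypted on its next save.
        plaintext = self._open(blob) if blob.startswith(MAGIC) else blob
        self._temp_space[path] = bytearray(plaintext)
        return bytes(self._temp_space[path])

    def app_write(self, path: str, content: bytes) -> None:
        """Write hook: encrypt as early as possible; plaintext never reaches storage."""
        if not self._enabled:
            raise PermissionError("protection layer stopped: write refused rather than stored in clear")
        self._temp_space[path] = bytearray(content)
        self._storage[path] = self._seal(content)

    def app_close(self, path: str) -> None:
        """Zero the temporary space once the application is done with the document."""
        buf = self._temp_space.pop(path, None)
        if buf is not None:
            buf[:] = bytes(len(buf))

    def is_open(self, path: str) -> bool:
        return path in self._temp_space
```

Two points the model makes explicit. First, the coupling the text asks for ("if encryption is disabled, decryption fails too") is only as strong as the thing that gates both paths; here that is one flag inside one object, and a real deployment has to put the key material and the flag where a user-space attacker cannot reach them separately. Second, the model fails closed on writes when stopped rather than writing plaintext, which is the safer reading of the paragraph above. Neither point changes the fact, conceded later in this description, that a user-space hook can be removed by a process that never calls the hooked API, which is why the kernel-layer guard exists.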
Meanwhile, in step S320, the temporary storage space is monitored in the kernel layer to prevent any application other than this application from accessing it. When step S310 detects an application's operation on a document, it obtains the location of the storage space that holds the plaintext document content; step S320 can then monitor that temporary storage space and prevent access by any application other than this one, guaranteeing that the plaintext in the temporary storage space cannot be accessed without authorisation. For example, when an unauthorised user attempts to access the plaintext in the temporary storage space through a non-protected application, step S320 determines whether that application is a protected application; if it is not, it is immediately forbidden from accessing the temporary storage space.
In addition, because the encryption/decryption operations of step S310 run in user space, that is, in the application layer, it is hard to guarantee that their process, or the threads within it, will not be forcibly terminated, and hard to guarantee that the operation will not be forcibly removed or replaced by a malicious user. A malicious user could therefore stop the operation by force with a special kernel-driver-level tool. A guard process in the kernel layer, by contrast, is hard to bypass and resists attack far better than the application layer. Therefore, according to one embodiment of the invention, the method may also include step S330. In step S330, step S310 is monitored from the kernel layer; for example, when step S310 stops working for any reason, such as being forcibly deleted or forcibly terminated, the plaintext content in the temporary storage space is cleared immediately, preventing the document from leaking.
In this way, the cooperation between the kernel-layer monitoring mechanism and the user-space-layer encryption/decryption operations both guarantees that the basic principle of encryption/decryption processing can be realised and guarantees the security of these modules within the operating system.
According to one embodiment of the invention, the kernel-layer monitoring is started by step S310. In step S310 the relevant information, such as the location of the temporary storage space, can be sent to the kernel layer. To ensure that the information the kernel layer receives really comes from the encryption/decryption operation, optionally, when step S310 communicates with the kernel layer it adds its own check information to the communication data, so that the kernel layer can determine from this information that the requests come from step S310. This prevents a malicious user from forging the identity of the encryption/decryption operation in order to deceive the kernel layer.
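The kernel-side behaviour described in steps S320, S330 and the paragraph above (a guard that admits only the owning protected application to the temporary storage space, wipes plaintext when the user-space module dies, and accepts control requests only when they carry valid check information) can be modelled as follows. This is an added example and not the patent's or its assignee's code. It assumes the kernel module and the user-space encryption/decryption module share a secret, CTRL_KEY, provisioned out of band (for instance at driver load), that process ids are plain ints, and that the temporary storage space is a dict keyed by a fake address rather than real process memory.

```python
"""Model of the kernel-layer self-protection module: steps S320 and S330 and
the check information of claim 7.

Added example, not the patent's or its assignee's code. Assumptions: the
kernel module and the user-space encryption/decryption module share a secret
CTRL_KEY provisioned out of band (e.g. at driver load); process ids are ints;
the temporary storage space is a dict keyed by a fake address.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class TempBuffer:
    owner_pid: int      # the one protected application allowed to touch it
    data: bytearray


def attach_check(ctrl_key: bytes, msg: dict) -> dict:
    """User-space side: serialise a control message and append the check information."""
    body = json.dumps(msg, sort_keys=True)
    check = hmac.new(ctrl_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "check": check}


class KernelGuard:
    def __init__(self, ctrl_key: bytes) -> None:
        self._ctrl_key = ctrl_key
        self._last_seq = 0                           # monotonic counter: rejects replayed requests
        self._module_pid: Optional[int] = None       # pid of the user-space crypto module
        self._protected_pids: Set[int] = set()
        self._buffers: Dict[int, TempBuffer] = {}

    # Control channel: requests claiming to come from step S310.
    def handle(self, packet: dict) -> bool:
        body = packet.get("body", "")
        expected = hmac.new(self._ctrl_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, packet.get("check", "")):
            return False                             # forged identity: drop
        msg = json.loads(body)
        if msg["seq"] <= self._last_seq:
            return False                             # replay or reordering: drop
        self._last_seq = msg["seq"]
        op = msg["op"]
        if op == "register_module":
            self._module_pid = msg["pid"]
        elif op == "protect_app":
            self._protected_pids.add(msg["pid"])
        elif op == "register_buffer":
            self._buffers[msg["addr"]] = TempBuffer(msg["pid"], bytearray(msg["size"]))
        else:
            return False
        return True

    # Data path (S320): only the owning protected application may touch a buffer.
    def _authorised(self, caller_pid: int, addr: int) -> Optional[TempBuffer]:
        buf = self._buffers.get(addr)
        if buf is None or caller_pid != buf.owner_pid or caller_pid not in self._protected_pids:
            return None
        return buf

    def read(self, caller_pid: int, addr: int) -> Optional[bytes]:
        buf = self._authorised(caller_pid, addr)
        return None if buf is None else bytes(buf.data)

    def write(self, caller_pid: int, addr: int, data: bytes) -> bool:
        buf = self._authorised(caller_pid, addr)
        if buf is None or len(data) > len(buf.data):
            return False
        buf.data[:len(data)] = data
        return True

    def _wipe(self, addr: int) -> None:
        buf = self._buffers.pop(addr)
        buf.data[:] = bytes(len(buf.data))           # zero before releasing

    # S330: the crypto module is itself watched; if it dies, all plaintext is cleared at once.
    def process_exited(self, pid: int) -> int:
        """Returns the number of buffers wiped."""
        if pid == self._module_pid:
            victims = list(self._buffers)
            self._module_pid = None
        else:
            victims = [a for a, b in self._buffers.items() if b.owner_pid == pid]
        self._protected_pids.discard(pid)
        for addr in victims:
            self._wipe(addr)
        return len(victims)
```

The check information only proves anything if the secret behind it is unreachable from user space: a constant compiled into the user-space module can be lifted from the binary and used to forge requests, so a per-boot secret handed to the module by the driver, or a kernel-side check of the requesting process's image and signature, is what makes the claim 7 mechanism hold up. The sequence counter is there because a valid message that is captured and resent later (for example, an old "protect_app" request) would otherwise be accepted.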
According to one embodiment of the invention, the step in S310 of monitoring, at the user-space layer, the operations of applications on the client on documents also includes: when an application's operation on a document is detected, obtaining the document operation rules associated with that application and determining whether the application may perform that document operation. The client, and in particular the document protection device (especially the rule manager 230 of Fig. 2), stores the rules under which the various applications may perform document operations. For example, the document protection device can maintain a protected application list; when step S310 detects an application performing a document read or write operation, it can determine whether that application is on the protected application list, and allow it to perform the document operation only if it is. The document protection device can also record the manner in which each application may operate on documents; for example, some applications may only open documents and not edit them. In step S310, an application's document operation permissions can be controlled according to the rules in the rule manager.
In order to communicate with the document protection server 110, optionally, document protection method 300 also includes step S340. In step S340, the client communicates with the document protection server so that the document operation records monitored at the user-space layer are sent to the document protection server, for example to be stored in the log storage 112, so that these operation records can later be analysed to determine the path by which a document was leaked and which documents may have been leaked.
In addition, the latest rules for application operations on documents can be obtained from the document protection server 110, in particular from the rule storage 116, and the rules held in the document protection device updated accordingly.
Optionally, document protection method 300 also includes step S350. In step S350, the client is authenticated through communication with the document protection server, and only a client that passes authentication is allowed to start the operation of step S310. In step S350 the client interacts with the authentication component 114 in the document protection server 110 to authenticate the client, and in particular the user on the client, and only a client that passes authentication is allowed to perform document operations. In addition, the document operation rules associated with the authenticated user can be obtained from the document protection server 110. Then, in step S310, when an application's document operation is detected, the user operating on the client can first be determined, and whether the document operation is permitted can be decided according to the rules associated with that user; if it is not permitted, the operation is refused.
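The rule manager, the operation log upload of step S340 and the client authentication of step S350 (described in the three preceding paragraphs and in claims 3 to 6) fit together as follows. This is an added example and not the patent's or its assignee's code. It assumes the server authenticates a user by HMAC challenge-response over a per-user key it already holds, that rules are plain sets of operation names keyed by executable name (the protected application list) and by user, that the network is a direct method call, and that the log store is a list.

```python
"""Model of the rule manager, operation logging and client authentication:
steps S310, S340 and S350 and claims 3 to 6.

Added example, not the patent's or its assignee's code. Assumptions: the
server authenticates a user by HMAC challenge-response over a per-user key it
already holds; rules are sets of operation names keyed by executable name
(the protected application list) and by user; the "network" is a direct
method call; the log store is a list.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

LEAK_OPS = {"print", "copy", "screenshot", "export"}   # operations that move content out


@dataclass(frozen=True)
class OpRecord:
    user: str
    app: str
    op: str
    doc: str
    allowed: bool


class ProtectionServer:
    """Stand-in for document protection server 110 (authentication 114, rule store 116, log store 112)."""

    def __init__(self, user_keys: Dict[str, bytes], app_rules: Dict[str, Set[str]],
                 user_rules: Dict[str, Set[str]]) -> None:
        self._user_keys = user_keys
        self._app_rules = app_rules       # protected application list with permitted operations
        self._user_rules = user_rules     # per-user permitted operations
        self._challenges: Dict[str, bytes] = {}
        self.logs: List[OpRecord] = []

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._challenges[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> Optional[dict]:
        """Returns the rules for this user on success, None otherwise."""
        nonce = self._challenges.pop(user, None)   # single use: a replayed response fails
        key = self._user_keys.get(user)
        if nonce is None or key is None:
            return None
        if not hmac.compare_digest(hmac.new(key, nonce, hashlib.sha256).digest(), response):
            return None
        return {"apps": dict(self._app_rules), "user": set(self._user_rules.get(user, set()))}

    def upload(self, records: List[OpRecord]) -> None:
        self.logs.extend(records)


class ClientAgent:
    """Client agent module: authenticates, holds the rules, decides, and reports."""

    def __init__(self, server: ProtectionServer) -> None:
        self._server = server
        self.user: Optional[str] = None
        self._rules: Optional[dict] = None
        self._pending: List[OpRecord] = []

    def login(self, user: str, user_key: bytes) -> bool:
        nonce = self._server.challenge(user)
        rules = self._server.verify(user, hmac.new(user_key, nonce, hashlib.sha256).digest())
        if rules is None:
            return False
        self.user, self._rules = user, rules
        return True

    def check(self, app: str, op: str, doc: str) -> bool:
        """Decision taken at the hook before the operation proceeds (S310)."""
        if self._rules is None:
            allowed = False                          # S350: nothing is permitted before authentication
        else:
            allowed = (op in self._rules["apps"].get(app, set())    # app is protected and may do op
                       and op in self._rules["user"])               # and so may this user
        self._pending.append(OpRecord(self.user or "<unauthenticated>", app, op, doc, allowed))
        return allowed

    def flush(self) -> int:
        """S340: ship the operation records to the server's log store."""
        count = len(self._pending)
        self._server.upload(self._pending)
        self._pending = []
        return count


def leak_path(server: ProtectionServer, doc: str) -> List[OpRecord]:
    """Follow-up analysis: which (attempted) operations could have carried this document out."""
    return [r for r in server.logs if r.doc == doc and r.op in LEAK_OPS]
```

Denied attempts are logged as well as permitted ones, because a refused print or copy of a document is exactly the record the leak analysis in step S340 wants to see. The decision itself is taken on the client, so a user with administrative rights on that client can tamper with the locally held rules; the server-side copy of the rules and of the log is what an investigator should treat as authoritative.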
According to document protection method 300 of the invention, the encryption/decryption operations are performed in the application layer of the operating system, and the kernel layer monitors both those operations and the temporary storage space holding the plaintext. This keeps the path along which plaintext data resides in the whole system as short as possible while also guaranteeing the security and reliability of the whole document protection device.
Numerous specific details are set out in the specification provided herein. It will be understood, however, that embodiments of the invention can be practised without these specific details. In some instances well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
B10. The document protection method of B8 or B9, wherein the step of monitoring, at the user-space layer, the operations of applications on the client on documents further comprises: when an application's operation on a document is detected, obtaining the document operation rules associated with that application and determining whether the application may perform that document operation. B11. The document protection method of any one of B8 to B10, further comprising the step of communicating with a document protection server so as to send the document operation records monitored at the user-space layer to the document protection server. B12. The document protection method of B11, further comprising the step of authenticating the client through communication with the document protection server, and allowing only a client that passes authentication to start the step of monitoring, at the user-space layer, the operations of applications on the client on documents.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all the features of a single disclosed embodiment. The claims following the detailed description are therefore hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules, units or components of the devices in the examples disclosed herein can be arranged in a device as described in that embodiment, or alternatively can be located in one or more devices different from the device in that example. The modules in the foregoing examples can be combined into one module or, in addition, divided into a plurality of sub-modules.
Those skilled in the art will appreciate that the modules in the devices of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components in an embodiment can be combined into one module, unit or component, and can moreover be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include some features but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
Furthermore, some of the embodiments described herein are described as methods, or combinations of method elements, that can be implemented by a processor of a computer system or by other means for carrying out the described function. A processor holding the instructions necessary to carry out such a method or method element therefore forms a means for carrying out that method or method element. Moreover, an element of a device embodiment described herein is an example of a means for carrying out the function performed by that element for the purpose of carrying out the invention.
As used herein, unless otherwise specified, the use of the ordinals "first", "second", "third", etc. to describe a common object merely indicates that different instances of like objects are being referred to, and is not intended to imply that the objects so described must be in a given sequence, whether temporally, spatially, in ranking, or in any other manner.
Although the invention has been described in terms of a limited number of embodiments, those skilled in the art, having the benefit of the above description, will appreciate that other embodiments can be devised within the scope of the invention as described. Moreover, it should be noted that the language used in this specification has been principally selected for readability and instructional purposes, and not to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those skilled in the art without departing from the scope and spirit of the appended claims. As for the scope of the invention, the disclosure of the invention is illustrative and not restrictive, and the scope of the invention is defined by the appended claims.

Claims (10)

1. A document protection device residing on a client, the client having an operating system divided into a user-space layer and a kernel layer, the document protection device comprising:
an encryption/decryption module, running in the user-space layer, which monitors the operations of applications on the client on documents; when an application reads document content, it obtains the encrypted document content from the client, decrypts it, and places the decrypted content in a temporary storage space for the application to read; when the application stores document content, it encrypts the content in the temporary storage space and stores the encrypted document; and
a self-protection module, running in the kernel layer, which monitors the temporary storage space to prevent applications other than said application from accessing the temporary storage space.
2. The document protection device of claim 1, wherein the self-protection module also monitors the encryption/decryption module, and when the encryption/decryption module stops working, the self-protection module clears the decrypted content in the temporary storage space.
3. The document protection device of claim 1 or 2, further comprising a rule manager coupled to the encryption/decryption module and containing rules under which various applications may perform various document operations; and
wherein the encryption/decryption module, when it detects an application's operation on a document, obtains the document operation rules associated with that application from the rule manager and determines whether the application may perform that document operation.
4. The document protection device of any one of claims 1 to 3, further comprising a client agent module adapted to communicate with a document protection server and coupled to the encryption/decryption module, so as to send the document operation records monitored by the encryption/decryption module to the document protection server.
5. The document protection device of claim 4, wherein the client agent module further comprises an authentication component adapted to authenticate the client through communication with the document protection server, and to allow only a client that passes authentication to start the encryption/decryption module and perform document operations.
6. The document protection device of claim 5, wherein the client agent module also obtains from the document protection server the document operation rules associated with this client and stores them in the rule manager.
7. The document protection device of any one of claims 1 to 6, wherein the encryption/decryption module, when communicating with the self-protection module, adds its own check information to the communication data so that the self-protection module can determine the identity of the encryption/decryption module from that information.
8. A document protection method adapted to run on a client, the client having an operating system divided into a user-space layer and a kernel layer, the document protection method comprising the steps of:
monitoring, at the user-space layer, the operations of applications on the client on documents; when an application reads document content, obtaining the encrypted document content from the client, decrypting it, and placing the decrypted content in a temporary storage space for the application to read; when the application stores document content, encrypting the content in the temporary storage space and storing the encrypted document; and
monitoring the temporary storage space in the kernel layer to prevent applications other than said application from accessing the temporary storage space.
9. The document protection method of claim 8, further comprising the step of monitoring, in the kernel layer, the step of monitoring applications' operations on documents at the user-space layer, and, when that user-space-layer monitoring operation stops working, clearing the decrypted content in the temporary storage space.
10. A file protection system comprising:
a document protection server; and
one or more clients communicatively connected to the document protection server, each client having residing on it a document protection device according to any one of claims 1 to 7.
CN201410004266.3A 2014-01-03 2014-01-03 File protection method and system Active CN103763313B (en)

Publications (2)

Publication Number Publication Date
CN103763313A true CN103763313A (en) 2014-04-30
CN103763313B CN103763313B (en) 2017-05-10
