CN103763313B - File protection method and system - Google Patents


Info

Publication number
CN103763313B
CN103763313B (application CN201410004266.3A)
Authority
CN
China
Prior art keywords
document
encryption
application
client
decryption
Prior art date
Legal status (as listed by Google Patents; not a legal conclusion)
Active
Application number
CN201410004266.3A
Other languages
Chinese (zh)
Other versions
CN103763313A (en)
Inventor
黄鑫
吴鲁加
Current Assignee (as listed by Google Patents; may be inaccurate)
SHENZHEN DACHENGTIANXIA INFORMATION TECHNOLOGY Co Ltd
Original Assignee
SHENZHEN DACHENGTIANXIA INFORMATION TECHNOLOGY Co Ltd
Priority date (as listed by Google Patents; not a legal conclusion)
Filing date
Publication date
Application filed by SHENZHEN DACHENGTIANXIA INFORMATION TECHNOLOGY Co Ltd
Priority to CN201410004266.3A
Publication of CN103763313A
Application granted
Publication of CN103763313B
Legal status: Active

Abstract

The invention discloses a file protection device that resides on a client. The client runs an operating system that is divided into a user-space layer and a kernel layer. The file protection device comprises an encryption/decryption module and a self-protection module. The encryption/decryption module runs in the user-space layer and monitors the operations that applications on the client perform on files. When an application reads file content, the encryption/decryption module obtains the encrypted file content from the client, decrypts it, and places the decrypted content in a temporary storage space for the application to read. When the application saves file content, the encryption/decryption module encrypts the content in the temporary storage space and stores the encrypted file. The self-protection module runs in the kernel layer and monitors the temporary storage space so that applications other than the one operating on the file are prevented from accessing it. The invention further discloses a file protection system containing the file protection device and a corresponding file protection method.

Description

Document protection method and system
Technical field
The present invention relates to the field of computers and the Internet, and more particularly to a technique for preventing documents from being leaked.
Background technology
With the popularization and development of computer and network technology, abundant network data resources have brought great convenience to people's lives, but they have also brought many problems. In an enterprise, for example, an employee can easily send a file containing company secrets outside the enterprise, so that the file is leaked. A scheme is therefore needed that can protect documents and prevent their contents from being transmitted outside.
Various schemes have been proposed to prevent documents on a computing device from being leaked. One scheme installs special software on the computing device to block hardware interfaces (such as USB or infrared interfaces) and to close network protocols (FTP, HTTP and so on), so that electronic documents cannot be transmitted outside. This scheme has technical shortcomings. First, blocking hardware interfaces and closing network protocols sacrifices the usability of the computer. Second, as computer technology develops, new technologies and new protocols appear continually, and a scheme of this kind can hardly prevent leakage of documents through a new storage medium or a new transfer protocol at the moment it appears.
Another scheme deploys rights-management software in the network and provides a dedicated reader for opening documents, so as to prevent electronic documents from being leaked. This scheme can set the rights a user has over an electronic document: some users possess only the right to read, while others possess rights to read, modify, print and so on. This both prevents files from being leaked and allows the enterprise's intellectual property to be accumulated and shared. From the moment a user downloads a document, the administrator controls that user's rights to read, store, copy and output it, so that each user can only touch the limited set of documents within their own scope of business, and illegal copying between users, external copying, distribution and burning to disc are prevented. Although this scheme is not affected by storage media or transfer protocols, it requires each electronic document to be manually converted into the dedicated reader's file format after it is produced, which is cumbersome. In addition, because the user performs the format conversion manually, this approach cannot prevent a user from leaking a document deliberately.
A document protection scheme is therefore required that solves the above problems and is essentially transparent to the user.
Summary of the invention
To this end, the present invention provides a new scheme in an effort to solve, or at least alleviate, the above problems.
According to one aspect of the invention, a document protection device is provided that resides on a client. The client has an operating system that is divided into a user-space layer and a kernel layer. The document protection device includes: an encryption/decryption module, which runs in the user-space layer and monitors the operations that applications on the client perform on documents; when an application reads document content, the module obtains the encrypted document content from the client and decrypts it, placing the decrypted content in a temporary storage space for the application to read; when the application saves document content, the module encrypts the content in the temporary storage space and stores the encrypted document; and a self-protection module, which runs in the kernel layer and monitors the temporary storage space so as to prevent applications other than that application from accessing it.
Optionally, in the document protection device of the invention, the self-protection module also monitors the encryption/decryption module, and when the encryption/decryption module stops working, the self-protection module clears the decrypted content from the temporary storage space.
Optionally, the document protection device of the invention further includes a rule manager coupled to the encryption/decryption module, which holds the rules under which various applications may perform various document operations; when the encryption/decryption module observes an application operating on a document, it obtains from the rule manager the document-operation rules associated with that application and determines whether the application may perform the operation.
Optionally, the document protection device of the invention further includes a client agent module, adapted to communicate with a document protection server and coupled to the encryption/decryption module, which sends the document-operation records observed by the encryption/decryption module to the document protection server. The client agent module also includes an authentication component, adapted to authenticate the client through communication with the document protection server, and only a client that passes authentication is allowed to start the encryption/decryption module and perform document operations.
Optionally, in the document protection device of the invention, when the encryption/decryption module communicates with the self-protection module it adds its own check information to the communication data, so that the self-protection module can determine the identity of the encryption/decryption module from that information.
According to another aspect of the invention, a document protection method is provided that is adapted to run on a client. The client has an operating system that is divided into a user-space layer and a kernel layer. The method includes the steps of: monitoring, in the user-space layer, the operations that applications on the client perform on documents; when an application reads document content, obtaining the encrypted document content from the client and decrypting it, and placing the decrypted content in a temporary storage space for the application to read; when the application saves document content, encrypting the content in the temporary storage space and storing the encrypted document; and monitoring the temporary storage space in the kernel layer to prevent applications other than that application from accessing it.
Optionally, the document protection method of the invention further includes the step of monitoring, in the kernel layer, the user-space step that monitors application operations on documents, and clearing the decrypted content from the temporary storage space when that user-space monitoring stops working.
Optionally, in the document protection method of the invention, the step of monitoring, in the user-space layer, the operations that applications on the client perform on documents further includes: when an operation on a document is observed, obtaining the document-operation rules associated with the application and determining whether the application may perform that operation.
Optionally, the document protection method of the invention further includes the steps of: communicating with a document protection server so as to send the document-operation records observed in the user-space layer to the document protection server; and authenticating the client through communication with the document protection server, so that only a client that passes authentication is allowed to start the step of monitoring, in the user-space layer, the operations that applications on the client perform on documents.
According to yet another aspect of the invention, a document protection system is provided that includes a document protection server and one or more clients communicatively connected to the document protection server, each client running the document protection device according to the invention.
According to the document protection scheme of the invention, a document is stored in the memory of the computing device in encrypted form. Only when an application performs an operation on the document does the encryption/decryption module, in the application layer, decrypt it into plaintext for the application to operate on, and when the application finishes, the document content is encrypted again in the application layer and stored on the computing device in encrypted form. Thus, throughout the processing of the document content in the operating system, it is decrypted as late as possible and encrypted as early as possible, which shortens as far as possible the path along which plaintext can be reached in storage. Furthermore, because the encryption/decryption module is implemented with application-layer hooking (HOOK) technology, compared with hooking in the kernel layer it reduces the complexity of the implementation and avoids the frequent system crashes (blue screens) that occur in driver-level transparent file encryption implementations when any detail is handled improperly.
In addition, in the document protection scheme of the invention, the temporary storage space holding the decrypted plaintext is guarded by the self-protection module in the kernel layer, and the same module also ensures that the user-layer encryption/decryption module keeps working normally, so that the plaintext in the temporary storage space cannot be stolen maliciously. The scheme therefore claims security essentially the same as that of a purely kernel-layer encryption/decryption scheme.
Furthermore, in the document protection scheme of the invention, the records of the operations that a user's applications perform on documents on a computing device can be uploaded to the document protection server provided by the invention. Administrators can therefore generate reports on demand to audit users' document operations, so that when a document is leaked, the source of the leak can be traced, which further ensures the security of the documents.
Brief description of the drawings
To achieve the above and related purposes, certain illustrative aspects are described herein in conjunction with the following description and the accompanying drawings. These aspects indicate various ways in which the principles disclosed herein may be practised, and all aspects and their equivalents are intended to fall within the scope of the claimed subject matter. The above and other objects, features and advantages of the disclosure will become more apparent from the following detailed description read in conjunction with the drawings. Throughout the disclosure, like reference numerals generally refer to like parts or elements.
Fig. 1 shows a schematic diagram of a document protection system according to an embodiment of the invention;
Fig. 2 shows a schematic diagram of a document protection device according to an embodiment of the invention; and
Fig. 3 shows a schematic flow chart of a document protection method according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Fig. 1 shows a schematic diagram of a document protection system 100 according to an embodiment of the invention. As shown in Fig. 1, the document protection system 100 includes a document protection server 110 and one or more clients 120-140 communicatively connected to the document protection server 110 through a network. A document protection device 200 resides on each of the clients 120-140. The clients 120-140 may be any device in the art capable of processing electronic data, including but not limited to desktop computers, notebook computers, personal digital assistants, smart mobile terminals, tablet computers and so on. The clients 120-140 generally run a modern operating system, which manages the hardware resources of the computing device. In general, a modern operating system can be divided into a user-space layer and a kernel layer. The kernel layer handles the interfaces to the individual hardware components of the clients 120-140 and provides a unified processing interface to the user-space layer. As a rule, the kernel layer is not concerned with matters such as user rights but with how to interface efficiently with the various hardware, for example sending and receiving network data. The user-space layer exposes to users and applications on the client functions such as user management, process scheduling and memory management, so that the various applications can run conveniently on the clients 120-140. The document protection device 200 runs not only in the user-space layer; some of its parts run in the kernel layer of the operating system.
The document protection server 110 communicates with each client 120-140, and in particular with the document protection device 200 on each client, so as to guarantee that the documents on a client cannot be viewed, modified and so on from other devices outside the client. According to one embodiment, a client on which the document protection device 200 is not installed cannot open the documents at all. The document protection server 110 also includes a log memory 112. The records of every application's operations on documents, as monitored by the document protection device 200 on each client, are sent to the document protection server 110 and stored in the log memory 112. Thus, when a document is found to have been leaked, it can be determined from the operation records in the log memory 112 which client is likely to have leaked it. Statistical analysis of the operation records stored in the log memory 112 can also be carried out to determine the risk of a document being leaked.
Optionally, the document protection server 110 also includes an authentication component 114, adapted to authenticate the user at each client, so as to ensure that only authenticated users can perform document operations using the client.
In addition, the document protection server 110 may also include a rule memory 116 that stores the rules under which different users may use various applications to perform document operations. For example, an ordinary user may use the Word word processor to view and modify Word documents but may not print them; an ordinary member of the finance staff may use the Excel spreadsheet software to open and browse financial documents but may not browse development documents; and the company's chief financial officer has full rights over financial documents. The document protection server 110 can update the rules stored in the rule memory 116 as needed and send them to the corresponding clients, so that the document protection device 200 can determine the rights for document operations according to those rules.
Fig. 2 shows a schematic diagram of a document protection device 200 according to an embodiment of the invention. As shown in Fig. 2, the document protection device 200 includes an encryption/decryption module 210 and a self-protection module 220.
The encryption/decryption module 210 runs in the user-space layer of the operating system of the client 120-140 and monitors the operations that applications on the client perform on documents. When an application is about to read document content, the encryption/decryption module 210 obtains the encrypted document content from the client, for example from the client's memory, decrypts it, and places the decrypted content in a temporary storage space for the application to read. When the application wants to save document content, the encryption/decryption module 210 encrypts the content in the temporary storage space and stores the encrypted document in the client's memory.
The encryption and decryption performed by the encryption/decryption module 210 are invisible, or in other words transparent, to the upper-layer application. When an application opens or edits a specified document, the encryption/decryption module automatically encrypts files that are not yet encrypted and automatically decrypts files that are. Documents are stored on the client's permanent storage in encrypted form and exist in plaintext in the temporary storage space only while an application operates on them. Once a document leaves the environment of the document protection system, applications cannot obtain the automatic decryption service and therefore cannot open it, which protects the document content.
The encryption/decryption module 210 needs to be closely integrated with the operating system. In general, such encryption/decryption techniques fall into two classes: kernel-level encryption and application-level encryption. Kernel-level encryption generally uses file-system filter-driver technology, while application-level encryption generally uses application-layer API hooking (commonly called HOOK). The principle of both is to take over file I/O (read and write) operations and, by monitoring the read and write operations of applications, encrypt and decrypt documents dynamically. Because these operations are all performed automatically at a lower layer, apart from a possible slight reduction in speed the user experiences no difference from normal use.
One basic principle of encryption and decryption process is that encryption opportunity should be as early as possible, and decryption opportunity should be as late as possible.Only Have and just encrypted immediately when application just produces confidential data, and until application needs just to be decrypted using the eve of data It, could farthest reduce the possibility that confidential information is intercepted.Based on above-mentioned consideration, encryption/decryption module 210 with Family space layer is to run in application layer, and using application layer APIHOOK technology.When various applications are operated to document, plus Deciphering module 210 can be intercepted and captured in advance at system API of application layer using API HOOK change, clip and paste including document, screenshotss, The operation requests such as printing, the encryption and decryption such that it is able to fulfil document content ahead of schedule is processed.
According to an embodiment of the invention, the encryption/decryption module 210 may use any encryption/decryption technique in the art to perform the document encryption and decryption operations without departing from the scope of protection of the invention.
In addition, within the encryption/decryption module 210 the encryption and decryption operations are designed to be inseparable: if the encryption operation fails or is maliciously disabled, the decryption operation fails at the same time, which ensures that the encryption flow cannot be bypassed on its own. This guarantees that if encrypted documents can be read, every document produced is forcibly encrypted; and if a document produced is not encrypted, no encrypted document can be read.
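The behaviour of the user-space encryption/decryption module described in the preceding paragraphs, as an added example that is not part of the patent: a Python model in which a document rests encrypted, is decrypted into a temporary buffer only when read, is re-encrypted and its plaintext buffer wiped on close, and in which encryption and decryption share a single switch so that disabling the encrypt path also disables the decrypt path. The cipher (an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag), the key and the file names are stand-ins chosen for the example; the patent leaves the algorithm open, and a real module would be invoked from hooks on the application's file API rather than called directly as here.

```python
"""Model of encryption/decryption module 210: encrypt early, decrypt late,
and never allow one half of the pair to run without the other."""
import hashlib
import hmac
import os
import struct


class CryptoDisabled(Exception):
    """Raised when the encrypt/decrypt pair has been disabled as a unit."""


def _keystream(key, nonce, length):
    # HMAC-SHA256 used as a PRF in counter mode. Stand-in for a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class EncryptionDecryptionModule:
    NONCE_LEN = 16
    TAG_LEN = 32

    def __init__(self, key):
        # Separate keys for confidentiality and integrity, derived from one secret.
        self._enc_key = hashlib.sha256(b"enc" + key).digest()
        self._mac_key = hashlib.sha256(b"mac" + key).digest()
        self.disk = {}        # path -> ciphertext blob (the client's permanent storage)
        self.temp_space = {}  # path -> bytearray plaintext while an application works on it
        self._enabled = True

    def disable(self):
        # One switch for both directions: disabling encryption also disables
        # decryption, so the encrypt path cannot be bypassed on its own.
        self._enabled = False

    def _require_enabled(self):
        if not self._enabled:
            raise CryptoDisabled("encryption/decryption module is not running")

    def encrypt(self, plaintext):
        self._require_enabled()
        nonce = os.urandom(self.NONCE_LEN)
        body = bytes(p ^ k for p, k in zip(plaintext, _keystream(self._enc_key, nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def decrypt(self, blob):
        self._require_enabled()
        nonce, body, tag = blob[:self.NONCE_LEN], blob[self.NONCE_LEN:-self.TAG_LEN], blob[-self.TAG_LEN:]
        expected = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("document tampered with or wrong key")
        return bytes(c ^ k for c, k in zip(body, _keystream(self._enc_key, nonce, len(body))))

    # Hooked file operations. In the real module these run inside API hooks.
    def on_create(self, path, plaintext):
        # Encrypt as early as possible: new content never rests in plaintext.
        self.disk[path] = self.encrypt(plaintext)

    def on_read(self, path):
        # Decrypt as late as possible, into the temporary space the kernel guards.
        self.temp_space[path] = bytearray(self.decrypt(self.disk[path]))
        return bytes(self.temp_space[path])

    def on_write(self, path, new_plaintext):
        # The application edits the plaintext copy; disk still holds ciphertext.
        self.temp_space[path] = bytearray(new_plaintext)

    def on_close(self, path):
        # Re-encrypt to disk, then zero the plaintext buffer before releasing it.
        self.disk[path] = self.encrypt(bytes(self.temp_space[path]))
        buf = self.temp_space.pop(path)
        for i in range(len(buf)):
            buf[i] = 0
```

Any tampering with the blob at rest is caught by the tag check before plaintext is produced, and after disable() both encrypt and decrypt raise CryptoDisabled, which is the inseparability property the paragraph describes.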
The self-protection module 220 runs in the kernel layer of the operating system. Whenever the encryption/decryption module 210 observes an application operating on a document, it notifies the self-protection module 220 of the location of the storage space holding the plaintext of the document content, and the self-protection module 220 monitors that temporary storage space to prevent applications other than that application from accessing it, thereby ensuring that the plaintext in the temporary storage space is not accessed without authorization. For example, when an illegitimate user attempts to access the plaintext in the temporary storage space through an unprotected application, the self-protection module 220 immediately determines whether the application is a protected application and, if it is not, forbids the application from accessing the temporary storage space.
Furthermore, because the encryption/decryption module 210 is in the application layer of user space, it is difficult to ensure that its process or thread is not forcibly terminated, and difficult to ensure that the module itself is not forcibly removed or replaced by a malicious user. A malicious user might forcibly terminate the module with a special kernel-driver-level tool, which reduces the attack resistance of the encryption/decryption system. A guard process in the kernel layer, by contrast, is hard to bypass and its attack resistance is far higher than that of the application layer. Therefore, in one embodiment of the invention, the self-protection module 220 monitors the encryption/decryption module 210, and when the encryption/decryption module 210 stops working for any reason, for example because it is forcibly deleted or forcibly terminated, the self-protection module 220 immediately clears the plaintext content from the temporary storage space, so as to prevent the document from leaking.
In this way, through cooperation between the self-protection module 220 in the kernel layer and the encryption/decryption module 210 in the user-space layer, the basic principle of the encryption/decryption process is realized while the safety of these modules within the operating system is also ensured.
According to an embodiment of the invention, the self-protection module 220 is started by the encryption/decryption module 210. The encryption/decryption module 210 can send relevant information, such as the location of the temporary storage space, to the self-protection module 220. To ensure that the information the self-protection module 220 receives really comes from the encryption/decryption module 210, optionally, when the encryption/decryption module 210 communicates with the self-protection module 220 it adds its own check information to the communication data, so that the self-protection module 220 can determine the identity of the encryption/decryption module 210 from that information, and a malicious user is prevented from forging the identity of the encryption/decryption module in order to control the self-protection module 220.
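The kernel-side behaviour described in the preceding paragraphs (guarding the temporary space, wiping it when the user-space module dies, and accepting location messages only with valid check information), as an added example that is not part of the patent: a Python model of the self-protection module. The patent does not specify the form of the check information; here it is assumed to be an HMAC-SHA256 tag under a secret shared with the encryption/decryption module, and the process identifiers, document identifier and message format are constructed for the example. A Python process cannot enforce memory isolation between applications; the point of the model is the decision logic, which in the real device relies on the kernel's own memory protection.

```python
"""Model of self-protection module 220: authenticated registration of a
plaintext space, owner-only access, and wipe-on-exit."""
import hashlib
import hmac
import json


def check_information(shared_secret, message):
    """Tag the encryption/decryption module attaches to each message (assumed HMAC)."""
    return hmac.new(shared_secret, message, hashlib.sha256).digest()


class SelfProtectionModule:
    def __init__(self, shared_secret):
        self._secret = shared_secret
        self._spaces = {}       # space_id -> (owner application pid, bytearray buffer)
        self._module_pid = None # pid of the encryption/decryption module that started us
        self.events = []        # denials and forgeries, for the audit record upload

    def _verify(self, message, tag):
        expected = hmac.new(self._secret, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def register(self, message, tag, buffer):
        """Accept the location of a temporary plaintext space from module 210.

        message is the JSON payload {"module_pid", "space_id", "app_pid"};
        buffer stands in for the memory region at that location."""
        if not self._verify(message, tag):
            self.events.append(("forged_registration", message))
            return False
        info = json.loads(message)
        if self._module_pid is None:
            self._module_pid = info["module_pid"]
        elif self._module_pid != info["module_pid"]:
            # A second, differently identified sender is not our module.
            self.events.append(("module_pid_mismatch", info["module_pid"]))
            return False
        self._spaces[info["space_id"]] = (info["app_pid"], buffer)
        return True

    def read(self, space_id, requester_pid):
        """Only the application the space was registered for may read it."""
        owner_pid, buffer = self._spaces[space_id]
        if requester_pid != owner_pid:
            self.events.append(("denied", space_id, requester_pid))
            raise PermissionError("pid %d may not access %s" % (requester_pid, space_id))
        return bytes(buffer)

    def module_stopped(self):
        """Watchdog path: module 210 is gone, so zero every plaintext space."""
        for _, buffer in self._spaces.values():
            for i in range(len(buffer)):
                buffer[i] = 0
        self._spaces.clear()
        self._module_pid = None


def demo():
    """Legitimate registration, forged registration, owner and non-owner reads, wipe."""
    secret = b"constructed shared secret"
    spm = SelfProtectionModule(secret)
    plaintext = bytearray(b"quarterly figures")  # constructed document content
    msg = json.dumps({"module_pid": 4242, "space_id": "doc-1", "app_pid": 5150}).encode()
    registered = spm.register(msg, check_information(secret, msg), plaintext)
    forged = spm.register(msg, check_information(b"attacker key", msg), plaintext)
    owner_read = spm.read("doc-1", 5150)
    try:
        spm.read("doc-1", 9999)
        other_denied = False
    except PermissionError:
        other_denied = True
    spm.module_stopped()
    return registered, forged, owner_read, other_denied, bytes(plaintext), spm.events
```

In demo(), the forged registration is refused before any state changes, the non-owner read is denied and logged, and after module_stopped() the buffer the application was working on contains only zeros.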
According to an embodiment of the invention, the document protection device 200 may also include a rule manager 230. The rule manager 230 is coupled to the encryption/decryption module 210 and stores the rules under which various applications may perform document operations. For example, the rule manager 230 may maintain a list of protected applications; when the encryption/decryption module 210 observes an application performing a document read or write, it can determine from the rule manager 230 whether the application is on the protected application list, and only if it is does it allow the application to perform the document operation. The rule manager 230 may also hold the manner in which each application may operate on documents; for example, some applications may only open documents and not edit them. The encryption/decryption module 210 can then control the rights of applications to operate on documents according to the rules in the rule manager.
In order to communicate with the document protection server 110, the document protection device 200 optionally also includes a client agent module 240. The client agent module 240 is coupled to the encryption/decryption module 210 and communicates with the document protection server 110 so as to send the document-operation records observed by the encryption/decryption module 210 to the document protection server 110, for example for storage in the log memory 112, so that the operation records can later be analysed to determine the path by which a document was leaked and which documents may have been leaked.
The rule manager 230 may also be coupled to the client agent module 240 so as to obtain the latest rules for application operations on documents from the document protection server 110, in particular from the rule memory 116, and update the rules held in the rule manager 230.
The client agent module 240 also includes an authentication component 242, which interacts with the authentication component 114 in the document protection server 110 in order to authenticate the client, and in particular the user on the client, and allows only a client that passes authentication to start the encryption/decryption module 210 and perform document operations. In addition, the rule manager 230 obtains, via the client agent module 240, the document-operation rules associated with the authenticated user from the document protection server 110. Thus, when the encryption/decryption module 210 observes an application's document operation, it can first determine which user is operating on the client, then determine from the rules in the rule manager 230 that relate to that user whether the document operation is authorized, and refuse the operation if it is not.
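The rule manager and its use of server-pushed, user-bound rules, as described in the preceding paragraphs and in the rule memory examples above (an ordinary user may view and modify with Word but not print; finance staff may browse financial but not development documents with Excel; the chief financial officer has full rights over financial documents), as an added example that is not part of the patent: a Python model that applies the authentication gate, the protected-application list and a default-deny rule lookup, and emits the audit record the client agent would upload. The role names, the rule payload format and the derivation of a document's class from its storage path are assumptions made for the example; the patent does not say how documents are classified.

```python
"""Model of rule manager 230 fed from rule memory 116, with the client-side
decision the encryption/decryption module makes on each hooked operation."""
import fnmatch
from dataclasses import dataclass, field

OPERATIONS = ("open", "view", "modify", "save", "print", "copy")

# Assumed classification: document class derived from the storage path.
# Patterns are checked in order; the last one is the catch-all.
CLASS_BY_PATH = (
    ("/share/finance/*", "financial"),
    ("/share/dev/*", "development"),
    ("*", "general"),
)


def classify(path):
    for pattern, doc_class in CLASS_BY_PATH:
        if fnmatch.fnmatch(path, pattern):
            return doc_class
    return "general"


@dataclass
class Session:
    user: str
    role: str
    authenticated: bool  # set by client agent 240 once server component 114 accepts the user


@dataclass
class RuleManager:
    protected_apps: set = field(default_factory=set)
    rules: dict = field(default_factory=dict)   # (role, app, doc_class) -> set of operations
    audit: list = field(default_factory=list)   # records handed to client agent 240 for upload

    def update_from_server(self, payload):
        """Replace the local rule set with the one pushed from rule memory 116."""
        self.protected_apps = set(payload["protected_apps"])
        self.rules = {(r["role"], r["app"], r["doc_class"]): set(r["ops"]) for r in payload["rules"]}

    def decide(self, session, app, path, op):
        """Default deny: authenticated user, protected application, matching rule."""
        doc_class = classify(path)
        if not session.authenticated:
            allowed, reason = False, "unauthenticated client"
        elif app not in self.protected_apps:
            allowed, reason = False, "application not on protected list"
        else:
            permitted = (self.rules.get((session.role, app, doc_class), set())
                         | self.rules.get((session.role, app, "*"), set()))
            allowed = op in permitted
            reason = "rule match" if allowed else "no rule grants operation"
        self.audit.append({"user": session.user, "app": app, "path": path,
                           "class": doc_class, "op": op, "allowed": allowed, "reason": reason})
        return allowed


# Constructed server payload encoding the three examples from the description.
SERVER_RULES = {
    "protected_apps": ["Word", "Excel"],
    "rules": [
        {"role": "general_user", "app": "Word", "doc_class": "*",
         "ops": ["open", "view", "modify", "save"]},
        {"role": "finance_staff", "app": "Excel", "doc_class": "financial",
         "ops": ["open", "view"]},
        {"role": "cfo", "app": "Excel", "doc_class": "financial",
         "ops": list(OPERATIONS)},
    ],
}
```

Because the lookup is default deny, an application or user the server has never heard of gets nothing, and every decision, allowed or not, lands in the audit list that the client agent forwards to the log memory.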
The document protection device 200 of the invention deploys the encryption/decryption module in the application layer of the operating system and deploys the self-protection module in the kernel layer to monitor the encryption/decryption module and the temporary storage space holding plaintext, so that while the path along which plaintext data is stored in the whole system is kept as short as possible, the security and reliability of the whole document protection device is also ensured.
Fig. 3 shows a schematic flow chart of a document protection method 300 according to an embodiment of the invention. The document protection method 300 is suitable for execution on the client described with reference to Fig. 1, and in particular in the document protection device 200 shown in Fig. 2, so as to protect the various documents on the client from being leaked.
The document protection method 300 starts at step S310. In step S310, the user-space layer of the operating system running on the client monitors the operations that applications on the client perform on documents. When an application is about to read document content, the encrypted document content is obtained from the client, for example from the client's memory, and decrypted, and the decrypted content is placed in a temporary storage space for the application to read. When the application wants to save document content, the content in the temporary storage space is encrypted and the encrypted document is stored in the client's memory.
The encryption and decryption in step S310 are invisible, or in other words transparent, to the upper-layer application. When an application opens or edits a specified document, files that are not yet encrypted are encrypted automatically and files that are encrypted are decrypted automatically. Documents are stored on the client's permanent storage in encrypted form and exist in plaintext in the temporary storage space only while an application operates on them. Once a document leaves the environment of the document protection system, applications cannot obtain the automatic decryption service and therefore cannot open it, which protects the document content.
The encryption and decryption operations in step S310 need to be closely integrated with the operating system. In general, such encryption/decryption techniques fall into two classes: kernel-level encryption and application-level encryption. Kernel-level encryption generally uses file-system filter-driver technology, while application-level encryption generally uses application-layer API hooking (commonly called HOOK). The principle of both is to take over file I/O (read and write) operations and, by monitoring the read and write operations of applications, encrypt and decrypt documents dynamically. Because these operations are all performed automatically at a lower layer, apart from a possible slight reduction in speed the user experiences no difference from normal use.
One basic principle of encryption and decryption process is that encryption opportunity should be as early as possible, and decryption opportunity should be as late as possible.Only Have and just encrypted immediately when application just produces confidential data, and until application needs just to be decrypted using the eve of data It, could farthest reduce the possibility that confidential information is intercepted.Based on above-mentioned consideration, step S310 is empty in user Interbed is to run in application layer, and using application layer API HOOK technologies.When various applications are operated to document, step S310 can in advance be intercepted and captured at system API of application layer using API HOOK and be changed, clips and pastes including document, screenshotss, beating The operation requests such as print, the encryption and decryption such that it is able to fulfil document content ahead of schedule is processed.
According to one embodiment of present invention, step S310 can enter style of writing using any encryption and decryption technology of this area Shelves encryption and decryption operation, without deviating from protection scope of the present invention.
In addition, in step S310, encryption and decryption operation is designed to can not be split, if cryptographic operation fails or is disliked Meaning disabling, then decryption oprerations are also failed simultaneously, and ensuring that cannot individually bypass encryption flow.If thus can ensure to read Encrypted document, the then all documents for producing force encrypted;If the document for producing is not encrypted, cannot read any encrypted Document.
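The behaviour just described for step S310, as an added Python simulation that is not the patent's or the assignee's code: the read hook passes an unencrypted legacy file through unchanged and the write hook always encrypts and then wipes the temporary buffer, and both hooks run the same encrypt-then-decrypt self-test, so disabling or breaking the encryption path refuses reads as well. The `MAGIC` marker, the key, the sample document text and the HMAC-SHA256 keystream-plus-tag stand-in cipher are assumptions made for the demo (a real implementation would hook the file API and use a vetted AEAD); the class and function names are likewise invented here.

```python
"""Constructed demo of a user-space transparent encryption shim (not the patent's code)."""
import hashlib
import hmac
import os

MAGIC = b"TXEN"   # constructed marker identifying documents written by this shim
NONCE_LEN = 16
TAG_LEN = 32


class ShimDisabled(RuntimeError):
    """Raised when the encrypt/decrypt pair is disabled or fails its self-test."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream built from HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class TransparentShim:
    """Stands in for the API-hooked read and write interception of step S310."""

    def __init__(self, key: bytes):
        self._enc_key = hashlib.sha256(b"enc|" + key).digest()
        self._mac_key = hashlib.sha256(b"mac|" + key).digest()
        self._enabled = True

    def disable(self) -> None:
        self._enabled = False   # models the encryption path being disabled

    def _check_coupled(self) -> None:
        # Both hooks run the same encrypt-then-decrypt probe, so neither works alone.
        if not self._enabled:
            raise ShimDisabled("encryption disabled, so decryption is refused too")
        probe = b"self-test"
        if self._decrypt(self._encrypt(probe)) != probe:
            self._enabled = False
            raise ShimDisabled("encrypt/decrypt pair failed its self-test")

    def _encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        body = _xor(plaintext, _keystream(self._enc_key, nonce, len(plaintext)))
        tag = hmac.new(self._mac_key, MAGIC + nonce + body, hashlib.sha256).digest()
        return MAGIC + nonce + body + tag   # encrypt-then-MAC

    def _decrypt(self, stored: bytes) -> bytes:
        if len(stored) < len(MAGIC) + NONCE_LEN + TAG_LEN:
            raise ValueError("stored document is truncated")
        header = stored[: len(MAGIC) + NONCE_LEN]
        body, tag = stored[len(header):-TAG_LEN], stored[-TAG_LEN:]
        expected = hmac.new(self._mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # verify before touching the body
            raise ValueError("stored document failed its integrity check")
        nonce = header[len(MAGIC):]
        return _xor(body, _keystream(self._enc_key, nonce, len(body)))

    def open_for_read(self, stored: bytes) -> bytearray:
        """Hooked read: plaintext lands in a temp buffer (a bytearray, so it can be wiped)."""
        self._check_coupled()
        if stored.startswith(MAGIC):
            return bytearray(self._decrypt(stored))
        return bytearray(stored)   # legacy unencrypted file: readable now, encrypted on next save

    def save(self, temp_buffer: bytearray) -> bytes:
        """Hooked write: always emits ciphertext, then zeroes the temp buffer."""
        self._check_coupled()
        stored = self._encrypt(bytes(temp_buffer))
        for i in range(len(temp_buffer)):
            temp_buffer[i] = 0
        return stored


def run_scenario() -> dict:
    def refused(fn, arg, exc) -> bool:
        try:
            fn(arg)
        except exc:
            return True
        return False

    shim = TransparentShim(b"constructed-demo-key")
    legacy = b"quarterly numbers"                # constructed unencrypted document
    buf = shim.open_for_read(legacy)             # passes straight through
    legacy_read_ok = bytes(buf) == legacy
    stored = shim.save(buf)                      # encrypts and wipes the buffer
    tampered = stored[:-1] + bytes([stored[-1] ^ 0x01])
    results = {
        "legacy_read_ok": legacy_read_ok,
        "encrypted_on_save": stored.startswith(MAGIC) and legacy not in stored,
        "buffer_wiped": bytes(buf) == bytes(len(legacy)),
        "roundtrip": bytes(shim.open_for_read(stored)) == legacy,
        "tamper_refused": refused(shim.open_for_read, tampered, ValueError),
    }
    shim.disable()                               # encryption gone: reads stop as well
    results["read_refused_when_disabled"] = refused(shim.open_for_read, stored, ShimDisabled)
    results["write_refused_when_disabled"] = refused(shim.save, bytearray(b"new text"), ShimDisabled)
    return results
```

The self-test in `_check_coupled` is what makes the pair inseparable in this model: a stripped-down build that kept only `_decrypt` would still fail the probe because the probe needs `_encrypt` to succeed first. Holding plaintext in a `bytearray` rather than immutable `bytes` is what allows `save` (and, in the kernel-side model, the self-protection monitor) to overwrite it in place.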
Meanwhile, in step S320, the temporary storage space is monitored in the kernel layer to prevent any application other than the application in question from accessing it. Whenever an application's operation on a document is detected in step S310, the location of the storage space holding the document's plaintext is obtained, and in step S320 that temporary storage space can be monitored so that no application other than the one in question can access it, thereby ensuring that the plaintext in the temporary storage space is not accessed without authorization. For example, when an illegitimate user attempts to access the plaintext in the temporary storage space through an unprotected application, step S320 can immediately determine whether that application is a protected application and, if it is not, forbid it from accessing the temporary storage space.
Furthermore, because the encryption/decryption operation of step S310 is carried out in user space, that is, the application layer, it is difficult to guarantee that its process, or a thread within that process, is not forcibly terminated, and also difficult to guarantee that the operation is not forcibly removed or replaced by a malicious user; a malicious user could, for example, forcibly terminate the operation with a special tool at the kernel driver level. A kernel-layer protection program, by contrast, is hard to bypass and its resistance to attack is far higher than that of the application layer. Therefore, according to one embodiment of the present invention, step S330 may also be included. In step S330, step S310 is monitored in the kernel layer, and when step S310 stops working for any reason, for example because it has been forcibly deleted or forcibly terminated, the plaintext content in the temporary storage space is immediately emptied, thereby preventing document leakage.
In this way, through the cooperation between the kernel-layer monitoring mechanism and the user-space-layer encryption/decryption operation, the basic principle of encryption/decryption handling is realized while the safety of these modules within the operating system is also ensured.
According to one embodiment of the present invention, the kernel-layer monitoring operation is started by step S310. In step S310, relevant information, such as the location of the temporary storage space, is sent to the kernel layer. To ensure that the information received by the kernel layer really comes from the encryption/decryption operation, optionally, when step S310 communicates with the kernel layer it adds its own check information to the communication data, so that the kernel layer can determine from that information that the requests come from step S310, thereby preventing a malicious user from forging the identity of the encryption/decryption operation to deceive the kernel layer.
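The kernel-layer behaviour of steps S320 and S330 and the check information of the preceding paragraph, as an added Python simulation that is not the patent's code: the monitor honours a registration or heartbeat message only when its HMAC tag and strictly increasing sequence number show it came from the agent (so a forged or replayed message is rejected), lets only the owning protected application read a registered buffer, and zeroes every buffer the moment the agent's heartbeats stop or it is reported exited. The PIDs, the shared secret, the timeout and the message format are constructed for the example; a real kernel module would receive these through its own driver interface.

```python
"""Constructed demo of a kernel-layer self-protection monitor (not the patent's code)."""
import hashlib
import hmac


class AuthError(PermissionError):
    """Control message was forged, replayed or sent by the wrong process."""


class AccessDenied(PermissionError):
    """A process other than the protected owner touched a plaintext buffer."""


class AgentChannel:
    """User-space agent side: every message carries a sequence number and an HMAC check value."""

    def __init__(self, agent_pid: int, secret: bytes):
        self.pid, self._secret, self._seq = agent_pid, secret, 0

    def message(self, kind: str, **fields) -> dict:
        self._seq += 1
        body = f"{kind}|{self.pid}|{self._seq}|" + "|".join(f"{k}={v}" for k, v in sorted(fields.items()))
        tag = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


class SelfProtectionMonitor:
    """Kernel side of steps S320 and S330 in simulation."""

    HEARTBEAT_TIMEOUT = 5.0   # seconds; constructed value

    def __init__(self, agent_pid: int, secret: bytes, now: float):
        self._agent_pid, self._secret = agent_pid, secret
        self._last_seq, self._last_heartbeat = 0, now
        self.agent_alive = True
        self._spaces = {}   # space id -> (owner pid, bytearray holding the plaintext)

    def _verify(self, msg: dict) -> tuple:
        expected = hmac.new(self._secret, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(msg["tag"], expected):
            raise AuthError("check information does not match")
        kind, pid, seq, *rest = msg["body"].split("|")
        if int(pid) != self._agent_pid or int(seq) <= self._last_seq:
            raise AuthError("wrong sender or replayed message")
        self._last_seq = int(seq)
        return kind, dict(f.split("=", 1) for f in rest if f)

    def register(self, msg: dict, buffer: bytearray) -> None:
        """Agent tells the kernel where a plaintext buffer lives and which app owns it."""
        kind, fields = self._verify(msg)
        if kind != "register":
            raise AuthError("unexpected message kind")
        self._spaces[fields["space"]] = (int(fields["owner"]), buffer)

    def heartbeat(self, msg: dict, now: float) -> None:
        if self._verify(msg)[0] == "heartbeat":
            self._last_heartbeat = now

    def access(self, requester_pid: int, space: str) -> bytes:
        """Every read of a registered buffer is checked against the protected owner."""
        owner, buffer = self._spaces[space]
        if requester_pid != owner:
            raise AccessDenied(f"pid {requester_pid} is not the protected owner of {space}")
        return bytes(buffer)

    def tick(self, now: float) -> None:
        if self.agent_alive and now - self._last_heartbeat > self.HEARTBEAT_TIMEOUT:
            self.agent_exited()

    def agent_exited(self) -> None:
        """Process-exit callback analogue: zero every plaintext buffer at once."""
        self.agent_alive = False
        for _, buffer in self._spaces.values():
            for i in range(len(buffer)):
                buffer[i] = 0


def run_scenario() -> dict:
    def refused(fn, *args) -> bool:
        try:
            fn(*args)
        except (AuthError, AccessDenied):
            return True
        return False

    secret = b"constructed-shared-secret"
    agent = AgentChannel(agent_pid=1000, secret=secret)
    monitor = SelfProtectionMonitor(agent_pid=1000, secret=secret, now=0.0)
    plaintext = bytearray(b"board minutes")          # constructed decrypted document
    reg = agent.message("register", space="doc1", owner=2000)
    monitor.register(reg, plaintext)
    results = {
        "owner_can_read": monitor.access(2000, "doc1") == b"board minutes",
        "other_app_denied": refused(monitor.access, 3000, "doc1"),
        "replay_rejected": refused(monitor.register, reg, bytearray()),
        "forgery_rejected": refused(monitor.register, dict(reg, tag="0" * 64), bytearray()),
    }
    monitor.heartbeat(agent.message("heartbeat"), now=1.0)
    monitor.tick(now=3.0)                              # still within the timeout
    results["alive_while_heartbeating"] = monitor.agent_alive and plaintext == b"board minutes"
    monitor.tick(now=20.0)                             # heartbeats stopped: agent was killed
    results["wiped_after_agent_death"] = not monitor.agent_alive and plaintext == bytearray(len(plaintext))
    return results
```

The sequence number is what turns the check information from a bare identity tag into something a replayed capture cannot reuse; the heartbeat timeout covers the case the patent calls out, an agent killed by a kernel-level tool, where no orderly shutdown message will ever arrive.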
According to one embodiment of the present invention, the step of monitoring, in the user-space layer, the operations that applications on the client perform on documents in step S310 further includes: when an application's operation on a document is detected, obtaining the document operation rules associated with that application and determining whether the application may perform that document operation. The client, in particular the document protection device (especially the rule manager 230 of Fig. 2), stores the rules under which various applications may perform document operations. For example, the document protection device may maintain a list of protected applications; when an application is detected performing a document read or write operation, step S310 may determine whether the application is in the protected application list, and only if it is does it allow the application to perform the document operation. The document protection device may also record the manner in which each application may operate on documents; for example, some applications may only open documents but not edit them. Step S310 may control an application's document operation permissions according to the rules in the rule manager.
In order to communicate with the document protection server 110, optionally, the document protection method 300 further includes step S340. In step S340, the client communicates with the document protection server and sends the records of the document operations monitored in the user-space layer to the document protection server, for example to be stored in the log memory 112, so that the operation records can subsequently be analyzed to determine the path by which a document was leaked and which documents may have been compromised.
Furthermore, the latest rules governing applications' operations on documents can be obtained from the document protection server 110, in particular from the rule memory 116, and the rules held in the document protection device updated accordingly.
Optionally, the document protection method 300 further includes step S350. In step S350, the client is authenticated via communication with the document protection server, and only a client that passes authentication is allowed to start the operation of step S310. In step S350, the client interacts with the authentication component 114 in the document protection server 110 so that the client, in particular the user on the client, is authenticated, and only a client that passes authentication is allowed to perform document operations. In addition, the document operation rules associated with the authenticated user can be obtained from the document protection server 110. Thus, when an application's document operation is monitored in step S310, the user operating on the client can first be determined, and whether that user has permission for the document operation is decided according to the rules relevant to that user; if there is no permission, the operation is refused.
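The rule check of step S310, the audit upload of step S340 and the authentication of step S350, as one added Python simulation that is not the patent's code: a client refuses every document operation until the user has authenticated against the server, then pulls the protected application list and the user's own rules, decides each hooked operation against both, records the decision, and uploads the records to the server's log memory, where a simple query lists which documents a user touched. The user names, passwords, application names, rule sets and the SHA-256 credential check are all constructed for the demo; the class and method names are invented here.

```python
"""Constructed demo of client-side rule enforcement, server authentication and audit
upload (steps S310 rule check, S340 and S350). Not the patent's code."""
import hashlib
import hmac


def _cred_hash(user: str, password: str) -> str:
    # Constructed credential check; a deployment would use a real password hash or SSO.
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()


class ProtectionServer:
    """Document protection server: authentication component, rule memory and log memory."""

    def __init__(self, credentials: dict, app_rules: dict, user_rules: dict):
        self._credentials = credentials    # user -> credential hash
        self.app_rules = app_rules         # application -> allowed operations
        self.user_rules = user_rules       # user -> allowed operations
        self.log_memory = []               # operation records received from clients

    def authenticate(self, user: str, password: str):
        """Returns the user's operation rules on success, None on failure."""
        stored = self._credentials.get(user)
        if stored is None or not hmac.compare_digest(stored, _cred_hash(user, password)):
            return None
        return self.user_rules.get(user, set())

    def receive_log(self, records: list) -> None:
        self.log_memory.extend(records)

    def documents_touched_by(self, user: str) -> list:
        """Leak-path analysis helper: the documents a user operated on, in order."""
        return [r["doc"] for r in self.log_memory if r["user"] == user]


class RuleManager:
    """Client-side rule store: protected application list plus per-user rules from the server."""

    def __init__(self):
        self.app_rules, self.user_rules = {}, {}

    def update(self, app_rules: dict, user_rules: dict) -> None:
        self.app_rules.update(app_rules)
        self.user_rules.update(user_rules)

    def decide(self, user: str, app: str, op: str) -> tuple:
        if app not in self.app_rules:
            return False, "application not in protected list"
        if op not in self.app_rules[app]:
            return False, f"application may not {op}"
        if op not in self.user_rules.get(user, set()):
            return False, f"user may not {op}"
        return True, "allowed"


class ProtectionClient:
    """Client agent: no document operation is served until the user has authenticated."""

    def __init__(self, server: ProtectionServer):
        self._server, self.rules, self.audit, self.user = server, RuleManager(), [], None

    def login(self, user: str, password: str) -> bool:
        user_rules = self._server.authenticate(user, password)
        if user_rules is None:
            return False
        self.user = user
        self.rules.update(self._server.app_rules, {user: user_rules})   # pull latest rules
        return True

    def request(self, app: str, op: str, doc: str) -> bool:
        """Hooked document operation: decide, record, then allow or refuse."""
        if self.user is None:
            allowed, reason = False, "client not authenticated; agent not started"
        else:
            allowed, reason = self.rules.decide(self.user, app, op)
        self.audit.append({"user": self.user, "app": app, "op": op, "doc": doc,
                           "allowed": allowed, "reason": reason})
        return allowed

    def upload_audit(self) -> int:
        """Sends buffered operation records to the server's log memory; returns how many."""
        self._server.receive_log(self.audit)
        sent, self.audit = len(self.audit), []
        return sent


def run_scenario() -> dict:
    server = ProtectionServer(   # all names, credentials and rules constructed for the demo
        credentials={"alice": _cred_hash("alice", "pw-alice"), "bob": _cred_hash("bob", "pw-bob")},
        app_rules={"office.exe": {"open", "edit", "print"}, "viewer.exe": {"open"}},
        user_rules={"alice": {"open", "edit", "print"}, "bob": {"open"}},
    )
    alice = ProtectionClient(server)
    r = {"denied_before_login": not alice.request("office.exe", "open", "plan.docx")}
    r["bad_password_rejected"] = not alice.login("alice", "wrong")
    r["login_ok"] = alice.login("alice", "pw-alice")
    r["edit_in_protected_app"] = alice.request("office.exe", "edit", "plan.docx")
    r["edit_in_viewer_denied"] = not alice.request("viewer.exe", "edit", "plan.docx")
    r["unknown_app_denied"] = not alice.request("notepad.exe", "open", "plan.docx")
    r["audit_uploaded"] = alice.upload_audit() == 4
    bob = ProtectionClient(server)
    bob.login("bob", "pw-bob")
    r["user_rule_denies_print"] = not bob.request("office.exe", "print", "plan.docx")
    bob.upload_audit()
    r["leak_path_query"] = server.documents_touched_by("alice") == ["plan.docx"] * 3
    return r
```

Denied requests are recorded as well as allowed ones: the attempt to open a document from an unlisted application, or to print as a user who may only open, is exactly the kind of record the server-side analysis of step S340 needs when reconstructing how a document left the protected environment.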
With the document protection method 300 of the present invention, encryption/decryption operations are performed at the application layer of the operating system, and the kernel layer monitors the encryption/decryption operation and the temporary storage space holding the plaintext, so that plaintext data travels the shortest possible path within the whole system while the security and reliability of the whole document protection device are also ensured.
In the description provided herein, a large number of specific details are set forth. It should be understood, however, that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
B10. The document protection method according to B8 or B9, wherein the step of monitoring, in the user-space layer, the operations that applications on the client perform on documents further includes: when an application's operation on a document is detected, obtaining the document operation rules associated with the application and determining whether the application may perform that document operation. B11. The document protection method according to any one of B8 to B10, further including the step of: communicating with the document protection server and sending the records of the document operations monitored in the user-space layer to the document protection server. B12. The document protection method according to B11, further including the step of: authenticating the client via communication with the document protection server, and allowing only a client that passes authentication to start the step of monitoring, in the user-space layer, the operations that applications on the client perform on documents.
Similarly, it should be understood that, in order to simplify the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Thus the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will understand that the modules, units or components of the devices in the examples disclosed herein may be arranged in a device as described in the embodiment, or alternatively may be located in one or more devices different from the device in the example. The modules in the foregoing examples may be combined into one module or further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components in an embodiment may be combined into one module, unit or component, and may further be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, any combination may be used to combine all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Furthermore, some of the embodiments are described herein as methods, or combinations of method elements, that may be implemented by a processor of a computer system or by other means performing the function. Thus a processor carrying the instructions necessary for implementing such a method or method element forms a means for implementing the method or method element. Furthermore, an element of a device embodiment described herein is an example of a means for implementing the function performed by that element for the purpose of carrying out the invention.
As used herein, unless otherwise specified, the use of the ordinals "first", "second", "third" and so on to describe a common object merely indicates that different instances of like objects are being referred to, and is not intended to imply that the objects so described must be in a given order, whether temporally, spatially, in ranking, or in any other manner.
Although the present invention has been described in terms of a limited number of embodiments, those skilled in the art, having the benefit of the above description, will appreciate that other embodiments can be envisaged within the scope of the invention thus described. Furthermore, it should be noted that the language used in this specification has been chosen principally for readability and instructional purposes, rather than to explain or limit the subject matter of the invention. Therefore, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. As for the scope of the present invention, the disclosure made of the invention is illustrative and not restrictive, and the scope of the invention is defined by the appended claims.

Claims (8)

1. A document protection device, resident on a client, the client having an operating system divided into a user-space layer and a kernel layer, the document protection device comprising:
an encryption/decryption module, running in the user-space layer, which monitors the operations that applications on the client perform on documents; when an application reads document content, it obtains the encrypted document content from the client and decrypts it, placing the decrypted content in a temporary storage space for the application to read; when the application stores document content, it encrypts the content in the temporary storage space and stores the encrypted document; and
a self-protection module, running in the kernel layer, which monitors the temporary storage space to prevent applications other than said application from accessing the temporary storage space; the self-protection module also monitors the encryption/decryption module, and when the encryption/decryption module stops working, the self-protection module empties the decrypted content in the temporary storage space.
2. The document protection device of claim 1, further comprising a rule manager, coupled to the encryption/decryption module and holding the rules under which various applications may perform various document operations; and
wherein the encryption/decryption module, when it detects an application's operation on a document, obtains from the rule manager the document operation rules associated with that application and determines whether the application may perform that document operation.
3. The document protection device of claim 2, further comprising a client agent module, adapted to communicate with a document protection server and coupled to the encryption/decryption module, which sends the document operation records monitored by the encryption/decryption module to the document protection server.
4. The document protection device of claim 3, wherein the client agent module further comprises an authentication component, adapted to authenticate the client via communication with the document protection server and to allow only a client that passes authentication to start the encryption/decryption module for document operations.
5. The document protection device of claim 4, wherein the client agent module also obtains from the document protection server the document operation rules associated with the client and stores them in the rule manager.
6. The document protection device of claim 5, wherein the encryption/decryption module, when communicating with the self-protection module, adds its own check information to the communication data so that the self-protection module can determine the identity of the encryption/decryption module from that information.
7. A document protection method, adapted to run on a client, the client having an operating system divided into a user-space layer and a kernel layer, the document protection method comprising the steps of:
monitoring, in the user-space layer, the operations that applications on the client perform on documents; when an application reads document content, obtaining the encrypted document content from the client and decrypting it, and placing the decrypted content in a temporary storage space for the application to read; when the application stores document content, encrypting the content in the temporary storage space and storing the encrypted document;
monitoring the temporary storage space in the kernel layer to prevent applications other than said application from accessing the temporary storage space; and
monitoring, in the kernel layer, the user-space-layer operation that monitors applications' operations on documents, and emptying the decrypted content in the temporary storage space when that user-space-layer monitoring operation stops working.
8. A file protection system, comprising:
a document protection server; and
one or more clients, communicatively connected with the document protection server, each having resident on it the document protection device according to any one of claims 1 to 6.
CN201410004266.3A 2014-01-03 2014-01-03 File protection method and system Active CN103763313B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410004266.3A CN103763313B (en) 2014-01-03 2014-01-03 File protection method and system

Publications (2)

Publication Number Publication Date
CN103763313A CN103763313A (en) 2014-04-30
CN103763313B (en) 2017-05-10
