Nothing Special   »   [go: up one dir, main page]

CN101729550B - Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof - Google Patents

Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof Download PDF

Info

Publication number
CN101729550B
CN101729550B CN2009102188809A CN200910218880A CN101729550B CN 101729550 B CN101729550 B CN 101729550B CN 2009102188809 A CN2009102188809 A CN 2009102188809A CN 200910218880 A CN200910218880 A CN 200910218880A CN 101729550 B CN101729550 B CN 101729550B
Authority
CN
China
Prior art keywords
digital content
module
encryption
decryption
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2009102188809A
Other languages
Chinese (zh)
Other versions
CN101729550A (en
Inventor
房鼎益
张汉宁
高丽
汤战勇
陈晓江
杭继春
高沛
苏琳
章哲
安娜
李磊
赵玉洁
杨朕
何路
陈�峰
王妮
胡伟
杨红
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Northwest University
Original Assignee
Northwest University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Northwest University filed Critical Northwest University
Priority to CN2009102188809A priority Critical patent/CN101729550B/en
Publication of CN101729550A publication Critical patent/CN101729550A/en
Application granted granted Critical
Publication of CN101729550B publication Critical patent/CN101729550B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention belongs to the field of information safety, providing a digital content safeguard system based on transparent encryption and decryption. The system comprises a transparent encryption and decryption module, an access control module, a monitoring module, a certificate authority module, a communication proxy module, a management center and a permission server module, wherein the transparent encryption and decryption module, the access control module and the monitoring module are on a client side, and the management center and the permission server module are on a server side; the client side and the server side are connected by the communication proxy module and the permission server module. Aiming at the safeguard system, the invention provides a dynamic encryption and decryption method which carries out encryption and access control to digital content as well as opens, reads and writes cipher texts. The method realizes transparent encryption and decryption to the digital content by realizing filtering driving on the bottom layer of an operating system and records an intact log to all operation of a user, thus improving system safety, and greatly improving encryption and decryption speed. Compared with the existing like products, the system of the invention has the advantages of safe and efficient encryption mode, fine grit access control, perfect log audit function and convenient and efficient management mode.

Description

Digital content safeguard system and encipher-decipher method based on transparent encryption and decryption
Technical field
The invention belongs to information security field, be specifically related to a kind of digital content safeguard system and encipher-decipher method based on transparent encryption and decryption.
Background technology
Along with the widespread usage of computer and the develop rapidly of Internet; More and more technological inventions, innovation etc. rely on computer technology; Therefore; The confidential document of a lot of cores with electronic stored in form on computers, even most enterprise key technical documentations itself is exactly the electronic document of design drawing, program source code etc.Therefore; Technological progress has brought new challenge to information security; Network technology popularize with being widely used of mobile office equipment, movable storage device, notebook computer etc., bring to people efficient with increased again simultaneously easily that information is intercepted, the danger of intercepting and capturing and illegal copies.Show according to the survey institute investigation result, every year a large amount of enterprise's sensitive datas can take place all and lose incident that it is extremely heavy that e-file is revealed the loss that enterprise caused.Relate to the state secret aspect and work as this situation, the loss that is caused is immeasurable especially.In order to prevent the secret leakage, enterprise has taked various file encryption measures, and the technology that also occurred simultaneously much file being encrypted occur.
Encryption and decryption technology is divided into static encryption and decryption and dynamic encryption and decryption, and static encryption and decryption is meant that during encrypting data to be encrypted are in unused state, and in a single day these data encrypt, and the user needs at first obtain expressly could using then through the static state deciphering before use; Dynamic encryption is transparent encryption and decryption technology, is meant data in use, and system carries out the encryption and decryption operation to data automatically; Do not change the user to the visit of file (open, reading and writing etc.) custom; Need not user's intervention, apparently, the file of access encrypted is basic identical with visit unencrypted file; Therefore these encrypt files are " transparent " concerning validated user; Promptly do not encrypt, but, can't use yet even obtained encrypt file through other nonconventional approaches for the user who does not have access rights like having.Because transparent encryption and decryption technology does not change user's use habit, and need not the safety that the too many intervention operation of user can realize file, thereby obtained in recent years using widely.
There has been the safety product of a lot of transparent encryption and decryption to realize protection in the market, but existed various deficiencies and defective digital content:
1, fail safe is low.Big number product is employed in operating system user attitude and accomplishes the encryption and decryption operation, and this mode fail safe is low, can cause digital content in use " expressly to land ", and promptly clear content is stored in the situation on the disk, is prone to cause giving away secrets and revealing of confidential information;
2, speed is low.Because in the encryption and decryption operation that operating system user attitude is accomplished, its speed ratio is lower, it is not high enough to cause handling file efficient; For example Shanghai Suo Yuan Docsecurity system does not adopt filter drive program and changes document format, makes encrypt file must use the application program operation of qualification, and speed is lower, and has influenced user's use habit;
3, the control of authority refinement is not enough.Though safety product can allow or refusing user's visit protected digit content mostly, to the control of authority of sectionalization more can not be provided, the safety product that " whole or zero " authority is provided of this static state can not satisfy current dynamic business demand.For example iron volume electronic document safety system though introduced the filtration drive technology, is not supported fine-grained control of authority, can't satisfy user's dynamic need;
4, monitoring mechanism shortcoming.The like product design is simpler mostly, does not have to realize the digital content usage behavior is carried out perfect track record.
Summary of the invention
For deficiency and the defective that overcomes above-mentioned existing encryption and decryption technology like product; The objective of the invention is to; A kind of digital content safeguard system and encipher-decipher method based on transparent encryption and decryption is provided; The present invention passes through in operating system bottom layer realization filtration drive, thereby realizes the transparent encryption and decryption to digital content, and the present invention combines transparent encryption and decryption technology, access control technology and Digital Right Management technology; Not only improved the fail safe of system, and encryption/decryption speed is greatly improved.
In order to realize above-mentioned task, the technical scheme that the present invention adopts is following:
A kind of digital content safeguard system based on transparent encryption and decryption is made up of client and service end, and client comprises:
Transparent encryption and decryption module, mutual with the communication agent module, be used to receive the encrypt digital content request that application program is sent through the communication agent module, and according to asking encrypt digital content; Opening, in the reading and writing operating process, dynamically obtaining required key, authority information from service end, and the digital content of being visited is being carried out dynamic encryption and decryption according to these information through the communication agent module;
The Certificate Authority module; Mutual with the communication agent module; Send the authentication information request to the service end permission server; Return identity information according to permission server login user is carried out authentication, obtain authority information from the service end permission server simultaneously, the user is controlled according to identity information and authority information; The user can carry out ciphertext mandate distribution for other users through the Certificate Authority module;
Monitoring module, mutual with the communication agent module, recording user is to the use of system, to the operation of digital content; Import the permission server of service end into and be kept in the database through the Operation Log of communication agent module, so that the use of digital content is audited and followed the trail of record;
Access control module, mutual with the communication agent module, be used for the user digital content process that conducts interviews is intercepted and captured the opening operation of application program to digital content, obtain the complete trails of digital content through the data structure of transparent encryption and decryption module structure; Obtain the content ID and the corresponding authority information of digital content according to the complete trails of digital content from the permission server of service end, according to the use of authority information control user to ciphertext;
The communication agent module is connected in order to the communication between other each modules of each module and service end of client, sends various requests or receives the request return information, transmits client and service end desired data, the isomery of shielding server;
Service end comprises:
Administrative center for the system manager provides the unified connection interface to the system user management, comprises and adds new user, interpolation user grouping, when the user registers user identity is verified, checks the Operation Log of user to digital content;
Permission server; Through the communication agent module with each module exchange message of client; Receive ID authentication request, authority information request or key information request that each module of client is sent, from database, obtain data, return to the information needed of each module of client according to respective request;
Database is in order to preserve client identity authentication information, the authority information of digital content, key information, User operation log;
The administrative center of service end is connected with database respectively with permission server, and service end is connected with permission server through the communication agent module with client.
Based on the digital content safeguard system of transparent encryption and decryption encryption protecting method, may further comprise the steps digital content:
Step 201: the user needs the digital content of encipherment protection through the application program selection, comprises selecting a file a plurality of files of disposable selection or select whole file;
Step 202: application program is sent enciphering request to the communication agent module;
Step 203: after the communication agent module is received enciphering request, be transmitted to transparent encryption and decryption module;
Step 204: after transparent encryption and decryption module is received request, request is kept in the request chained list of self maintained;
Step 205: when closing application program; The encrypt digital content that transparent encryption and decryption module is selected the user; And add encryption identification at the afterbody of digital content, and be used for distinguishing expressly and ciphertext, send encryption key to the permission server storage through the communication agent module simultaneously;
Step 206: after encrypting end, transparent encryption and decryption module writes disk to ciphertext and preserves.
Above-mentioned encryption identification part is following:
301: flag bit indicates that whether this content is protected content, takies 128 bytes;
302: content ID, digital content of unique identification is made up of current time, MAC Address and 16 random character sequence three parts, takies 256 bytes, and wherein the current time is accurate to second.
303: content type, be used for the initial form information of storing digital content, take 256 bytes.
304: AES, be used for storing the encryption algorithm type that this digital content adopts, so that when follow-up encryption and decryption operation, adopt identical algorithm, take 256 bytes.
305: reserved byte for follow-up expansion provides headspace, takies 128 bytes.
Method based on the ciphertext mandate distribution of the digital content safeguard system of transparent encryption and decryption may further comprise the steps:
Step 401: the user selects protected content through application program;
Step 402: user and authority information that the user need authorize through the application program selection, send authorization requests to the Certificate Authority module;
Step 403: the Certificate Authority module receives authorization requests, sends the renewal authority request through the communication agent module to permission server, comprises former authority is got common factor or union; Permission server upgrades user's authority information and return results;
Step 404: the Certificate Authority module is received the request return information, protected digital content is shared being distributed to authorized user through USB flash disk, email, network, and the user uses according to the authority of authorizing after receiving digital content.
Based on the dynamic encryption and decryption method of the digital content safeguard system of transparent encryption and decryption, dynamic encryption and decryption is opened in digital content, carry out in the reading and writing operation, wherein:
The digital content opening procedure may further comprise the steps:
Step 501: the protected digital content that the user need open through the application program selection;
Step 502: application program is sent the IRP_MJ_CREATE request to transparent encryption and decryption module;
Step 503: after transparent encryption and decryption module is intercepted and captured the IRP_MJ_CREATE request; Whether the afterbody of this digital content of structure IRP inquiry has encryption indicator, if any, show that this digital content is a ciphertext; Then the construction data structure writes down this document relevant information; So that in the subsequent operation of all being opened digital content, distinguish plaintext and ciphertext, empty system cache then, jump to step 504; If there is not encryption identification, then show not to be ciphertext to jump to step 506; The data structure of this transparent encryption and decryption module structure comprises with the lower part:
1) ListEntry is Windows kernel list structure;
2) FsContext, reality is the pointer of digital content controll block FCB, this digital content of unique sign;
3) Pid is for visiting the process ID of this digital content;
4) FilePath, the storing digital content complete trails;
Step 504: transparent encryption and decryption module is obtained content ID from the encryption identification of ciphertext; According to this content ID; Obtain authority information and the key information of user through the communication agent module from permission server, whether have authority to open this content, if having according to user's authority information judges to this ciphertext; Then use this content of corresponding secret key decryption, execution in step 505 then; Otherwise, will not decipher, application prompts user haves no right to open, and flow process finishes;
Step 505: access control module obtains right of digital content information through the communication agent module from permission server; Carry out fine-grained control of authority according to authority information; The availability that comprises menu, button, the control of pulling between the copy and paste of clipbook, the program, OLE exchanges data, screenshotss;
Step 506: be shown to the user to digital content;
Ciphertext is carried out read operation may further comprise the steps:
Step 601: application program is sent the IRP_MJ_READ request to the bottom filter drive program;
Step 602: after transparent encryption and decryption module is received the IRP_MJ_READ request; Judge whether Irp->Flags is IRP_NOCACH or IRP_PAGING_IO; Be execution in step 603 then, otherwise transparent encryption and decryption module does not process; But the default processing function PassThroughLowerDriver of call operation system, flow process finishes;
Step 603: preserve Read Irp and be with the Buffer pointer, application and the onesize SwapBuffer of Buffer;
Step 604: former Buffer is replaced with SwapBuffer, be provided with and accomplish routine ReadProcCompletion, wait for the return results that filter drive program is handled then;
Step 605: accomplish routine and be activated, transparent encryption and decryption module is deciphered the data among the SwapBuffer with key, and data copy among the former Buffer after will deciphering;
Step 606: reduction Irp Buffer pointer Irp->MdlAddress and Irp->UserBuffer;
Step 607: be shown to the user to the digital content after the deciphering;
Ciphertext is carried out write operation may further comprise the steps:
Step 701: application program is sent the IRP_MJ_WRITE request;
Step 702: transparent encryption and decryption module is intercepted and captured the IRP_MJ_WRITE request; Judge whether Irp->Flags is IRP_NOCACHE or IRP_PAGING_IO; It is execution in step 703 then; Otherwise PassThroughLowerDriver (Irp), transparent encryption and decryption module does not process, and directly turns back to end step;
Step 703: preserve Write Irp and be with the Buffer pointer, apply for onesize SwapBuffer;
Step 704: data among the Buffer are encrypted and data encrypted is copied among the SwapBuffer;
Step 705: former Buffer is replaced with SwapBuffer, be provided with and accomplish routine WriteProcCompletion, wait for the return results that the bottom filter drive program is handled;
Step 706: accomplish routine and be activated, reduction Irp Buffer pointer Irp->MdlAddress and Irp->UserBuffer;
Step 707: the digital content after system will encrypt is saved on the computer disk.
When in a plurality of digital contents of opening ciphertext being arranged; Step 503 is further comprising the steps of: transparent encryption and decryption module is created a new Archive sit to it when ciphertext is opened; Kernel list structure ListEntry in the data structure is chained list with the Archive sit series connection of all ciphertexts of opening; Plaintext and ciphertext in the digital content of opening with differentiation, when ciphertext was closed, its node was deleted.
In step 505, access control module obtains corresponding authority information through the communication agent module from permission server, and may further comprise the steps according to the process that authority information is carried out fine-grained control of authority:
Step 801: the user opens protected digit content through application program, and application program is sent the opening operation request of content;
Step 802: access control module is intercepted and captured the opening operation request of application program, obtains the complete trails of digital content through the data structure of transparent encryption and decryption module structure.
Step 803: access control module sends request through the communication agent module to permission server according to the complete trails of digital content, and permission server returns the content ID and the corresponding authority information of digital content.
Step 804: access control module is carried out fine-grained control of authority according to the authority information that obtains, and comprises the availability of menu, button, the control of modes such as pulling between the copy and paste of clipbook, the program, OLE exchanges data, screenshotss.
Compared with prior art, beneficial effect of the present invention is following:
1. cipher mode is safe and efficient.Because the present invention adopts the transparent encryption and decryption that realizes based on the bottom filtration drive; With traditional comparing in application layer realization encryption and decryption mode; This mode has improved the fail safe of system, and encryption/decryption speed has had very big lifting simultaneously, through testing: for the file of 35M; Traditional application layer realizes that encryption and decryption needs 2 minutes, realizes that encryption and decryption only needed for 6 seconds and the present invention is based on the bottom filtration drive.
2. fine granularity control of authority.The present invention is according to digital content owner's different demands; Write the COM plug-in unit and realize control important application software (like Word, Excel, AutoCad); To other The software adopted Hook technology of not supporting developing plug, authority is set flexibly, thereby has satisfied the ever-increasing demand of user.Individual or group all can be composed power; Authority specifically comprises control, several times read-only fully; Print several times, reproducible, can deposit in addition, can editor, Expiration Date, effective time etc., this provides the safety product of " all or zero " authorities for traditional static state is a very big breakthrough.
3. the daily record audit function is perfect.The present invention does detailed log record to the user to all operations of protected content (as open, preserve, deposit in addition, printing etc.), and comprehensive daily record audit function is provided, and the evidence obtaining of afterwards tracing that the concerning security matters digital content is leaked provides and provides powerful support for.
4. way to manage convenient and efficient.The administrative center of numeric security guard system of the present invention adopts the B/S structure, and web administration is flexible, is adapted at that any main frame is configured management for the keeper provides unified connection interface to system to the visit of administrative center in the environment for use; When the user registers user identity is verified; The Operation Log that inquiring user is detailed.
Description of drawings
Fig. 1 is a digital content safeguard system structure chart of the present invention;
Fig. 2 is the encipherment protection procedure chart to the digital content that needs protection;
Fig. 3 is the encryption identification structure chart;
Fig. 4 authorizes distribution procedure figure for the user with ciphertext;
Fig. 5 is the opening procedure flow chart of digital content;
The flow chart of Fig. 6 for ciphertext is carried out read operation;
Fig. 7 is for carrying out the flow chart of write operation to ciphertext;
The procedure chart that Fig. 8 conducts interviews and controls ciphertext for access control module;
Below in conjunction with accompanying drawing the present invention is done further explain.
Embodiment
The operating system that the present invention is suitable for has: Microsoft Windows XP, Microsoft Windows 2000, Microsoft Windows 2003, Microsoft Windows vista etc.; Hardware environment: Pentium (R) 3 CPU are more than the 256 MB of memory; Application software: Microsoft Office 2000/XP/2003/2007, Adobe Reader, AutoCAD etc.; The development language that is suitable for: C++, C, C#.
Referring to Fig. 1, a kind of digital content safeguard system based on transparent encryption and decryption comprises client and service end, wherein,
Client comprises following each unit:
Transparent encryption and decryption module, mutual with the communication agent module, be used to receive the encrypt digital content request that application program is sent through the communication agent module, and according to asking encrypt digital content; Opening, in the reading and writing operating process, dynamically obtaining required key, authority information from service end, and the digital content of being visited is being carried out dynamic encryption and decryption according to these information through the communication agent module;
The Certificate Authority module; Mutual with the communication agent module; Send the authentication information request to the service end permission server; Return identity information according to permission server login user is carried out authentication, obtain authority information from the service end permission server simultaneously, the user is controlled according to identity information and authority information; The user can carry out ciphertext mandate distribution for other users through the Certificate Authority module;
Monitoring module, mutual with the communication agent module, recording user is to the use of system, to the operation of digital content; Import the permission server of service end into and be kept in the database through the Operation Log of communication agent module, so that the use of digital content is audited and followed the trail of record;
Access control module, mutual with the communication agent module, be used for the user digital content process that conducts interviews is intercepted and captured the opening operation of application program to digital content, obtain the complete trails of digital content through the data structure of transparent encryption and decryption module structure; Obtain the content ID and the corresponding authority information of digital content according to the complete trails of digital content from the permission server of service end, according to the use of authority information control user to ciphertext;
The communication agent module; Communication in order between other each modules of each module and service end of client is connected, and sends various requests or receives the request return information, transmits client and service end desired data; The isomery of shielding server; If be that server has change, need not revise other module, only need to revise the communication agent module.
Service end provides a convenient and swift management control center safely and effectively for the system manager, and all client-requested all meet with a response through the service end permission server, and service end comprises following each unit:
Administrative center for the system manager provides the unified connection interface to the system user management, comprises and adds new user, interpolation user grouping, when the user registers user identity is verified, checks the Operation Log of user to digital content;
Permission server; Through communication agent with each module exchange message of client; Receive ID authentication request, authority information request or key information request that each module of client is sent, from database, obtain data, return to the information needed of each module of client according to respective request;
Database is in order to preserve client identity authentication information, the authority information of digital content, key information, User operation log;
The administrative center of service end is connected with database respectively with the permission server module, service end and the be connected exchange message of client through communication agent module and permission server module.
More than main interface between each module following:
Transparent encryption and decryption-communication agent interface: be used for transparent encryption and decryption module is sent request from information such as the authority obtain digital content and key to the communication agent module.Realize through DeviceIoControl.
Certificate Authority-communication agent interface: be used for the Certificate Authority module and send authentication message, obtain file permission information etc. to the communication agent module.Realize through pipe communication mechanism.
Monitoring-communication agent interface: be used for monitoring module and send the User operation log operation information, realize communication through com interface to the communication agent module.
Access control-communication agent interface: be used for access control module and send request, information such as the authority of acquisition file, client certificate to the communication agent module.Realize communication through Windows pipeline mechanism.
Communication agent-permission server interface: be used for of the request of communication agent module forwards, like information such as the authority information that obtains file, encryption key, User operation log from other modules of client.Realize communication through the SSL encryption channel.
There is not direct communication between permission server and the administrative center, separately with the direct communication of service end database.
Client is connected with application program, and the bottom filter drive program is realized through DeviceIoControl with communicating by letter of application program.
In this system; The access control of digital content is accomplished through the access control module of client, realizes the control to important application software (like Word, Excel, AutoCad) through writing the COM plug-in unit, to not supporting the The software adopted Hook technical intercept information of developing plug; And modes such as pulling between the copy and paste of clipbook, the program, OLE exchanges data, screenshotss are all controlled; Realize two purposes: the one, the exchanges data only import but no export between the application program that guarantees and the application program of non-concerning security matters, for example, as if Word document encrypted after; Its content just can not be adhered among the OutLook of non-concerning security matters, and perhaps pasting the content that is mess code; The 2nd, can carry out normal exchanges data between the encryption software, for example, cross Word and Excel and be protected process, then data can be duplicated from Word and pasted the Excel.Realize fine-grained access control by the way; And COM plug-in unit and the Hook of system and bottom filter drive program have the operating state authentication mechanism; In case the access control on upper strata and monitoring module are by malicious modification or destruction, transparent encryption and decryption service will stop automatically.
Referring to Fig. 2; Before each digital content is used; Need carry out encipherment protection to it according to its significance level; The digital content that does not need encipherment protection is expressly, needs encipherment protection and is ciphertext by the digital content after the transparent encryption and decryption module encrypt, may further comprise the steps based on the digital content safeguard system of the transparent encryption and decryption encryption protecting method to digital content:
Step 201: the user needs the digital content of encipherment protection through the application program selection, comprises selecting file, a plurality of files of disposable selection, selecting whole file, and the mode of operation of this selection is supported multiple mode, like right button, pull, property pages etc.;
Step 202: application program is sent enciphering request to the communication agent module;
Step 203: after the communication agent module is received enciphering request, be transmitted to transparent encryption and decryption module;
Step 204: after transparent encryption and decryption module is received request, request is kept in the request chained list of self maintained;
Step 205: when closing application program; The encrypt digital content that transparent encryption and decryption module is selected the user; And add encryption identification at the afterbody of digital content, and be used for distinguishing expressly and ciphertext, send encryption key to the permission server module stores through the communication agent module simultaneously;
Step 206: after encrypting end, transparent encryption and decryption module writes disk to ciphertext and preserves;
Referring to Fig. 3, during transparent encryption and decryption module encrypt file, the encryption identification that adds at tail of file comprises with the lower part:
301: flag bit indicates that whether this content is protected content, takies 128 bytes;
302: content ID, digital content of unique identification is made up of current time (being accurate to second), MAC Address and 16 random character sequence three parts, takies 256 bytes;
303: content type, be used for the initial form information of storing digital content, be MS001 like the Word document in the definition Office document, the Excel Doctype is MS002 etc., takies 256 bytes;
304: AES, be used for storing the encryption algorithm type that this digital content adopts, so that when follow-up encryption and decryption operation, adopt identical algorithm, take 256 bytes;
305: reserved byte for follow-up expansion provides headspace, takies 128 bytes.
Referring to Fig. 4, the method for a kind of ciphertext mandate of the digital content safeguard system based on transparent encryption and decryption distribution may further comprise the steps:
Step 401: the user selects protected content through application program;
Step 402: user and right to choose limit information that the user need authorize through the application program selection, send authorization requests to the Certificate Authority module;
Step 403: the Certificate Authority module receives authorization requests, sends the renewal authority request through the communication agent module to the service end permission server, comprises former authority is got common factor or union; Permission server upgrades user's authority information and return results;
Step 404: the Certificate Authority module is received the request return information, agent-protected file mode such as is shared through USB flash disk, email, network be distributed to authorized user, and the user uses according to the authority of authorizing after receiving file;
Windows NT system is IRP_MJ_CREATE to the at first corresponding Drive Layer of access process of digital content and equipment; The corresponding Drive Layer of last operation is IRP_MJ_CLOSE; Be the data disclosure of avoiding system cache to cause; In IRP_MJ_CREATE and IRP_MJ_CLOSE operation, all buffer memory is emptied processing; The read-write requests of the corresponding application program of IRP_MJ_READ and IRP_MJ_WRITE read and write operated data and is stored in IRP (I/O Request Packet is the fixed data form that request that the I/O manager sends according to application program is constructed).Transparent encryption and decryption is to accomplish in to the opening of data, reading and writing operation in system; In aforesaid operations; Upper level applications is sent corresponding read-write requests to transparent encryption and decryption module; Transparent encryption and decryption module filters out the read-write requests of application program to buffer memory, only non-buffer memory read-write requests is carried out corresponding operating, and system is through judging whether sign is that IRP_NOCACH and IRP_PAGING_IO judge whether to be non-buffer memory read-write in the read-write requests.
Based on the dynamic encryption and decryption method of the digital content safeguard system of transparent encryption and decryption, this method is opened in digital content, carry out in the reading and writing operation, wherein:
Referring to Fig. 5, the digital content opening procedure may further comprise the steps:
Step 501: the protected digital content that the user need open through the application program selection;
Step 502: application program is sent the IRP_MJ_CREATE request to transparent encryption and decryption module;
Step 503: after transparent encryption and decryption module is intercepted and captured the IRP_MJ_CREATE request; Whether the afterbody of this digital content of structure IRP inquiry has encryption indicator, if any, show that this file is a ciphertext; Then the construction data structure writes down this document relevant information; So that in the subsequent operation of all being opened digital content, distinguish plaintext and ciphertext, empty system cache then, jump to step 504; If there is not encryption identification, then show not to be ciphertext to jump to step 506; The data structure of this transparent encryption and decryption module structure comprises with the lower part:
1) ListEntry is Windows kernel list structure;
2) FsContext, reality is the pointer of digital content controll block FCB, this digital content of unique sign;
3) Pid is for visiting the process ID of this digital content;
4) FilePath, the storing digital content complete trails;
Step 504: transparent encryption and decryption module is obtained content ID from the encryption identification of ciphertext; Obtain user authority information and key information to this ciphertext through communication agent from permission server according to this content ID; Whether the authority information judges according to the user has authority to open this content; If have, then use this content of corresponding secret key decryption, execution in step 505 then; Otherwise, will not decipher, application prompts user haves no right to open;
Step 505: access control module obtains right of digital content information through communication agent from permission server; Carry out fine-grained control of authority according to authority information; The availability that comprises menu, button, the control of pulling between the copy and paste of clipbook, the program, OLE exchanges data, screenshotss;
Step 506: be shown to the user to digital content.
Referring to Fig. 6, ciphertext is carried out read operation may further comprise the steps:
Step 601: application program is sent the IRP_MJ_READ request to the bottom filter drive program;
Step 602: after transparent encryption and decryption module is received the IRP_mJ_READ request; Judge whether Irp->Flags is IRP_NOCACH or IRP_PAGING_IO; It is execution in step 603 then; Otherwise transparent encryption and decryption module does not process, but the default processing function PassThroughLowerDriver of call operation system;
Step 603: preserve Read Irp and be with the Buffer pointer, application and the onesize SwapBuffer of Buffer;
Step 604: former Buffer is replaced with SwapBuffer, be provided with and accomplish routine ReadProcCompletion, wait for the return results that the bottom filter drive program is handled then;
Step 605: accomplish routine and be activated, transparent encryption and decryption module is deciphered the data among the SwapBuffer with key, and data copy among the former Buffer after will deciphering;
Step 606: reduction Irp Buffer pointer Irp->MdlAddress and Irp->UserBuffer;
Step 607: be shown to the user to the digital content after the deciphering.
Referring to Fig. 7, ciphertext is carried out write operation may further comprise the steps:
Step 701: application program is sent the IRP_MJ_WRITE request;
Step 702: transparent encryption and decryption module is intercepted and captured the IRP_MJ_WRITE request; Judging whether Irp->Flags is IRP_NOCACHE or IRP_PAGING_IO, is execution in step 703 then, otherwise PassThroughLowerDriver (Irp); Transparent encryption and decryption module does not process, and directly returns;
Step 703: preserve Write Irp and be with the Buffer pointer, apply for onesize SwapBuffer;
Step 704: data among the Buffer are encrypted and data encrypted is copied among the SwapBuffer;
Step 705: former Buffer is replaced with SwapBuffer, be provided with and accomplish routine (WriteProcCompletion), wait for the return results that the bottom filter drive program is handled, whether successful like write operation, write how many bytes;
Step 706: accomplish routine and be activated, reduction Irp Buffer pointer Irp->MdlAddress and Irp->UserBuffer;
Step 707: the digital content after system will encrypt is saved on the computer disk.
In above-mentioned read-write process to digital content; The encryption and decryption operation is all carried out in SwapBuffer; Original I rp with the data buffer zone be expressly; And the read-write of disk is ciphertext, so not only guaranteed that clear data does not land but also avoided operating issuable the conflict with application's data.
In addition; When in a plurality of digital contents of opening ciphertext being arranged; Step 503 is further comprising the steps of: transparent encryption and decryption module is created a new Archive sit to it when ciphertext is opened, and the kernel list structure (ListEntry) in the data structure is chained list with the Archive sit series connection of all ciphertexts of opening, plaintext and ciphertext in the digital content of opening with differentiation; When ciphertext was closed, its node was deleted.
Referring to Fig. 8, access control module obtains corresponding authority information through communication agent from permission server in the step 505, and may further comprise the steps according to the process that authority information is carried out fine-grained control of authority:
Step 801: the user opens protected digit content through application program, and application program is sent the opening operation request of content;
Step 802: access control module is intercepted and captured the opening operation request of application program, obtains the complete trails of digital content through the data structure of transparent encryption and decryption module structure;
Step 803: access control module sends request through communication agent to permission server according to the complete trails of digital content, and permission server returns the content ID and the corresponding authority information of digital content;
Step 804: access control module is carried out fine-grained control of authority according to the authority information that obtains, and comprises the availability of menu, button, the control of modes such as pulling between the copy and paste of clipbook, the program, OLE exchanges data, screenshotss.
In order to reach the purpose that defence is in advance followed the trail of afterwards; Detailed Operation Log has been write down in all key operations that the client control module is carried out the user (as open, preserve, deposit in addition, printing etc.), and all journalizing information can be through administrative center's inquiry of service end.

Claims (7)

1. the digital content safeguard system based on transparent encryption and decryption is made up of client and service end, it is characterized in that:
Described client comprises:
Transparent encryption and decryption module, mutual with the communication agent module, be used to receive the encrypt digital content request that application program is sent through the communication agent module, and according to asking encrypt digital content; Opening, in the reading and writing operating process, dynamically obtaining required key, authority information from service end, and the digital content of being visited is being carried out dynamic encryption and decryption according to these information through the communication agent module;
The Certificate Authority module; Mutual with the communication agent module; Send the authentication information request to the service end permission server; Return identity information according to permission server login user is carried out authentication, obtain authority information from the service end permission server simultaneously, the user is controlled according to identity information and authority information; The user can carry out ciphertext mandate distribution for other users through the Certificate Authority module;
Monitoring module, mutual with the communication agent module, recording user is to the use of system, to the operation of digital content; Import the permission server of service end into and be kept in the database through the Operation Log of communication agent module, so that the use of digital content is audited and followed the trail of record;
Access control module, mutual with the communication agent module, be used for the user digital content process that conducts interviews is intercepted and captured the opening operation of application program to digital content, obtain the complete trails of digital content through the data structure of transparent encryption and decryption module structure; Obtain the content ID and the corresponding authority information of digital content according to the complete trails of digital content from the permission server of service end, according to the use of authority information control user to ciphertext;
The communication agent module; Communication in order between other each modules of each module and service end of client is connected, and sends various requests or receives the request return information, transmits client and service end desired data; The isomery of shielding server supports offline mode to use this system;
Described service end comprises:
Administrative center for the system manager provides the unified connection interface to the system user management, comprises and adds new user, interpolation user grouping, when the user registers user identity is verified, checks the Operation Log of user to digital content;
Permission server; Through the communication agent module with each module exchange message of client; Receive ID authentication request, authority information request or key information request that each module of client is sent, from database, obtain data, return to the information needed of each module of client according to respective request;
Database is in order to preserve client identity authentication information, the authority information of digital content, key information, User operation log;
The administrative center of service end is connected with database respectively with permission server, and service end is connected with permission server through the communication agent module with client.
2. the described digital content safeguard system based on transparent encryption and decryption of claim 1 is characterized in that to the encryption protecting method of digital content this method may further comprise the steps:
Step 201: the user needs the digital content of encipherment protection through the application program selection, comprises selecting a file a plurality of files of disposable selection or select whole file;
Step 202: application program is sent enciphering request to the communication agent module;
Step 203: after the communication agent module is received enciphering request, be transmitted to transparent encryption and decryption module;
Step 204: after transparent encryption and decryption module is received request, request is kept in the request chained list of self maintained;
Step 205: when closing application program; The encrypt digital content that transparent encryption and decryption module is selected the user; And add encryption identification at the afterbody of digital content, and be used for distinguishing expressly and ciphertext, send encryption key to the permission server storage through the communication agent module simultaneously;
Step 206: after encrypting end, transparent encryption and decryption module writes disk to ciphertext and preserves.
3. method as claimed in claim 2 is characterized in that, described encryption identification part is following:
301: flag bit indicates that whether this content is protected content, takies 128 bytes;
302: content ID, digital content of unique identification is made up of current time, MAC Address and 16 random character sequence three parts, takies 256 bytes, and wherein the current time is accurate to second;
303: content type, be used for the initial form information of storing digital content, take 256 bytes;
304: AES, be used for storing the encryption algorithm type that this digital content adopts, so that when follow-up encryption and decryption operation, adopt identical algorithm, take 256 bytes;
305: reserved byte for follow-up expansion provides headspace, takies 128 bytes.
4. the method for the ciphertext mandate distribution of the described digital content safeguard system based on transparent encryption and decryption of claim 1 is characterized in that, may further comprise the steps:
Step 401: the user selects protected content through application program;
Step 402: user and authority information that the user need authorize through the application program selection, send authorization requests to the Certificate Authority module;
Step 403: the Certificate Authority module receives authorization requests, sends the renewal authority request through the communication agent module to the service end permission server, comprises former authority is got common factor or union; Permission server upgrades user's authority information and return results;
Step 404: the Certificate Authority module is received the request return information, protected digital content is shared being distributed to authorized user through USB flash disk, email, network, and the user uses according to the authority of authorizing after receiving digital content.
5. the dynamic encryption and decryption method of the described digital content safeguard system based on transparent encryption and decryption of claim 1 is characterized in that, described dynamic encryption and decryption method is opened in digital content, carry out in the reading and writing operation, wherein:
Described digital content opening procedure may further comprise the steps:
Step 501: the protected digital content that the user need open through the application program selection;
Step 502: application program is sent the IRP_MJ_CREATE request to transparent encryption and decryption module;
Step 503: after transparent encryption and decryption module is intercepted and captured the IRP_MJ_CREATE request; Whether the afterbody of this digital content of structure IRP inquiry has encryption indicator, if any, show that this digital content is a ciphertext; Then the construction data structure writes down this document relevant information; So that in the subsequent operation of all being opened digital content, distinguish plaintext and ciphertext, empty system cache then, jump to step 504; If there is not encryption identification, then show not to be ciphertext to jump to step 506; The data structure of this transparent encryption and decryption module structure comprises with the lower part:
1) ListEntry is Windows kernel list structure;
2) FsContext, reality is the pointer of digital content controll block FCB, this digital content of unique sign;
3) Pid is for visiting the process ID of this digital content;
4) FilePath, the storing digital content complete trails;
Step 504: transparent encryption and decryption module is obtained content ID from the encryption identification of ciphertext; According to this content ID; Obtain authority information and the key information of user through the communication agent module from permission server, whether have authority to open this content, if having according to user's authority information judges to this ciphertext; Then use this content of corresponding secret key decryption, execution in step 505 then; Otherwise, will not decipher, application prompts user haves no right to open, and flow process finishes;
Step 505: access control module obtains right of digital content information through the communication agent module from permission server; Carry out fine-grained control of authority according to authority information; The availability that comprises menu, button, the control of pulling between the copy and paste of clipbook, the program, OLE exchanges data, screenshotss;
Step 506: be shown to the user to digital content;
Describedly ciphertext is carried out read operation may further comprise the steps:
Step 601: application program is sent the IRP_MJ_READ request to the bottom filter drive program;
Step 602: after transparent encryption and decryption module is received the IRP_MJ_READ request; Judge whether Irp->Flags is IRP_NOCACH or IRP_PAGING_IO; Be execution in step 603 then, otherwise transparent encryption and decryption module does not process; But the default processing function PassThroughLowerDriver of call operation system, flow process finishes;
Step 603: preserve Read Irp and be with the Buffer pointer, application and the onesize SwapBuffer of Buffer;
Step 604: former Buffer is replaced with SwapBuffer, be provided with and accomplish routine ReadProcCompletion, wait for the return results that filter drive program is handled then;
Step 605: accomplish routine and be activated, transparent encryption and decryption module is deciphered the data among the SwapBuffer with key, and data copy among the former Buffer after will deciphering;
Step 606: reduction Irp Buffer pointer Irp->MdlAddress and Irp->UserBuffer;
Step 607: be shown to the user to the digital content after the deciphering;
Describedly ciphertext is carried out write operation may further comprise the steps:
Step 701: application program is sent the IRP_MJ_WRITE request;
Step 702: transparent encryption and decryption module is intercepted and captured the IRP_MJ_WRITE request; Judge whether Irp->Flags is IRP_NOCACHE or IRP_PAGING_IO; It is execution in step 703 then; Otherwise PassThroughLowerDriver (Irp), transparent encryption and decryption module does not process, and directly turns back to end step;
Step 703: preserve Write Irp and be with the Buffer pointer, apply for onesize SwapBuffer;
Step 704: data among the Buffer are encrypted and data encrypted is copied among the SwapBuffer;
Step 705: former Buffer is replaced with SwapBuffer, be provided with and accomplish routine WriteProcCompletion, wait for the return results that the bottom filter drive program is handled;
Step 706: accomplish routine and be activated, reduction Irp Buffer pointer Irp->MdlAddress and Irp->UserBuffer;
Step 707: the digital content after system will encrypt is saved on the computer disk.
6. method as claimed in claim 5; It is characterized in that when in a plurality of digital contents of opening ciphertext being arranged, step 503 is further comprising the steps of: transparent encryption and decryption module is created a new Archive sit to it when ciphertext is opened; Kernel list structure ListEntry in the data structure is chained list with the Archive sit series connection of all ciphertexts of opening; Plaintext and ciphertext in the digital content of opening with differentiation, when ciphertext was closed, its node was deleted.
7. method as claimed in claim 5; It is characterized in that; In step 505, access control module obtains corresponding authority information through the communication agent module from permission server, and may further comprise the steps according to the process that authority information is carried out fine-grained control of authority:
Step 801: the user opens protected digit content through application program, and application program is sent the opening operation request of content;
Step 802: access control module is intercepted and captured the opening operation request of application program, obtains the complete trails of digital content through the data structure of transparent encryption and decryption module structure;
Step 803: access control module sends request through the communication agent module to permission server according to the complete trails of digital content, and permission server returns the content ID and the corresponding authority information of digital content;
Step 804: access control module is carried out fine-grained control of authority according to the authority information that obtains, and comprises the availability of menu, button, the control of modes such as pulling between the copy and paste of clipbook, the program, OLE exchanges data, screenshotss.
CN2009102188809A 2009-11-09 2009-11-09 Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof Expired - Fee Related CN101729550B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009102188809A CN101729550B (en) 2009-11-09 2009-11-09 Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009102188809A CN101729550B (en) 2009-11-09 2009-11-09 Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof

Publications (2)

Publication Number Publication Date
CN101729550A CN101729550A (en) 2010-06-09
CN101729550B true CN101729550B (en) 2012-07-25

Family

ID=42449751

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009102188809A Expired - Fee Related CN101729550B (en) 2009-11-09 2009-11-09 Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof

Country Status (1)

Country Link
CN (1) CN101729550B (en)

Families Citing this family (51)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102280929B (en) * 2010-06-13 2013-07-03 中国电子科技集团公司第三十研究所 System for information safety protection of electric power supervisory control and data acquisition (SCADA) system
CN101860438A (en) * 2010-06-30 2010-10-13 上海华御信息技术有限公司 Local data secret leakage prevention system and method based on secret-related data flow direction encryption
CN101977190B (en) * 2010-10-25 2013-05-08 北京中科联众科技股份有限公司 Digital content encryption transmission method and server side
CN102542182A (en) * 2010-12-15 2012-07-04 苏州凌霄科技有限公司 Device and method for controlling mandatory access based on Windows platform
CN102685086A (en) * 2011-04-14 2012-09-19 天脉聚源(北京)传媒科技有限公司 File access method and system
CN102202062B (en) * 2011-06-03 2013-12-25 苏州九州安华信息安全技术有限公司 Method and apparatus for realizing access control
CN103095482B (en) * 2011-11-07 2015-10-21 上海宝信软件股份有限公司 Program development maintenance system
CN103164659A (en) * 2011-12-13 2013-06-19 联想(北京)有限公司 Method for realizing data storage safety and electronic device
CN102609637A (en) * 2011-12-20 2012-07-25 北京友维科软件科技有限公司 Audit protection system for data leakage
CN102609667A (en) * 2012-02-22 2012-07-25 浙江机电职业技术学院 Automatic file encryption and decryption system and automatic file encryption and decryption method based on filter drive program
EP2820793B1 (en) * 2012-02-29 2018-07-04 BlackBerry Limited Method of operating a computing device, computing device and computer program
CN102739793B (en) * 2012-07-03 2016-05-18 厦门简帛信息科技有限公司 The management system of intelligent terminal, digital resource and method
CN103632107B (en) * 2012-08-23 2017-10-13 慧盾信息安全科技(苏州)股份有限公司 A kind of information of mobile terminal security protection system and method
CN103078866B (en) * 2013-01-14 2015-11-04 成都西可科技有限公司 Mobile platform transparent encryption method
CN103269343B (en) * 2013-05-21 2017-08-25 福建畅云安鼎信息科技有限公司 Business datum safety control platform
CN104243149B (en) * 2013-06-19 2018-05-29 北京搜狗科技发展有限公司 Encrypt and Decrypt method, device and server
CN104424404A (en) * 2013-09-07 2015-03-18 镇江金软计算机科技有限责任公司 Implementation method for realizing third-party escrow system through authorization management
CN103488949B (en) * 2013-09-17 2016-08-17 上海颐东网络信息有限公司 A kind of electronic document security system
CN103679050A (en) * 2013-12-31 2014-03-26 中国电子科技集团公司第三研究所 Security management method for enterprise-level electronic documents
WO2015122813A1 (en) * 2014-02-14 2015-08-20 Telefonaktiebolaget L M Ericsson (Publ) Caching of encrypted content
KR102356549B1 (en) 2014-03-12 2022-01-28 삼성전자주식회사 System and method for encrypting folder in device
CN104063633B (en) * 2014-04-29 2017-05-31 航天恒星科技有限公司 A kind of safety auditing system based on filtration drive
CN103995990A (en) * 2014-05-14 2014-08-20 江苏敏捷科技股份有限公司 Method for preventing electronic documents from divulging secrets
CN105337954A (en) * 2014-10-22 2016-02-17 航天恒星科技有限公司 Method and device for encryption and decryption of IP message in satellite communication
CN105471832A (en) * 2014-10-22 2016-04-06 航天恒星科技有限公司 Processing method and device of IP packet in satellite communication
CN104318175B (en) * 2014-10-28 2018-01-05 深圳市大成天下信息技术有限公司 A kind of document protection method, equipment and system
CN104680079A (en) * 2015-02-04 2015-06-03 上海信息安全工程技术研究中心 Electronic document security management system and electronic document security management method
CN104683477B (en) * 2015-03-18 2018-08-31 哈尔滨工程大学 A kind of shared file operation filter method based on SMB agreements
CN105893852A (en) * 2015-06-04 2016-08-24 济南亚东软件科技有限公司 First author leakage prevention application system based on Windows EFS transparent encryption
CN105095693A (en) * 2015-07-13 2015-11-25 江苏简果科技发展有限公司 Method and system for safely sharing digital asset based on Internet
CN105574429A (en) * 2015-11-30 2016-05-11 东莞酷派软件技术有限公司 File data encryption and decryption method and device and terminal
CN106209891A (en) * 2016-07-26 2016-12-07 广东道易鑫物联网科技有限公司 A kind of means of communication based on D BUS communications protocol
CN108334787B (en) * 2017-01-19 2022-04-01 珠海金山办公软件有限公司 Safety document management system
CN107196932A (en) * 2017-05-18 2017-09-22 北京计算机技术及应用研究所 Managing and control system in a kind of document sets based on virtualization
CN107466035B (en) * 2017-07-20 2019-11-15 奇安信科技集团股份有限公司 Method and device for simulating automatic test of wireless node
CN108111508A (en) * 2017-12-19 2018-06-01 浙江维融电子科技股份有限公司 A kind of print control instrument security protection system
CN109995735A (en) * 2017-12-31 2019-07-09 中国移动通信集团重庆有限公司 Downloading and application method, server, client, system, equipment and medium
CN108229190B (en) * 2018-01-02 2021-10-22 北京亿赛通科技发展有限责任公司 Transparent encryption and decryption control method, device, program, storage medium and electronic equipment
CN108399341B (en) * 2018-01-17 2020-10-30 中国地质大学(武汉) Windows dual file management and control system based on mobile terminal
CN108459973B (en) * 2018-04-03 2022-03-18 清华大学 Safety control method, device and system for processor
CN110971580B (en) * 2018-09-30 2022-05-17 北京国双科技有限公司 Authority control method and device
CN109558451B (en) * 2018-11-14 2022-06-10 咪咕文化科技有限公司 Data management method and system and storage medium
CN109670325B (en) * 2018-12-21 2023-03-28 北京思源理想控股集团有限公司 Device and method for encrypting and decrypting configuration file
CN109885994B (en) * 2019-01-08 2021-06-25 深圳禾思众成科技有限公司 Offline identity authentication system, device and computer readable storage medium
CN110752929B (en) * 2019-09-29 2022-04-22 华为终端有限公司 Application program processing method and related product
CN111159758A (en) * 2019-12-18 2020-05-15 深信服科技股份有限公司 Identification method, device and storage medium
CN111310213A (en) * 2020-02-20 2020-06-19 苏州浪潮智能科技有限公司 Service data protection method, device, equipment and readable storage medium
CN114338629A (en) * 2020-09-25 2022-04-12 北京金山云网络技术有限公司 Data processing method, device, equipment and medium
CN112632625A (en) * 2020-12-31 2021-04-09 深圳昂楷科技有限公司 Database security gateway system, data processing method and electronic equipment
CN113806785B (en) * 2021-10-11 2023-12-08 北京晓航众芯科技有限公司 Method and system for carrying out security protection on electronic document
CN115378659B (en) * 2022-07-28 2024-04-16 中国电子科技集团公司第三十研究所 High-reliability file encryption and fine-granularity access control method based on user identity

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1822014A (en) * 2006-03-23 2006-08-23 沈明峰 Protecting method for security files under cooperative working environment
CN101098224A (en) * 2006-06-28 2008-01-02 中色科技股份有限公司 Method for encrypting/deciphering dynamically data file
CN101271497A (en) * 2008-04-30 2008-09-24 李硕 Electric document anti-disclosure system and its implementing method

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1822014A (en) * 2006-03-23 2006-08-23 沈明峰 Protecting method for security files under cooperative working environment
CN101098224A (en) * 2006-06-28 2008-01-02 中色科技股份有限公司 Method for encrypting/deciphering dynamically data file
CN101271497A (en) * 2008-04-30 2008-09-24 李硕 Electric document anti-disclosure system and its implementing method

Also Published As

Publication number Publication date
CN101729550A (en) 2010-06-09

Similar Documents

Publication Publication Date Title
CN101729550B (en) Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof
CN102710633B (en) Cloud security management system of security electronic documents and method
CN103530570B (en) A kind of electronic document safety management system and method
CN101853363B (en) File protection method and system
CN100592313C (en) Electric document anti-disclosure system and its implementing method
JP4759513B2 (en) Data object management in dynamic, distributed and collaborative environments
CN100371847C (en) Method for ciphering and diciphering of file, safety managing storage apparatus and system method thereof
AU2008341026C1 (en) System and method for securing data
CN101547199B (en) Electronic document safety guarantee system and method
CN201682524U (en) Document transfer authority control system based on document filtering driver
CN104834835B (en) A kind of general digital rights protection method under windows platform
CN109063499B (en) Flexible configurable electronic file region authorization method and system
CN102999732A (en) Multi-stage domain protection method and system based on information security level identifiers
US20120233712A1 (en) Method and Device for Accessing Control Data According to Provided Permission Information
CN102799539A (en) Safe USB flash disk and data active protection method thereof
CN104239812A (en) Local area network data safety protection method and system
CN103413100A (en) File security protection system
CN101132275B (en) Safety system for implementing use right of digital content
KR20000000410A (en) System and method for security management on distributed PC
JP2008160485A (en) Document management system, document managing method, document management server, work terminal, and program
CN105205403B (en) Method, the system of control local area network file data based on file filter
KR20100040074A (en) Server and method for preventing information outflow from inside
CN104200173B (en) A kind of electronic document is trusted and method of controlling security and system
JP2008129803A (en) File server, program, recording medium, and management server
KR20070097655A (en) Digital information storage system, digital information security system, method for storing digital information and method for service digital information

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120725

Termination date: 20141109

EXPY Termination of patent right or utility model