CN104102885A - Kernel filter driver based data security isolation method - Google Patents
Kernel filter driver based data security isolation method Download PDFInfo
- Publication number
- CN104102885A CN104102885A CN201410272385.7A CN201410272385A CN104102885A CN 104102885 A CN104102885 A CN 104102885A CN 201410272385 A CN201410272385 A CN 201410272385A CN 104102885 A CN104102885 A CN 104102885A
- Authority
- CN
- China
- Prior art keywords
- file
- user
- operating system
- driver
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Abstract
The invention belongs to the technical field of computer information security, and particularly relates to an electronic document encryption and decryption method. A kernel filter driver based data security isolation method comprises the following steps: when a user opens a file, executing security check on a process used by the user to open the file by using the kernel driver program and application layer program of an operating system, if the process is not a security process, then refusing to open the file; otherwise, further determining whether the file to be opened by the user is a file protected by encryption or not; If the file is not a file protected by encryption, then opening the file, and reading file data; If the file is a file protected by encryption, then further determining whether the process has a permission to use the file data or not, confirming and opening the file, and reading the file data; or just allowing the process to open the file but not read the file data. According to the kernel filter driver based data security isolation method provided by the invention, an unauthorized user process does not have access to the protected encrypted electronic documents, so that the shortcomings of the existing encryption method are overcome, and the security of the encrypted electronic documents is improved.
Description
Technical field
The invention belongs to computer information safety technique field, particularly electronic document encipher-decipher method.
Background technology
Although conventional electronic document encipher-decipher method has been taked a series of safeguard measure to electronic document, the electronic document of encrypting starts, to thorough deletion, to be kept at all the time on current terminal computer from document creation.As long as obtain these data file encryptions, although be ciphertext mess code, owing to wherein having comprised the full content of primary electron document, so always there is in theory technological means can be reverted to primary electron document expressly.
Summary of the invention
The object of the invention is: a kind of safer encrypted electronic document protection method is provided, effectively ensures encrypted electronic document security.
Technical scheme of the present invention is: a kind of data security partition method driving based on Kernel Filtering, and it uses the client-side program that comprises operating system nucleus driver, application layer program, and a strategic server, and carries out following steps:
A, in the time that user opens file, described operating system nucleus driver obtains the request that user opens file and the process using, and this progress information is sent to described application layer program;
B, described application layer program are obtained security procedure list from described strategic server, user's used process that opens file is carried out to safety check, and check results is returned to described operating system nucleus driver;
If the described check results of C shows user, the used process that opens file is not security procedure, and described operating system nucleus driver is refused this process and opened file; Otherwise carry out D step;
D, described operating system nucleus driver further judge whether the file that user will open is the file that is subject to encipherment protection; If not the file that is subject to encipherment protection, open this file, read this file data, offer user; If be subject to the file of encipherment protection, carry out E step;
This information is returned to described application layer program by E, described operating system nucleus driver, described application layer program is obtained the permissions list of process by described strategic server, judge whether this process has the authority that uses file data, and judged result is returned to described operating system nucleus driver;
If the described judged result of F shows this process and have the authority of file data of use, described operating system nucleus driver shines upon file index and file data, opens this file, reads this file data, offers user; Otherwise allow this process to open file, and file reading data not only provide to user the null file that does not comprise any file data.
The present invention makes unauthorized user process cannot touch protected encrypted electronic document, thereby has overcome the deficiency of existing encipher-decipher method, has improved the security of encrypted electronic document.
Brief description of the drawings
Accompanying drawing 1 is process flow diagram of the present invention.
Embodiment
Referring to accompanying drawing 1, a kind of data security partition method driving based on Kernel Filtering, it uses the client-side program that comprises operating system nucleus driver, application layer program, and a strategic server, and carries out following steps:
A, in the time that user opens file, described operating system nucleus driver obtains the request that user opens file and the process using, and this progress information is sent to described application layer program;
B, described application layer program are obtained security procedure list from described strategic server, user's used process that opens file is carried out to safety check, and check results is returned to described operating system nucleus driver;
If the described check results of C shows user, the used process that opens file is not security procedure, and described operating system nucleus driver is refused this process and opened file; Otherwise carry out D step;
D, described operating system nucleus driver further judge whether the file that user will open is the file that is subject to encipherment protection; If not the file that is subject to encipherment protection, open this file, read this file data, offer user; If be subject to the file of encipherment protection, carry out E step;
This information is returned to described application layer program by E, described operating system nucleus driver, described application layer program is obtained the permissions list of process by described strategic server, judge whether this process has the authority that uses file data, and judged result is returned to described operating system nucleus driver;
If the described judged result of F shows this process and have the authority of file data of use, described operating system nucleus driver shines upon file index and file data, opens this file, reads this file data, offers user; Otherwise allow this process to open file, and file reading data not only provide to user the null file that does not comprise any file data.
Claims (1)
1. the data security partition method driving based on Kernel Filtering, it uses the client-side program that comprises operating system nucleus driver, application layer program, and a strategic server, and carries out following steps:
A, in the time that user opens file, described operating system nucleus driver obtains the request that user opens file and the process using, and this progress information is sent to described application layer program;
B, described application layer program are obtained security procedure list from described strategic server, user's used process that opens file is carried out to safety check, and check results is returned to described operating system nucleus driver;
If the described check results of C shows user, the used process that opens file is not security procedure, and described operating system nucleus driver is refused this process and opened file; Otherwise carry out D step;
D, described operating system nucleus driver further judge whether the file that user will open is the file that is subject to encipherment protection; If not the file that is subject to encipherment protection, open this file, read this file data, offer user; If be subject to the file of encipherment protection, carry out E step;
This information is returned to described application layer program by E, described operating system nucleus driver, described application layer program is obtained the permissions list of process by described strategic server, judge whether this process has the authority that uses file data, and judged result is returned to described operating system nucleus driver;
If the described judged result of F shows this process and have the authority of file data of use, described operating system nucleus driver shines upon file index and file data, opens this file, reads this file data, offers user; Otherwise allow this process to open file, and file reading data not only provide to user the null file that does not comprise any file data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410272385.7A CN104102885A (en) | 2014-06-19 | 2014-06-19 | Kernel filter driver based data security isolation method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410272385.7A CN104102885A (en) | 2014-06-19 | 2014-06-19 | Kernel filter driver based data security isolation method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN104102885A true CN104102885A (en) | 2014-10-15 |
Family
ID=51671028
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410272385.7A Pending CN104102885A (en) | 2014-06-19 | 2014-06-19 | Kernel filter driver based data security isolation method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104102885A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110232261A (en) * | 2019-06-03 | 2019-09-13 | 浙江大华技术股份有限公司 | Operating method, document handling apparatus and the equipment with store function of APMB package |
| CN111339543A (en) * | 2020-02-27 | 2020-06-26 | 深信服科技股份有限公司 | File processing method and device, equipment and storage medium |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6477544B1 (en) * | 1999-07-16 | 2002-11-05 | Microsoft Corporation | Single instance store for file systems |
| US20030056095A1 (en) * | 2001-09-14 | 2003-03-20 | International Business Machines Corporation | Securing decrypted files in a shared environment |
| CN101853363A (en) * | 2010-05-07 | 2010-10-06 | 北京飞天诚信科技有限公司 | File protection method and system |
| CN101901313A (en) * | 2010-06-10 | 2010-12-01 | 中科方德软件有限公司 | Linux file protection system and method |
| CN102185836A (en) * | 2011-04-15 | 2011-09-14 | 哈尔滨工业大学 | Standalone electronic document protection system based on information stream model |
| CN102194074A (en) * | 2011-04-26 | 2011-09-21 | 北京思创银联科技股份有限公司 | Computer protection method based on process right |
| CN103476025A (en) * | 2012-06-08 | 2013-12-25 | 中国电信股份有限公司 | Progress management method, progress management system and mobile terminal |
-
2014
- 2014-06-19 CN CN201410272385.7A patent/CN104102885A/en active Pending
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6477544B1 (en) * | 1999-07-16 | 2002-11-05 | Microsoft Corporation | Single instance store for file systems |
| US20030056095A1 (en) * | 2001-09-14 | 2003-03-20 | International Business Machines Corporation | Securing decrypted files in a shared environment |
| CN101853363A (en) * | 2010-05-07 | 2010-10-06 | 北京飞天诚信科技有限公司 | File protection method and system |
| CN101901313A (en) * | 2010-06-10 | 2010-12-01 | 中科方德软件有限公司 | Linux file protection system and method |
| CN102185836A (en) * | 2011-04-15 | 2011-09-14 | 哈尔滨工业大学 | Standalone electronic document protection system based on information stream model |
| CN102194074A (en) * | 2011-04-26 | 2011-09-21 | 北京思创银联科技股份有限公司 | Computer protection method based on process right |
| CN103476025A (en) * | 2012-06-08 | 2013-12-25 | 中国电信股份有限公司 | Progress management method, progress management system and mobile terminal |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110232261A (en) * | 2019-06-03 | 2019-09-13 | 浙江大华技术股份有限公司 | Operating method, document handling apparatus and the equipment with store function of APMB package |
| CN111339543A (en) * | 2020-02-27 | 2020-06-26 | 深信服科技股份有限公司 | File processing method and device, equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP6941146B2 (en) | Data security service | |
| CN103189872B (en) | Safety in networked environment and the effectively method and apparatus of Content Selection | |
| KR101475462B1 (en) | System for synchronizing cloud storage and files encrypted with an encryption key of the user | |
| KR101928913B1 (en) | Systems and methods for detecting sensitive information leakage while preserving privacy | |
| US9391980B1 (en) | Enterprise platform verification | |
| JP6678457B2 (en) | Data security services | |
| CN106100836B (en) | A kind of method and system of industrial user's authentication and encryption | |
| CN103581196B (en) | Distributed document transparent encryption method and transparent decryption method | |
| CN105117635B (en) | A kind of safety system and method for local data | |
| CN104794388B (en) | application program access protection method and application program access protection device | |
| CN105740725A (en) | File protection method and system | |
| WO2018213239A1 (en) | Stacked encryption | |
| WO2021016205A1 (en) | Computer file security using extended metadata | |
| CN105989304A (en) | File storage method, file reading method, file storage apparatus and file reading apparatus | |
| CN104102885A (en) | Kernel filter driver based data security isolation method | |
| GB201305600D0 (en) | Security | |
| WO2018033017A1 (en) | Terminal state conversion method and system for credit granting | |
| KR101630462B1 (en) | Apparatus and Method for Securing a Keyboard | |
| CN105376242A (en) | Cloud terminal data access authentication method, cloud terminal data access authentication system and cloud terminal management system | |
| Dan et al. | Toward an AI chatbot-driven advanced digital locker | |
| CN110474930B (en) | Information transmission-based secure interaction method and device | |
| CN105681341A (en) | Security configuration method of Tomact cipher suite of SSR | |
| KR20170053459A (en) | Encryption and decryption method for protecting information | |
| CN110263553B (en) | Database access control method and device based on public key verification and electronic equipment | |
| KR101473410B1 (en) | Method for Accessing Recording Area of Digital Certificate |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WD01 | Invention patent application deemed withdrawn after publication | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20141015 |