
CN120012124A - Digital asset protection system and method - Google Patents


Info

Publication number
CN120012124A
CN120012124A (application CN202411876382.4A)
Authority
CN
China
Prior art keywords
data
user
module
protection
remote desktop
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202411876382.4A
Other languages
Chinese (zh)
Inventor
李高健
陆林
李嘉乐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Xinhao Information Technology Co ltd
Original Assignee
Shanghai Xinhao Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Xinhao Information Technology Co ltd
Priority to CN202411876382.4A
Publication of CN120012124A
Current legal status: Pending

Classifications

    • G06F21/602 Providing cryptographic facilities or services (G Physics; G06 Computing or calculating; counting; G06F Electric digital data processing; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/60 Protecting data)
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords (G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/45 Structures or tools for the administration of authentication)
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures (G06F21/60 Protecting data)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a digital asset protection system and method in the field of data asset protection. The system comprises a data storage encryption unit, a network communication protection unit and a remote desktop control unit. The data storage encryption unit encrypts and decrypts electronic data and manages its storage: for the data placed under protection it configures a data protection key and an encryption and decryption policy, after which the data is encrypted and decrypted automatically on every read and write. The network communication protection unit authenticates and authorizes users. The remote desktop control unit secures the remote desktop so that only authorized users can access and operate it. Together the three units form a multi-layered, all-round digital asset protection architecture that secures data in storage, in transmission and in use, protecting digital assets against leakage and illegal access.

Description

Digital asset protection system and method
Technical Field
The invention belongs to the technical field of data asset protection, and particularly relates to a digital asset protection system and method.
Background
In conventional cloud services a storage server holds the electronic data of an application system (documents, pictures, videos), and consumer cloud drives are commonly used to hold data that exceeds the capacity of a local physical disk. With the steady advance of network intrusion techniques in recent years, data leakage incidents affecting servers and cloud drives, such as the Baidu Cloud Disk (百度云盘) leaks, have become frequent. Once sensitive data such as financial records, private photos or important documents is exposed, the result is not only economic loss but also identity theft, reputational damage and similar serious harm. When an enterprise keeps business secrets or customer data in a cloud drive, a leak can additionally bring serious legal consequences and a crisis of trust. Router-storage devices are another common way to hold large volumes of electronic data (pictures, videos, documents) in one place: they combine a router with storage and let users reach the data on the device remotely over the network. Such products rely on a few key components, namely the integrated router-storage hardware, a cloud management platform, remote-access clients and multi-user rights management. Combining these components lets a home user build and deploy a set of hardware quickly and obtain storage that is reachable at any time and from anywhere. Although the storage in such devices is hardware-based, the network connection remains exposed and can be attacked by brute force.
Conventional cloud storage and physical storage servers generally rely on international cryptographic algorithms to protect data at rest and in transit; as more of these algorithms are broken, the security of the encrypted data is increasingly undermined. Moreover, many applications have cloud storage or physical storage built in, and how to upgrade their security on the existing basis is a thorny problem.
Disclosure of Invention
To solve the above problems of the prior art, the present invention provides a digital asset protection system and method, achieved through the following technical scheme:
A digital asset protection system comprises a data storage encryption unit, a network communication protection unit and a remote desktop control unit.
The data storage encryption unit comprises a key management module, a storage management module, a policy management module and a data encryption and decryption module. The key management module obtains an SM4 key from a national cryptographic (国密, GM) security device and stores it in the system in encrypted form; this key is used to encrypt and decrypt the electronic data. The storage management module obtains the user's data management and protection information, extracts the corresponding protected data and manages its storage. The policy management module configures the data protection key and the encryption and decryption policy for the protected data; once configured, the data is encrypted and decrypted automatically on every read and write.
The network communication protection unit comprises a GM SSL VPN module, a security authentication module and a traffic monitoring protection module. The GM SSL VPN module, built on the GM security device, gives the user confidential and tamper-resistant transmission when accessing home data across the public network; the security authentication module authenticates the user with GM PKI and dynamic password technology; the traffic monitoring protection module listens to network traffic according to the security policy, automatically intercepts risky or abnormal connection requests and data, and sends the user an alarm message when an anomaly is found.
The remote desktop control unit comprises a client, a remote desktop service center, a GM key negotiation module and a multi-factor user authentication module. The client connects to the remote desktop service center through the dial-up function of the built-in GM SSL VPN module and uses that connection for encrypted transfer of and access to stored data; the remote desktop service center applies hierarchical rights management to users' application rights and data rights; the GM key negotiation module establishes the key that encrypts data transferred between the client and the service center; and the multi-factor user authentication module controls login to the client by means of the personal digital certificate and dynamic token issued by the system.
Specifically, the encryption and decryption policy of the policy management module applies a symmetric encryption algorithm to the data exchanged among the client, the data storage encryption unit and the data storage area.
The identity authentication method of the security authentication module is as follows: a digital certificate issued by the system binds the user's identity information to the user's public key; the certification authority (CA) verifies the digital signature on that certificate; if the verification passes, the system sends the user a random string by dynamic password technology; the user signs the random string with the user's private key and returns the result as identity authentication information; and the system identifies the user by checking that signature against the certified public key. The random string is a challenge, so it must be freshly generated for each login and accepted only once; otherwise a captured response could be replayed.
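The challenge-response described above (and the certificate-plus-token login of the remote desktop control unit) can be implemented as follows. This is an added example written for this page, not the applicant's code: Go's standard library has no SM2, so ECDSA over P-256 with SHA-256 stands in for the GM signature algorithm, and the root CA "Home CA", the user name "alice" and the out-of-band delivery of the challenge over the dynamic-password channel are assumptions of the example. What it shows beyond the text is the two checks that turn a signed random string into proof of possession rather than a replayable token: the certificate must chain to the system's own root, and each challenge is consumed on first use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCert creates a certificate for pub signed by caKey; with isCA set it is
// self-signed and becomes the system's root of trust.
func issueCert(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, caKey *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, error) {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Server trusts the root certificate and remembers every challenge it hands
// out, so that each one can be answered at most once.
type Server struct {
	roots   *x509.CertPool
	pending map[string]bool
}

// Challenge returns a fresh 32-byte random string; delivering it to the user
// over the dynamic-password channel is assumed to happen outside this code.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[string(c)] = true
	return c, nil
}

// Authenticate checks that the certificate chains to the trusted root, that the
// challenge is one we issued (and consumes it, so a captured response cannot be
// replayed) and that the signature verifies under the certified public key.
func (s *Server) Authenticate(cert *x509.Certificate, challenge, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: s.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if !s.pending[string(challenge)] {
		return "", errors.New("unknown or already used challenge")
	}
	delete(s.pending, string(challenge))
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("signature does not verify")
	}
	return cert.Subject.CommonName, nil
}

// Client keeps the user's private key on the device and presents the
// certificate the system issued for it at enrolment.
type Client struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// Respond signs the challenge: this is the identity authentication information sent back.
func (c *Client) Respond(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.key, digest[:])
}

// Setup stands up a root CA, a server trusting it and one enrolled user
// ("Home CA" and "alice" are constructed names for the example).
func Setup() (*Server, *Client, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root, err := issueCert("Home CA", &caKey.PublicKey, nil, caKey, true)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := issueCert("alice", &userKey.PublicKey, root, caKey, false)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &Server{roots: pool, pending: map[string]bool{}}, &Client{key: userKey, Cert: leaf}, err
}

func main() {
	srv, cli, _ := Setup()
	ch, _ := srv.Challenge()
	sig, _ := cli.Respond(ch)
	fmt.Println(srv.Authenticate(cli.Cert, ch, sig)) // first use: authenticated as alice
	fmt.Println(srv.Authenticate(cli.Cert, ch, sig)) // replay of the same response: rejected
}
```

A certificate that is self-signed by the user, or signed by any other CA, fails the first check even when the signature over the challenge is valid, which is the property the patent relies on when it binds identity to the public key through a system-issued certificate.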
The security policy of the traffic monitoring protection module matches the traffic data of key nodes at the network boundary and the network gateways (ingress and egress) against a rule base. The rule base comprises normal-traffic baseline rules, security policy rules, anomaly monitoring rules, and device and application rules: the baseline rules define the traffic rate, protocol types and packet sizes seen under normal conditions; the security policy rules encode the organization's policy as allow and deny rules for specific ports and protocols; the anomaly monitoring rules identify the signatures of known attacks, drawing on intrusion detection system and intrusion prevention system rules; and the device and application rules analyse application-layer protocol traffic in depth.
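A minimal matcher for a rule base of this shape, as an added example that is not the patent's implementation. The flow record layout, the thresholds, the 192.168.0.0/16 home prefix, the SQL-injection pattern and the sample flows are all constructed for the example. It shows the four rule groups evaluated together rather than first-match-wins, so the alarm message sent to the user names every rule that fired, and the most severe action (block over alert) deciding what happens to the flow.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Flow is one summarised flow record as a probe at the network boundary or
// gateway might export it (a constructed shape, not a real exporter's format).
type Flow struct {
	Src, Dst  string
	Port      int
	Proto     string  // "tcp", "udp", "icmp", ...
	PacketMax int     // largest packet seen, in bytes
	Rate      float64 // packets per second
	Payload   string  // application-layer excerpt, if the probe decoded one
}

// Rule is one entry of the rule base; Category follows the four groups in the
// patent text and Action is what the module does when the rule fires.
type Rule struct {
	Category, Name, Action string // Action: "alert" or "block"
	Match                  func(Flow) bool
}

// Verdict collects every matching rule; the most severe action wins.
type Verdict struct {
	Action string // "allow", "alert" or "block"
	Hits   []string
}

// RuleBase returns constructed sample rules; thresholds are assumptions.
func RuleBase() []Rule {
	sqli := regexp.MustCompile(`(?i)(union\s+select|or\s+1\s*=\s*1|'\s*--)`)
	inside := func(ip string) bool { return strings.HasPrefix(ip, "192.168.") }
	return []Rule{
		{"baseline", "rate above 5000 pps", "alert", func(f Flow) bool { return f.Rate > 5000 }},
		{"baseline", "packet larger than 1500 bytes", "alert", func(f Flow) bool { return f.PacketMax > 1500 }},
		{"baseline", "protocol outside baseline", "alert", func(f Flow) bool { return f.Proto != "tcp" && f.Proto != "udp" && f.Proto != "icmp" }},
		{"policy", "deny telnet", "block", func(f Flow) bool { return f.Proto == "tcp" && f.Port == 23 }},
		{"policy", "deny SMB from outside the home network", "block", func(f Flow) bool { return f.Proto == "tcp" && f.Port == 445 && !inside(f.Src) }},
		{"anomaly", "ICMP flood signature", "block", func(f Flow) bool { return f.Proto == "icmp" && f.Rate > 1000 }},
		{"application", "SQL injection pattern in decoded HTTP request", "block", func(f Flow) bool { return f.Port == 80 && sqli.MatchString(f.Payload) }},
	}
}

func severity(action string) int {
	return map[string]int{"allow": 0, "alert": 1, "block": 2}[action]
}

// Evaluate runs every rule over the flow instead of stopping at the first hit,
// so the alarm can list every reason; the strongest action decides the fate.
func Evaluate(f Flow, rules []Rule) Verdict {
	v := Verdict{Action: "allow"}
	for _, r := range rules {
		if r.Match(f) {
			v.Hits = append(v.Hits, r.Category+": "+r.Name)
			if severity(r.Action) > severity(v.Action) {
				v.Action = r.Action
			}
		}
	}
	return v
}

// Alarm renders the message sent to the user; it is empty when nothing fired.
func Alarm(f Flow, v Verdict) string {
	if v.Action == "allow" {
		return ""
	}
	return fmt.Sprintf("%s %s->%s:%d/%s (%s)", strings.ToUpper(v.Action), f.Src, f.Dst, f.Port, f.Proto, strings.Join(v.Hits, "; "))
}

// SampleFlows are constructed records: a normal HTTPS session, a telnet attempt,
// an ICMP flood, an injection attempt over HTTP and legitimate SMB from inside.
func SampleFlows() []Flow {
	return []Flow{
		{Src: "203.0.113.7", Dst: "192.168.1.10", Port: 443, Proto: "tcp", PacketMax: 1400, Rate: 40},
		{Src: "203.0.113.9", Dst: "192.168.1.10", Port: 23, Proto: "tcp", PacketMax: 120, Rate: 3},
		{Src: "198.51.100.4", Dst: "192.168.1.10", Port: 0, Proto: "icmp", PacketMax: 64, Rate: 8000},
		{Src: "203.0.113.20", Dst: "192.168.1.10", Port: 80, Proto: "tcp", PacketMax: 900, Rate: 12, Payload: "GET /files?id=1' OR 1=1 --"},
		{Src: "192.168.1.23", Dst: "192.168.1.10", Port: 445, Proto: "tcp", PacketMax: 1500, Rate: 300},
	}
}

func main() {
	rules := RuleBase()
	for _, f := range SampleFlows() {
		v := Evaluate(f, rules)
		fmt.Printf("%-24s %s\n", fmt.Sprintf("%s:%d/%s", f.Src, f.Port, f.Proto), v.Action+" "+strings.Join(v.Hits, "; "))
	}
}
```

The ICMP flood trips both a baseline rule (rate) and an anomaly signature; keeping both hits in the verdict is what lets an analyst tell a genuine attack from a benign burst that only crossed the baseline.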
A digital asset protection method comprises the following steps:
The user initiates a remote desktop connection request through the client, and the client establishes an encrypted connection to the remote desktop service center through the dial-up function of its built-in GM SSL VPN module;
On receiving the connection request, the remote desktop service center applies hierarchical rights management to the user's application rights and data rights according to the user's identity information and rights level, so that the user can reach only authorized data and applications;
After the user has logged in successfully, the GM key negotiation module steps in and negotiates, between the client and the remote desktop service center, the encryption key used for this data transmission;
When the user begins to operate the remote desktop and reads or writes data, the storage management module encrypts and decrypts the data automatically according to the policy configured by the policy management module, securing the data both in storage and in transit;
The traffic monitoring protection module in the network communication protection unit monitors network traffic in real time, matching the traffic at the network boundary and at key gateway nodes against its rules; as soon as abnormal traffic or attack behaviour is found it activates the security policy to intercept it and sends an alarm message to the user;
After the user finishes and disconnects the remote desktop, the system records the operation log for later audit and analysis.
The beneficial effects of the invention are as follows:
The GM key negotiation module ensures that every data transmission uses its own encryption key, which greatly improves security in transit. This dynamic negotiation limits the consequences of key exposure: a key is valid only for its own transmission, so an intercepted key is useless against any other. The multi-factor user authentication module requires not only a password but also the personal digital certificate and the dynamic token, and this combination greatly strengthens authentication: even if the password is cracked, an attacker without the matching certificate and token cannot pass authentication, so the user's account is protected. For data operations, the storage management module encrypts and decrypts data automatically according to the policy configured by the policy management module, which preserves confidentiality and integrity in storage and in transit; automating the process removes the errors and omissions of manual operation and with them the risk of leakage through mishandling.
The system addresses the security of stored electronic data, of sensitive information and of remote access for every member of a user's household. It can be built on existing router-storage equipment by adding only the corresponding GM security device and this system, which keeps the user's cost down; it is compatible with a range of storage devices and network environments, adapts well, and greatly reduces the risk of electronic data leakage.
Drawings
The invention is further described below with reference to the accompanying drawings, for the convenience of those skilled in the art.
FIG. 1 is a schematic diagram of a digital asset protection system of the present invention;
FIG. 2 is a flow chart of data encryption and decryption for the digital asset protection method of the present invention;
FIG. 3 is a flow chart of the GM SSL VPN handshake messages of the digital asset protection method of the present invention;
FIG. 4 is a flow chart of the GM key agreement of the digital asset protection method of the present invention.
Detailed Description
To explain further the technical means and effects adopted by the invention to achieve its aims, the specific implementation, structure, characteristics and effects of the invention are described in detail below with reference to the accompanying drawings and the preferred embodiments.
Referring to FIG. 1, the digital asset protection system comprises a data storage encryption unit, a network communication protection unit and a remote desktop control unit.
The data storage encryption unit comprises a key management module, a storage management module, a policy management module and a data encryption and decryption module. The key management module obtains an SM4 key from a national cryptographic (国密, GM) security device and stores it in the system in encrypted form; this key is used to encrypt and decrypt the electronic data.
The network communication protection unit comprises a GM SSL VPN module, a security authentication module and a traffic monitoring protection module. The GM SSL VPN module, built on the GM security device, gives the user confidential and tamper-resistant transmission when accessing home data across the public network.
The remote desktop control unit comprises a client, a remote desktop service center, a GM key negotiation module and a multi-factor user authentication module. The client connects to the remote desktop service center through the dial-up function of the built-in GM SSL VPN module and uses that connection for encrypted transfer of and access to stored data; the remote desktop service center applies hierarchical rights management to users' application rights and data rights; the GM key negotiation module establishes the key that encrypts data transferred between the client and the service center; and the multi-factor user authentication module controls login to the client by means of the personal digital certificate and dynamic token issued by the system.
In this embodiment the client can be installed on current mainstream desktop and mobile operating systems such as Windows, Linux, Android, iOS and HarmonyOS, and connects to the remote desktop service center in the home through the dial-up function of the built-in GM SSL VPN to encrypt, transfer and access stored data. In the remote desktop service center, different remote desktop access services are opened to different users according to their application rights and data rights, so that each user's access to data is kept to the minimum necessary range. In the GM key negotiation function, the client and the remote desktop service center use the GM key negotiation protocol directly to establish the key that encrypts the data, and that key is used only for the current transmission. In the multi-factor authentication function, each user logs in to the client with the internal personal digital certificate issued by the system and identity verification through a dynamic token, then remotely accesses the encrypted data and the remote desktop in the home, so that the data is protected from unauthorized access. The service provided by this unit suits the scenario of family members sharing information, supports multi-device synchronization and remote desktop access, keeps privacy secure, and serves the daily digital asset management needs of individuals.
Specifically, the encryption and decryption policy of the policy management module is to perform encryption and decryption processing by adopting a symmetric encryption algorithm based on data transmission information of the client, the data storage encryption unit and the data storage area.
In this embodiment, as shown in FIG. 2, the encryption and decryption flow is illustrated with a HarmonyOS application. The encryption and decryption algorithm completes its operations according to the symmetric-key specification. In the storage and transmission scenario, the application calls the symmetric-key API of the HarmonyOS cryptoFramework, generates an AES key of 128-bit length, and creates a Cipher instance with the specification string 'AES128|GCM|PKCS7', i.e. AES-128 as the symmetric key type, GCM as the block mode and PKCS7 as the padding mode; the digital asset protection system performs its encryption and decryption operations with this AES-128/GCM Cipher instance. Constructing this instance is the core of the encryption and decryption operation and is what protects the data in storage and in transit. To strengthen security further, as shown in FIG. 4, an SM2 key agreement procedure of the national cryptographic algorithms generates keys through a key derivation function (KDF): from one master key the KDF derives several sub-keys, each used for a different encryption operation, so that a single key is never reused and the risk of key exposure is reduced. In practice the system selects the appropriate encryption algorithm and key dynamically according to the user's operation. For example, when the user uploads a file to the cloud, the system triggers the encryption flow automatically and encrypts the file with the Cipher instance established above.
Once encrypted, data stored in the cloud cannot be read even if an unauthorized third party obtains it. The system also supports periodic key updates to meet the security challenge of long-term storage: by rotating keys periodically, data encrypted after the rotation stays protected even if an old key is broken, which secures the user's assets over the long term. Combined with a flexible key management strategy this gives users comprehensive data protection: whether personal private information or important files, the data is properly protected in the system, and the user can enjoy the convenience of digital life without worrying about data security.
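The per-transmission key negotiation of the method (the step after login) and the AES-128-GCM Cipher with KDF-derived sub-keys and periodic key update of this embodiment, together in one added example that is not the applicant's code. Go's standard library has neither SM2 nor the HarmonyOS cryptoFramework, so P-256 ECDH stands in for SM2 key agreement and HKDF-SHA256 for the SM3-based KDF; the "master|" and "aes128-gcm|epoch|" labels, the epoch counter and the two-party Exchange helper are assumptions of the example. Two points the text does not spell out: the PKCS7 element of the spec string is irrelevant to GCM, which is a counter mode and pads nothing, but GCM must never see the same (key, nonce) pair twice, so the nonce here is epoch||sequence and the key must rotate before the counter wraps; and a bare key agreement is only as trustworthy as the authentication that precedes it, which is why the method orders certificate login before negotiation (the example assumes that step has already happened).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// hkdf is HKDF-SHA256 (RFC 5869, zero salt). It stands in for the SM3-based
// KDF of SM2 key agreement, which the Go standard library does not provide.
func hkdf(secret, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size))
	ext.Write(secret)
	prk := ext.Sum(nil)
	var out, prev []byte
	for i := byte(1); len(out) < n; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// Session is one end of a client <-> service-center transmission. The master
// secret is negotiated per session; an AES-128 sub-key is derived from it per
// epoch, and the nonce is epoch||sequence so a (key, nonce) pair never repeats.
type Session struct {
	master []byte
	aead   cipher.AEAD
	epoch  uint32
	seq    uint64
}

// Negotiate runs the key agreement (P-256 ECDH here, in place of SM2) and
// binds the resulting master secret to the transcript of both public keys.
func Negotiate(own *ecdh.PrivateKey, peer *ecdh.PublicKey, transcript []byte) (*Session, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	s := &Session{master: hkdf(shared, append([]byte("master|"), transcript...), 32)}
	return s, s.rekey()
}

// rekey derives the AES-128-GCM sub-key for the current epoch; a key from an
// earlier epoch is never reused, which is the embodiment's periodic key update.
func (s *Session) rekey() error {
	info := binary.BigEndian.AppendUint32([]byte("aes128-gcm|epoch|"), s.epoch)
	block, err := aes.NewCipher(hkdf(s.master, info, 16))
	if err != nil {
		return err
	}
	s.aead, err = cipher.NewGCM(block)
	s.seq = 0
	return err
}

// Rotate moves to the next key epoch; both ends rotate in lockstep.
func (s *Session) Rotate() error { s.epoch++; return s.rekey() }

// Seal encrypts one read/write payload. The sequence number is mandatory for
// GCM and the key must rotate before 2^32 messages under one sub-key.
func (s *Session) Seal(plaintext, aad []byte) ([]byte, error) {
	if s.seq >= 1<<32 {
		return nil, errors.New("key epoch exhausted: rotate first")
	}
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[:4], s.epoch)
	binary.BigEndian.PutUint64(nonce[4:], s.seq)
	s.seq++
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open rejects messages from another key epoch and anything tampered with.
func (s *Session) Open(msg, aad []byte) ([]byte, error) {
	if len(msg) < 12 {
		return nil, errors.New("short message")
	}
	if binary.BigEndian.Uint32(msg[:4]) != s.epoch {
		return nil, errors.New("message from another key epoch")
	}
	return s.aead.Open(nil, msg[:12], msg[12:], aad)
}

// Exchange runs one negotiation between a client and the service center; both
// key pairs are generated here, whereas the system takes them from GM devices.
func Exchange() (client, center *Session, err error) {
	cPriv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sPriv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	transcript := append(cPriv.PublicKey().Bytes(), sPriv.PublicKey().Bytes()...)
	if client, err = Negotiate(cPriv, sPriv.PublicKey(), transcript); err != nil {
		return nil, nil, err
	}
	center, err = Negotiate(sPriv, cPriv.PublicKey(), transcript)
	return client, center, err
}

func main() {
	c, s, err := Exchange()
	if err != nil {
		panic(err)
	}
	ct, _ := c.Seal([]byte("photo bytes"), []byte("photo.jpg"))
	pt, err := s.Open(ct, []byte("photo.jpg"))
	fmt.Printf("%s %v\n", pt, err)
}
```

The associated data carries the file name, so a ciphertext copied from one file's slot to another fails authentication; after both ends call Rotate, ciphertexts from the previous epoch are refused, which is the behaviour the embodiment describes for data encrypted before a key update.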
The computer storage media of embodiments of the invention may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium can be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing. Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter case the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The invention is not limited by the preferred embodiments described above. A person skilled in the art will appreciate that the invention may also be embodied as a program that carries out the method described, and that minor modifications, equivalent variations and alterations of the above embodiments which do not depart from the scope of this disclosure remain within that scope.

Claims (10)

1. A digital asset protection system, characterized in that it comprises a data storage encryption unit, a network communication protection unit and a remote desktop control unit; the data storage encryption unit encrypts and decrypts electronic data and manages its storage, configures a data protection key and an encryption and decryption policy for the protected data, after which the data is encrypted and decrypted automatically on read and write operations; the network communication protection unit authenticates and authorizes users; and the remote desktop control unit secures the remote desktop so that only authorized users can access and operate it.
2. The system of claim 1, characterized in that the data storage encryption unit comprises a key management module, a storage management module, a policy management module and a data encryption and decryption module; the key management module obtains an SM4 key from a national cryptographic (国密, GM) security device and stores it in the system in encrypted form for encrypting and decrypting the electronic data; the storage management module obtains the user's data management and protection information, extracts the corresponding protected data according to it and manages its storage; the policy management module configures the data protection key and the encryption and decryption policy for the protected data, which is then encrypted and decrypted automatically on read and write operations.
3. The system of claim 1, characterized in that the network communication protection unit comprises a GM SSL VPN module, a security authentication module and a traffic monitoring protection module; the GM SSL VPN module, built on the GM security device, provides secure, tamper-resistant transmission for users accessing home data over the public network; the security authentication module authenticates users with GM PKI and dynamic password technology; the traffic monitoring protection module monitors network traffic according to the security policy, automatically intercepts risky or abnormal connection requests and data, and sends the user an alarm message when an anomaly is found.
4. The system of claim 1, characterized in that the remote desktop control unit comprises a client, a remote desktop service center, a GM key negotiation module and a multi-factor user authentication module; the client connects to the remote desktop service center through the dial-up function of the built-in GM SSL VPN module for encrypted transmission of and access to stored data; the remote desktop service center applies hierarchical rights management to users' application rights and data rights; the GM key negotiation module provides the encryption key that encrypts data transmitted between the client and the remote desktop service center; and the multi-factor user authentication module controls users' login to the client by means of the personal digital certificate and dynamic token issued by the system.
5. The system of claim 1, characterized in that the encryption and decryption policy of the policy management module applies a symmetric encryption algorithm to the data exchanged among the client, the data storage encryption unit and the data storage area.
6. The system of claim 1, characterized in that the identity authentication method of the security authentication module is: a digital certificate issued by the system to the user binds the user's identity information to the public key; the certification authority verifies the digital signature of the certificate; if verification passes, the system sends the user a random string by dynamic password technology; the user signs the random string with the user's private key and returns it as identity authentication information; and the system identifies the user from that authentication information.
7. The system of claim 1, characterized in that the security policy of the traffic monitoring protection module matches the traffic data of key nodes at the network boundary and the network ingress and egress against a rule base.
8. The system of claim 7, characterized in that the rule base comprises normal traffic baseline rules, security policy rules, anomaly monitoring rules, and device and application rules.
9. The system of claim 8, characterized in that the rule base comprises normal traffic baseline rules, security policy rules, anomaly monitoring rules, and device and application rules; the normal traffic baseline rules define the traffic rate, protocol types and packet sizes under normal conditions; the security policy rules contain the organization's security policy as rules allowing and denying specific ports and protocols; the anomaly monitoring rules identify the signatures of known attacks in combination with intrusion detection system and intrusion prevention system rules; and the device and application rules analyse application-layer protocol traffic in depth.
The system according to claim 8 is characterized in that the rule base includes normal traffic baseline rules, security policy rules, anomaly monitoring rules, equipment and application rules; the normal traffic baseline rules are used to define the traffic rate, protocol type, and data packet size under normal circumstances; the security policy rules contain the organization's security policy, which is used to allow and deny rules for specific ports and protocols; the anomaly monitoring rules combine the rules of intrusion detection systems and intrusion prevention systems to identify the characteristics of known attacks; the equipment and application rules are used to perform in-depth analysis of the traffic of application layer protocols. 10.一种应用于权利要求1-9任一项所述数字资产保护系统的数字资产保护方法,其特征在于,包括:10. A digital asset protection method applied to the digital asset protection system according to any one of claims 1 to 9, characterized in that it comprises: 用户通过客户端发起远程桌面连接请求,客户端通过内置的国密SSL VPN模块拨号功能与远程桌面服务中心建立加密连接;The user initiates a remote desktop connection request through the client, and the client establishes an encrypted connection with the remote desktop service center through the dial-up function of the built-in national secret SSL VPN module; 远程桌面服务中心接收到连接请求后,根据用户的身份信息和权限级别,对用户的应用权限和数据权限进行分级权限管理;After receiving the connection request, the remote desktop service center performs hierarchical permission management on the user's application permissions and data permissions based on the user's identity information and permission level; 在用户成功登录后,国密密钥协商模块介入,与客户端和远程桌面服务中心协商出用于本次数据传输的加密密钥;同时用户身份多因子认证模块要求用户使用系统签发的个人数字证书和动态令牌进行登录验证;After the user successfully logs in, the national secret key negotiation module intervenes and negotiates with the client and the remote desktop service center to determine the encryption key for this data transmission; at the same time, the user identity multi-factor authentication module requires the user to use the personal digital certificate and 
dynamic token issued by the system for login verification; 用户开始操作远程桌面,进行数据的读写操作时,存储管理模块根据策略管理模块配置的加解密策略,自动对数据进行加密和解密处理;When the user starts to operate the remote desktop and reads and writes data, the storage management module automatically encrypts and decrypts the data according to the encryption and decryption policies configured by the policy management module; 网络通信保护单元中的流量监控保护模块实时监控网络流量,对网络边界和出入口的关键节点进行流量数据匹配分析,并向用户发出告警消息;The traffic monitoring protection module in the network communication protection unit monitors network traffic in real time, performs traffic data matching analysis on key nodes at the network boundary and ingress and egress, and sends warning messages to users; 在用户完成操作并断开远程桌面连接后,系统记录本次操作日志。After the user completes the operation and disconnects the remote desktop connection, the system records the operation log.
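The certificate-plus-challenge exchange of claim 6, as an added example that is not part of the patent: the server checks the certificate that binds identity to public key against the CA key, sends a fresh random string, and accepts the identity only if the reply is signed by the key the certificate certifies. Go's P-256 ECDSA stands in for the SM2 signatures an SM device would produce, and the Cert struct is a constructed stand-in for an X.509 certificate; the user name and key handling are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Cert stands in for the personal digital certificate: the CA's signature binds a user identity to a public key.
type Cert struct {
	User  string
	Pub   *ecdsa.PublicKey
	CASig []byte
}
// certDigest is what the CA signs when issuing a Cert: a hash over the identity and the key coordinates.
func certDigest(user string, pub *ecdsa.PublicKey) []byte {
	d := sha256.Sum256(append(append([]byte(user), pub.X.Bytes()...), pub.Y.Bytes()...))
	return d[:]
}
// Signer is the user side: sign the hash of the server's random string with the user's private key.
func Signer(priv *ecdsa.PrivateKey) func([]byte) []byte {
	return func(challenge []byte) []byte {
		d := sha256.Sum256(challenge)
		sig, _ := ecdsa.SignASN1(rand.Reader, priv, d[:])
		return sig
	}
}
// Authenticate is the server side: verify the certificate with the CA key, send a fresh random string,
// verify the signed reply with the certified public key, and only then resolve the user's identity.
func Authenticate(caPub *ecdsa.PublicKey, c Cert, sign func([]byte) []byte) (string, error) {
	if !ecdsa.VerifyASN1(caPub, certDigest(c.User, c.Pub), c.CASig) {
		return "", fmt.Errorf("certificate for %q: CA signature invalid", c.User)
	}
	challenge := make([]byte, 32)
	rand.Read(challenge) // fresh per login so a captured reply cannot be replayed (Read cannot fail on Go 1.24+)
	d := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(c.Pub, d[:], sign(challenge)) {
		return "", fmt.Errorf("user %q: challenge signature does not match the certified key", c.User)
	}
	return c.User, nil
}

func main() {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ := ecdsa.SignASN1(rand.Reader, caKey, certDigest("alice", &userKey.PublicKey)) // the CA issues the cert
	cert := Cert{User: "alice", Pub: &userKey.PublicKey, CASig: sig}
	fmt.Println(Authenticate(&caKey.PublicKey, cert, Signer(userKey)))
}
```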
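The rule-base matching of claims 7 to 9, as an added example not drawn from the patent: a constructed rule base holding the four rule classes (normal traffic baseline, security policy, anomaly monitoring, device and application) is evaluated over constructed flow summaries, and each match becomes an alert for the user. The field names, thresholds, ports and sample addresses are assumptions.

```go
package main

import "fmt"

// Flow is a constructed per-connection summary of the kind a boundary sensor reports.
type Flow struct {
	Src, Proto, App  string  // source address, transport protocol, application protocol found by inspection
	DstPort, PktSize int     // destination port, largest packet seen (bytes)
	RateKBps         float64 // observed transfer rate
}
// RuleBase holds the four rule classes of claims 8 and 9.
type RuleBase struct {
	MaxRateKBps   float64         // baseline: normal traffic rate
	MaxPktSize    int             // baseline: normal packet size
	BaseProtos    map[string]bool // baseline: protocol types present in normal traffic
	DenyPorts     map[int]bool    // security policy: ports the organisation denies
	ScanThreshold int             // anomaly (IDS-style): connections from one source that indicate probing
	AppPorts      map[string]int  // application: the port each application protocol belongs on
}
type Alert struct{ Src, Rule string }
// Evaluate matches every flow against the rule base and returns the alerts to raise to the user.
func Evaluate(rb RuleBase, flows []Flow) []Alert {
	var alerts []Alert
	perSrc := map[string]int{} // connection count per source, for the anomaly rule
	for _, f := range flows {
		if f.RateKBps > rb.MaxRateKBps || f.PktSize > rb.MaxPktSize || !rb.BaseProtos[f.Proto] {
			alerts = append(alerts, Alert{f.Src, "baseline"})
		}
		if rb.DenyPorts[f.DstPort] {
			alerts = append(alerts, Alert{f.Src, "policy"})
		}
		if p, known := rb.AppPorts[f.App]; known && p != f.DstPort {
			alerts = append(alerts, Alert{f.Src, "application"}) // e.g. HTTP carried on a non-HTTP port
		}
		perSrc[f.Src]++
	}
	for src, n := range perSrc {
		if n >= rb.ScanThreshold {
			alerts = append(alerts, Alert{src, "anomaly"})
		}
	}
	return alerts
}
func main() {
	rb := RuleBase{MaxRateKBps: 5000, MaxPktSize: 1500, BaseProtos: map[string]bool{"tcp": true, "udp": true},
		DenyPorts: map[int]bool{23: true}, ScanThreshold: 3, AppPorts: map[string]int{"http": 80}}
	flows := []Flow{{Src: "10.0.0.5", Proto: "tcp", App: "http", DstPort: 8081, PktSize: 1400, RateKBps: 120},
		{Src: "10.0.0.9", Proto: "tcp", DstPort: 22}, {Src: "10.0.0.9", Proto: "tcp", DstPort: 23}, {Src: "10.0.0.9", Proto: "tcp", DstPort: 445}}
	fmt.Println(Evaluate(rb, flows)) // constructed sample: one application, one policy and one anomaly alert
}
```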
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411876382.4A CN120012124A (en) 2024-12-19 2024-12-19 Digital asset protection system and method

Publications (1)

Publication Number Publication Date
CN120012124A true CN120012124A (en) 2025-05-16

Family

ID=95659606

Country Status (1)

Country Link
CN (1) CN120012124A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination