
CN1889426B - Method and system for realizing network safety storing and accessing - Google Patents


Info

Publication number
CN1889426B
Authority
CN
China
Prior art keywords
client
server
key
information
file package
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CN2005100805849A
Other languages
Chinese (zh)
Other versions
CN1889426A (en)
Inventor
杨文兵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lenovo Beijing Ltd
Priority to CN2005100805849A
Publication of CN1889426A
Application granted
Publication of CN1889426B
Anticipated expiration
Legal status: Expired - Lifetime (current)

Landscapes

  • Storage Device Security (AREA)

Abstract

This invention discloses a method for realizing secure network storage and access. A key device holding user identification information is configured in advance, and the server generates a corresponding file package from that information and stores it. The method comprises the following steps: a. when the key device is connected to a client, the client sends the identification information held in the device to the server, which verifies the user identification; b. the client maps the file package on the server associated with that user onto the local client; c. the client processes the information mapped onto it and transmits the processed information to the file package on the server. The invention also discloses a system for realizing secure storage and access.

Description

A method and system for realizing secure network storage and access

Technical field

The present invention relates to the field of computer security, and more specifically to a method and system for realizing secure network storage and access.

Background

As society continues to develop, competition in every industry grows ever fiercer. Reducing costs and improving work efficiency in this competitive environment has become one of the goals every enterprise pursues.

For example, almost every company today needs to provide its employees with computers, yet not every employee actually needs a computer every day; this is especially true of sales staff, who only use a computer on their occasional visits to the office. To raise computer utilisation and reduce costs, companies therefore often provide one computer for every 4 to 5 employees. A company of 20 people then needs only 4 to 5 shared computers to meet ordinary office requirements.

If one computer is shared among several employees, however, it can happen that two or more employees assigned to the same computer both need a computer at the office while another computer sits idle. For one of them to use the idle computer, he must copy his own data onto it or set his data up as a shared file. This is clearly very cumbersome in practice, and the security of the data cannot be guaranteed either: the data may well be leaked during the transfer, for example.

For this reason many companies set up a server to store employees' data files, so that each employee can use any computer to retrieve his own data stored on the server. This approach has security problems of its own, however. In a conventional shared data directory, the user data stored on the server is unencrypted, so an attacker who compromises the server can carry off the original data, causing serious loss to users and the company. Moreover, when data is stored to the server over the network in this way, it may also be leaked in transit.

Summary of the invention

In view of this, the main problem the present invention seeks to solve is to provide a method for realizing secure network storage and access, so that users can access a server safely and conveniently from a computer.

The present invention also provides a system for realizing secure network storage and access.

To solve the above problems, the present invention provides the following technical solutions:

In a method for realizing secure network storage and access according to the present invention, a key device is configured in advance, the key device storing identification information of a user's identity; the server side generates a corresponding file package according to that identification information and stores the user identification information. The method further comprises the following steps:

a. When the key device is connected to a client, the client sends the user identification information held in the key device to the server, and the server verifies the received user identification;

b. After the server's verification succeeds, the client maps the file package in the server associated with that user onto the client, and determines whether the user's access is directed at that file package; if so, step c is performed;

c. The client processes the information in the file package mapped onto it and sends the processed information to the file package in the server.

The user identification information stored in the key device is a public key.

The step in which the server side generates the corresponding file package according to the user identification information and stores that information comprises: generating the corresponding file package according to the user identification information, allocating a symmetric key to the file package, encrypting the file package with that symmetric key, then encrypting the symmetric key with the public key, and storing the file package, the user's public key and the encrypted symmetric key;

In step b, the client mapping the file package associated with the user onto the client comprises: the client obtains the encrypted symmetric key from the server and recovers the original symmetric key by decryption, then downloads the user's file package from the server, decrypts it with the recovered symmetric key, and maps the decrypted file package onto the client;

In step c, the client sending the processed information to the file package in the server means: the client encrypts the processed information with the symmetric key obtained in step b and sends the encrypted information to that file package.

In step b, the client recovering the original symmetric key by decryption is:

the client obtains the public key from the key device and decrypts the encrypted symmetric key with that public key;

or the client sends the encrypted symmetric key to the key device, and the key device decrypts it with the public key it holds.

A private key is further stored in the key device;

in step b, the client recovering the original symmetric key by decryption is:

the client obtains the private key from the key device and decrypts the encrypted symmetric key with that private key;

or the client sends the encrypted symmetric key to the key device, the key device decrypts it with the private key to recover the original symmetric key, and sends the symmetric key to the client.

In step a, the server verifying the received user identification comprises: the client sends the public key to the server, and the server checks whether that public key is present in the user identification information it holds; if it is, verification is deemed to have passed, otherwise it is deemed to have failed.

A private key is further stored in the key device;

in step a, before the server determines that verification has passed, the method further comprises:

a1. The server generates a long number, encrypts it with the public key, and transmits the encrypted long number to the client;

a2. The client decrypts the encrypted long number with the private key in the key device to obtain the long number, generates a signature over the long number with the private key, and sends the signature to the server;

a3. The server verifies the signature with the public key; if it is correct, verification is deemed to have passed, otherwise it is deemed to have failed.

In step b, the client mapping the relevant file package in the server onto the client is: mapping the relevant file package in the server as a virtual disk in the client;

in step c, the client processing the information in the file package mapped onto it comprises: processing the information through the driver of that virtual disk.

After step c, the method further comprises: after the key device is detached from the client, notifying the server to close the file package mapped onto that client.

A system for realizing secure network storage and access according to the present invention comprises a key device, a client and a server, wherein:

the key device stores user identification information and is used to send the user identification information it holds to the server;

the client is used, when the key device is connected, to have the server verify the user identification in the key device and, after the server's verification succeeds, to map the file package in the server associated with that user onto the client, to determine whether the user's access is directed at that file package and, if so, to process the information in the file package;

the server is used to store user identification information, to allocate the corresponding file package to each user, to verify the user identification information in the key device and, after verification succeeds, to send the information in the corresponding file package to the client.

The client is further used to map the file package in the server associated with the user as a virtual disk or virtual directory in the client;

the client comprises a user identification confirmation module, an access control module and a network virtual drive module, wherein:

the user identification confirmation module is used to send the user identification in the key device to the server, receive the verification result returned by the server, and pass the verification result to the access control module;

the access control module is used, after receiving a verification-passed result, to forward received access requests for the virtual disk or virtual directory to the network virtual drive module;

the network virtual drive module is used to obtain the information in the corresponding file package on the server according to the access request and to process that information accordingly.

The file package stored in the server is an encrypted file package;

the network virtual drive module further comprises an encryption/decryption module, used to decrypt data read from the virtual disk and to encrypt data written to the virtual disk.

The server comprises a user information storage module and a user identification verification module, wherein:

the user information storage module is used to store user identification information and to allocate the corresponding file package to each user;

the user identification verification module is used to verify the user identification information in the key device, send the verification result to the client and, after verification succeeds, send the information in the corresponding file package to the client.

The user information storage module is further used to generate a symmetric key, encrypt the file package with that symmetric key, and send the symmetric key to the client;

the client is further used to decrypt information read from the file package and to encrypt information written to the file package using that symmetric key.

In the solution of the present invention, a key device storing user identification information is configured in advance, the server generates a corresponding file package according to that user identification information and stores the information, and once the key device is inserted into a client, the client has the server verify the user identification information in the key device. After verification succeeds the corresponding file package is mapped onto the client, the client processes the information in the file package according to the user's needs, and the processed information is sent back to the corresponding file package on the server. Users can thus read the information on the server from different terminals, and because the server must verify the user's key device before it permits read operations, security is good.

Moreover, the solution of the present invention only requires the user to register the key device with the server once; thereafter the corresponding file package in the server can be read and written from any client connected to that server. When the user has finished, he need only pull out the key device and the client automatically closes the encrypted file, so that even someone else logging on to the same PC cannot see the user's documents.

In addition, the solution of the present invention can encrypt the file package in the server with a symmetric key and encrypt the symmetric key for transmission using the user's identification information, further ensuring the security of data transmission and access.

The key operations used in the solution of the present invention may be symmetric-key operations, asymmetric-key operations or other key operations, and they may be performed on the client or in the key device; that is, the solution provides several ways of carrying out the key operations.

Brief description of the drawings

Fig. 1 is a flowchart of the implementation of the solution of the present invention;

Fig. 2 is a schematic diagram of the logical implementation of a specific embodiment of the solution of the present invention;

Fig. 3 is a block diagram of the system of the solution of the present invention.

Detailed description

As shown in Fig. 1, the solution of the present invention comprises the following steps:

Step 101: configure the key device in advance.

The key device stores user identification information used to identify the user. This identification information may be a public key.

Step 102: the server side stores the user identification information held in the key device and generates, on the server side, a file package corresponding to that user identification information. For security, the user identification information and the corresponding file package must be kept separately.

To transmit the information in the file package in encrypted form, the server may allocate a symmetric key to each file package and encrypt the file package with it. To ensure that the client can obtain the symmetric key while no other client can, the symmetric key may additionally be encrypted with the public key and stored in encrypted form. The server may of course also delete a stored public key and its associated information as required.

Alternatively, the symmetric key may be allocated by the key device and sent to the server, which then encrypts the file package with it. To protect the symmetric key, the key device may encrypt the symmetric key with the public key and send the encrypted symmetric key to the server, and the server decrypts the symmetric key according to that public key.

Step 103: when the key device is connected to a client, the client sends the user identification information held in the key device to the server, and the server verifies the received user identification.

If the client merely sends user identification information such as the public key to the server, the server can check whether the identification information sent by the client is present in the user identification information it holds; if it is, verification is deemed to have passed, otherwise to have failed.

Of course, if the user identification information in the key device is a public key and the key device also holds a private key, then after confirming that it holds the user's identification information the server can additionally generate a long number, encrypt it with the public key and transmit the encrypted long number to the client; the client decrypts the encrypted long number with the private key in the key device to obtain the long number, generates a signature over it with the private key, and sends the signature to the server; the server verifies the signature with the corresponding public key and, if it is correct, deems verification to have passed, otherwise to have failed.
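The challenge-response exchange just described (steps a1 to a3, in the variant where the key device holds a private key), written out as an added example in Go with both sides' messages; it is not code from the patent or from Lenovo. The algorithm choices are this example's own assumptions, since the description fixes none: RSA-2048 with OAEP for encrypting the long number and PSS for the signature, a 32-byte random value as the "long number", and a map of registered public keys standing in for the server's stored identification information.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyDevice stands in for the user's key device (asymmetric variant of steps
// a1-a3): the private key never leaves it; the client only asks it to work.
type KeyDevice struct{ priv *rsa.PrivateKey }

// NewKeyDevice generates the key pair held on the device (step 101).
func NewKeyDevice() (*KeyDevice, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyDevice{priv: priv}, nil
}

// PublicKey is the user identification information the device presents.
func (d *KeyDevice) PublicKey() *rsa.PublicKey { return &d.priv.PublicKey }

// DecryptAndSign is step a2: recover the long number with the private key and
// sign it (RSA-OAEP and RSA-PSS are this example's choice of algorithms).
func (d *KeyDevice) DecryptAndSign(encNumber []byte) ([]byte, error) {
	number, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.priv, encNumber, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(number)
	return rsa.SignPSS(rand.Reader, d.priv, crypto.SHA256, digest[:], nil)
}

// Server keeps the registered public keys (its stored identification information).
type Server struct{ registered map[string]*rsa.PublicKey }

func NewServer() *Server { return &Server{registered: map[string]*rsa.PublicKey{}} }

// keyID is the lookup key for a public key; the scheme is this example's own.
func keyID(pub *rsa.PublicKey) string { return fmt.Sprint(pub.N, ":", pub.E) }

// Register stores a user's public key (the "save the identification" of step 102).
func (s *Server) Register(pub *rsa.PublicKey) { s.registered[keyID(pub)] = pub }

// Login is the server's per-attempt state: the registered key that was
// presented and the random long number it must see signed.
type Login struct {
	pub    *rsa.PublicKey
	number []byte
}

// Challenge is the lookup of step a plus step a1: reject an unregistered key,
// otherwise draw a fresh 32-byte number and encrypt it to the stored key.
func (s *Server) Challenge(pub *rsa.PublicKey) (*Login, []byte, error) {
	stored, ok := s.registered[keyID(pub)]
	if !ok {
		return nil, nil, errors.New("public key not registered")
	}
	number := make([]byte, 32)
	if _, err := rand.Read(number); err != nil {
		return nil, nil, err
	}
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, stored, number, nil)
	if err != nil {
		return nil, nil, err
	}
	return &Login{pub: stored, number: number}, enc, nil
}

// Verify is step a3: the signature must cover the number issued for this
// login. A Login is single-use, so a captured signature cannot be replayed.
func (s *Server) Verify(l *Login, sig []byte) bool {
	if l.number == nil {
		return false
	}
	digest := sha256.Sum256(l.number)
	l.number = nil
	return rsa.VerifyPSS(l.pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	dev, _ := NewKeyDevice()
	srv := NewServer()
	srv.Register(dev.PublicKey())
	login, enc, _ := srv.Challenge(dev.PublicKey())
	sig, _ := dev.DecryptAndSign(enc)
	fmt.Println("verified:", srv.Verify(login, sig))
}
```

Two points the description leaves implicit are made explicit here: the membership lookup in `Challenge` is the plain step-a check, while the signature check in `Verify` is what proves possession of the private key rather than mere knowledge of the public key; and because the long number is drawn fresh per attempt and consumed on verification, a signature captured in transit is bound to one login and cannot be presented again.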

Step 104: after the server's verification succeeds, the client maps the file package in the server associated with the user onto the client.

If the file package generated in step 102 was encrypted with a symmetric key, then when mapping the relevant file package from the server the client must also obtain the corresponding symmetric key, decrypt the information in the file package with it, and then map the decrypted file package onto the client. The user can then read, modify and save the data in the file package. The client re-encrypts the modified data with the symmetric key and sends it to the server.

As for obtaining the symmetric key: if the server has encrypted the symmetric key, the client must also decrypt it. If a symmetric encryption algorithm is used, the client may obtain the public key directly from the key device and decrypt the symmetric key with it, or send the encrypted symmetric key to the key device, which decrypts it with the public key it holds. If an asymmetric encryption algorithm is used, the key device must hold a private key; the client may obtain the private key directly from the key device and decrypt with it, or send the symmetric key to the key device, which decrypts it with the private key it holds.
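An added example in Go (not code from the patent or from Lenovo) of the server-side provisioning of step 102 together with the client-side mapping of step 104 and the write-back of step 105, in the asymmetric variant where the key device holds the private key. The algorithms and the record layout are this example's assumptions, since the description fixes none: AES-256-GCM for the file package, RSA-OAEP to wrap the symmetric key with the user's public key, and a `FilePackage` struct holding the three items the description says the server stores (encrypted package, public key, wrapped key).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewUserKey generates the key pair that the user's key device holds (step 101).
func NewUserKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// newGCM builds an AES-256-GCM AEAD; the cipher is this example's choice.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts a package body and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail on current Go
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a modified package fails the authentication-tag check.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed package too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// FilePackage is the server's per-user record after step 102.
type FilePackage struct {
	Pub        *rsa.PublicKey // the user's public key
	WrappedKey []byte         // symmetric key encrypted with Pub
	Sealed     []byte         // file package encrypted with the symmetric key
}

// Provision is step 102 on the server: allocate a symmetric key, encrypt the
// initial contents with it, and wrap the key for the user (RSA-OAEP here).
func Provision(pub *rsa.PublicKey, initial []byte) (*FilePackage, error) {
	key := make([]byte, 32)
	rand.Read(key)
	sealed, err := seal(key, initial)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &FilePackage{Pub: pub, WrappedKey: wrapped, Sealed: sealed}, nil
}

// MapPackage is step 104 (asymmetric variant): the key device unwraps the
// symmetric key with its private key, then the client decrypts the package.
// It returns the session key and the plaintext the virtual disk would expose.
func MapPackage(priv *rsa.PrivateKey, pkg *FilePackage) ([]byte, []byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, pkg.WrappedKey, nil)
	if err != nil {
		return nil, nil, fmt.Errorf("unwrap symmetric key: %w", err)
	}
	data, err := open(key, pkg.Sealed)
	if err != nil {
		return nil, nil, fmt.Errorf("decrypt package: %w", err)
	}
	return key, data, nil
}

// Save is step 105 (step c): re-encrypt the modified contents with the same
// symmetric key and send only ciphertext back to the server-side package.
func Save(key []byte, pkg *FilePackage, data []byte) error {
	sealed, err := seal(key, data)
	if err != nil {
		return err
	}
	pkg.Sealed = sealed
	return nil
}

func main() {
	priv, _ := NewUserKey()
	pkg, _ := Provision(&priv.PublicKey, []byte("quarterly report: draft"))
	_, data, err := MapPackage(priv, pkg)
	fmt.Printf("mapped contents: %q (err=%v)\n", data, err)
}
```

Because the package is only ever stored and transmitted under the symmetric key, and the symmetric key only under the user's public key, the server record never contains plaintext and another user's device cannot unwrap the key; the GCM tag additionally makes a package altered on the server fail to decrypt rather than yield changed data. On removal of the key device (the step after c), the client would discard `key` and the decrypted contents in addition to notifying the server.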

In this step, the file package may be mapped onto the client either as a directory or as a disk. In either case the mapping is virtual: the directory or disk does not actually exist on the client, so the information in it must be obtained through a corresponding virtual driver in the client; that is, the virtual driver interacts with the server to obtain the information in the corresponding file package on the server.

Taking mapping as a disk as an example, the solution of the present invention installs a filter above or below the client's hard-disk device object, and the filter constrains the client's existing hard disk: it determines whether the user's access is directed at the existing hard disk or at the virtual disk. If it is directed at the virtual disk, the corresponding virtual disk driver is started and generates the corresponding access request, and the client's network service then maps that access request to an access to data at a specific location in a specific file package on the server.

Step 105: the client performs reading, writing and other processing on the information in the file package mapped onto it, and sends the processed information to the file package in the server.

In this step, the client reads and writes the information on the server through the corresponding mapping driver.

Secure network storage and access are realized through the above steps.

Fig. 2 is a logical diagram of the present invention's setting up and accessing of a user's file package based on a public key and a private key.

In addition, if the key device is pulled out of the client, the client must notify the server to close the file package mapped onto that client.

As can be seen from the above description, the system corresponding to the solution provided by the present invention comprises a key device, a client and a server, as shown in Fig. 3.

The key device must store the user identification information, which may be a public key. It may further store a private key which, as described above, is used to obtain the symmetric key by an asymmetric cryptographic operation and for stricter verification on the server side. The key device may also have computing and key-generation functions, so besides independent storage space it needs a chip capable of computation. The functions of the key device are as described above and are not repeated here. The key device may have a USB port and interact with the PC through it.

On the client side, the server's file package is usually mapped locally as a virtual disk or virtual directory. To provide access to it, the client usually comprises a user identification confirmation module, an access control module and a network virtual drive module. The user identification confirmation module sends the user identification in the key device to the server, receives the verification result the server returns, and passes it to the access control module; the access control module receives access requests for the virtual disk and, once it has received a verification-passed result from the server, forwards them to the network virtual drive module; the network virtual drive module presents the information in the corresponding file package on the server according to the access request.

Since the user usually needs to read and write the information in the virtual disk or virtual directory, the network virtual drive module may further contain a network read/write module that reads and writes the data in the file package on the server. And since the file package stored on the server is usually encrypted, the network virtual drive module also needs an encryption/decryption module, which decrypts the data the network read/write module reads and encrypts the data it writes.

The server must at least comprise a user information storage module and a user identification verification module. The user information storage module stores the user identification information and the file package allocated to the user; the user identification verification module verifies the user identification information in the key device, sends the verification result to the client and, after verification succeeds, sends the information in the corresponding file package to the client. The server may also have functions for generating a symmetric key, encrypting the file package with it and sending it to the client, and encrypting the symmetric key with the public key; all of these may be placed in the user information storage module.

The above are merely preferred embodiments of the solution of the present invention and are not intended to limit its scope of protection.

Claims (14)

1. A method for realizing network security storage and access, characterized in that a key device is configured in advance, the key device stores identification information of the user identity, and the server side generates a corresponding file package according to the user identity identification information and saves the user identity identification information; the method further comprises the following steps:
a. when the key device is connected to the client, the client sends the user identity identification information from the key device to the server, and the server verifies the received user identity identification;
b. after the server verification passes, the client maps the file package in the server related to the user to the local client; it is determined whether the user's access is directed at the file package in the server related to the user, and if so, step c is executed;
c. the client processes the information in the file package mapped to the local client, and sends the processed information to the file package in the server.

2. The method according to claim 1, characterized in that the user identity identification information stored in the key device is a public key.

3. The method according to claim 2, characterized in that the step in which the server side generates the corresponding file package according to the user identity identification information and saves the user identity identification information comprises: generating the corresponding file package according to the user identity identification information, allocating a symmetric key to the file package, encrypting the file package with the symmetric key, then encrypting the symmetric key with the public key, and saving the file package, the user's public key and the encrypted symmetric key;
in step b, the client mapping the file package related to the user to the local client comprises: the client obtains the encrypted symmetric key from the server, obtains the pre-encryption symmetric key through decryption processing, then downloads the file package related to the user from the server, decrypts the file package with the obtained symmetric key, and maps the decrypted file package to the local client;
in step c, the client sending the processed information to the file package in the server is: the client encrypts the processed information with the symmetric key obtained in step b and sends the encrypted information to the file package in the server.

4. The method according to claim 3, characterized in that in step b, the client obtaining the pre-encryption symmetric key through decryption processing is:
the client obtains the public key from the key device and decrypts the encrypted symmetric key with that public key;
or the client sends the encrypted symmetric key to the key device, and the key device decrypts the encrypted symmetric key with the public key it stores.

5. The method according to claim 3, characterized in that a private key is further stored in the key device;
in step b, the client obtaining the pre-encryption symmetric key through decryption processing is:
the client obtains the private key from the key device and decrypts the encrypted symmetric key with that private key;
or the client sends the encrypted symmetric key to the key device, the key device decrypts the encrypted symmetric key with the private key to obtain the pre-encryption symmetric key, and sends the symmetric key to the client.

6. The method according to claim 2, characterized in that in step a, the server verifying the received user identity identification comprises: the client sends the public key to the server, and the server determines whether that public key exists in the user identity identification information it stores; if so, the verification is determined to have passed, otherwise the verification is determined to have failed.

7. The method according to claim 6, characterized in that a private key is further stored in the key device;
in step a, before the server determines that the verification has passed, the method further comprises:
a1. the server generates a long number, encrypts the long number with the public key, and transmits the encrypted long number to the client;
a2. the client decrypts the encrypted long number with the private key in the key device to obtain the corresponding long number, generates a signature of the long number with the private key, and then sends the signature to the server;
a3. the server verifies with the public key whether the signature is correct; if it is correct, the verification is determined to have passed, otherwise the verification is determined to have failed.

8. The method according to claim 1, characterized in that in step b, the client mapping the related file package in the server to the local client is: mapping the related file package in the server as a virtual disk in the local client;
in step c, the client processing the information in the file package mapped to the local client comprises: processing the information through the driver of the virtual disk.

9. The method according to claim 1, characterized in that after step c the method further comprises: after the key device is separated from the client, notifying the server to close the file package mapped to the local client.

10. A system for realizing network security storage and access, characterized in that the system comprises a key device, a client and a server, wherein:
the key device stores user identity identification information and is used to send the user identity identification information it stores to the server;
the client is used to verify the user identity identification in the key device through the server when the key device is connected, to map the file package in the server related to the user to the local client after the server verification passes, and to determine whether the user's access is directed at the file package in the server related to the user and, if so, to process the information in the file package in the client;
the server is used to store user identity identification information, allocate the corresponding file package to the user, verify the user identity identification information in the key device, and send the information in the corresponding file package to the client after the verification passes.

11. The system according to claim 10, characterized in that the client is further used to map the file package in the server related to the user as a virtual disk or virtual directory in the local client;
the client comprises a user identity identification confirmation module, an access control module and a network virtual driver module, wherein:
the user identity identification confirmation module is used to send the user identity identification in the key device to the server, receive the verification information returned by the server, and send the verification information to the access control module;
the access control module is used, after receiving the verification-passed information, to send received access requests directed at the virtual disk or virtual directory to the network virtual driver module;
the network virtual driver module is used to obtain the information in the corresponding file package of the server according to the access request and to process that information accordingly.

12. The system according to claim 11, characterized in that the file package stored in the server is an encrypted file package;
the network virtual driver module further comprises an encryption and decryption module, used to perform decryption operations on data read from the virtual disk and encryption operations on data written to the virtual disk.

13. The system according to claim 10, characterized in that the server comprises a user information storage module and a user identity identification verification module, wherein:
the user information storage module is used to store user identity identification information and allocate the corresponding file package to the user;
the user identity identification verification module is used to verify the user identity identification information in the key device, send the verification information to the client, and send the information in the corresponding file package to the client after the verification passes.

14. The system according to claim 13, characterized in that the user information storage module is further used to generate a symmetric key, encrypt the file package with the symmetric key, and send the symmetric key to the client;
the client is further used to decrypt, with the symmetric key, the information read from the file package, and to encrypt the information written to the file package.
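As an added illustration of the challenge-response in claim 7 (steps a1 to a3) and of the wrapped package key of claims 3 and 5, written for this page and not part of the patent's text: a Go sketch using only the standard library. The claims name no algorithms, so RSA-OAEP for the public-key encryption, RSA-PSS over SHA-256 for the signature and a 32-byte package key are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Enroll (claim 3): the server generates the symmetric package key, wraps it
// under the device public key (RSA-OAEP assumed) and stores only the wrapped
// copy; the raw key is returned here solely so a test can compare it.
func Enroll(pub *rsa.PublicKey) (wrapped, pkgKey []byte, err error) {
	pkgKey = make([]byte, 32)
	if _, err = rand.Read(pkgKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pkgKey, nil)
	return wrapped, pkgKey, err
}

// Challenge (step a1): the server draws a random "long number", keeps the
// plaintext, and sends the public-key-encrypted copy to the client.
func Challenge(pub *rsa.PublicKey) (nonce, enc []byte, err error) {
	nonce = make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	enc, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, nil)
	return nonce, enc, err
}

// Respond (step a2): the key device decrypts the challenge with its private
// key and signs the recovered number (RSA-PSS over SHA-256 assumed).
func Respond(priv *rsa.PrivateKey, enc []byte) ([]byte, error) {
	nonce, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, enc, nil)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify (step a3): the server checks the signature against the nonce it
// issued in this session, so a signature captured earlier does not verify.
func Verify(pub *rsa.PublicKey, nonce, sig []byte) bool {
	h := sha256.Sum256(nonce)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// Unwrap (claim 5, step b): after authentication the client recovers the
// package key with the device private key before decrypting the file package.
func Unwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}
```

The server never learns the private key: it only holds the public key and the wrapped package key, and a response is accepted only if it verifies against the nonce generated for the current session.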
CN2005100805849A 2005-06-30 2005-06-30 Method and system for realizing network safety storing and accessing Expired - Lifetime CN1889426B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2005100805849A CN1889426B (en) 2005-06-30 2005-06-30 Method and system for realizing network safety storing and accessing


Publications (2)

Publication Number Publication Date
CN1889426A CN1889426A (en) 2007-01-03
CN1889426B true CN1889426B (en) 2010-08-25

Family

ID=37578687


Country Status (1)

Country Link
CN (1) CN1889426B (en)


Also Published As

Publication number Publication date
CN1889426A (en) 2007-01-03


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20100825

CX01 Expiry of patent term