KR102741305B1 - System and method for controlling file encryption and decryption permissions in shared folders - Google Patents

Abstract

The present invention relates to a system and method for controlling file encryption and decryption rights in a shared folder, the method comprising: detecting an attempt to open a first file in a shared folder managed by a file system, obtaining a directory path in which the first file is located, determining whether the first file is in an encrypted directory, determining access to the encrypted directory by an external user, extracting an IP address and ID of the external user, and performing access control to the first file based on a preset security policy such as an IP, ID, file path, and access rights of a policy DB; and when access to the first file is permitted, generating an identification file context containing remote ID information, remote IP address information, remote access information, file identification information, file path and name, and encryption and decryption rights, and controlling the encryption and decryption rights of the first file based on the identification file context.

Description

{SYSTEM AND METHOD FOR CONTROLLING FILE ENCRYPTION AND DECRYPTION PERMISSIONS IN SHARED FOLDERS}

The present invention relates to a system and method for controlling file encryption/decryption authority in a shared folder, and more specifically, to a system and method for controlling file encryption/decryption authority in a shared folder, which controls encryption/decryption and access to files in a shared folder based on a security policy preset in a file system mini filter driver when a user accessing from a remote location via a network accesses a file in a shared folder using IP (Internet Protocol) address information, user ID (Identification), file identification information, and file access authority information.

Typically, nodes connected to a network send and receive data through the network to share data with multiple computers. Nodes can be referred to as communication nodes, terminals, etc. In order to send and receive such data, a specific folder is shared, and a method of controlling access to the shared folder by receiving an ID (ID) and password from a user accessing the shared folder is called ID-based access control.

Meanwhile, in order to implement ID-based access control, a file system filter driver must be created.

Also, the part that controls access to the entire shared folder based on the IP (Internet Protocol) address of the accessor accessing from a remote location is called IP address-based access control. In general, to obtain the IP address of a remote location, network packets are monitored, and TDI filter driver (Transport Data Interface Filter Driver) and WPF (Windows Filtering Platform) technology are used to monitor network packets.

Meanwhile, in order to obtain the IP address of a remote location, a network-related kernel driver operating in the kernel layer must be created. However, kernel drivers are difficult to develop because they require considerable stability in system operation.

In addition, there is a problem that in order to simultaneously implement ID-based access control and IP-based access control, at least two kernel drivers with poor stability must be developed and used.

In addition, if access control is performed only by IP address and ID for users accessing shared folders from multiple remote locations, there is a problem in that it only primarily protects the actual data, and if an accessor from a specific IP address has access rights, access to all decrypted data within the shared folder is permitted.

The present invention has been made to solve the problems of the prior art as described above, and an object of the present invention is to provide a file encryption/decryption permission control system for a shared folder, which reduces resources consumed for maintaining system stability in the operation of a computer such as a personal computer (PC), a server, etc., by not using a network filter driver requiring a high degree of stability, such as a Windows Filtering Platform (WPF) filter driver, a Transport Data Interface (TDI) filter driver, etc.

Another object of the present invention is to provide a file encryption/decryption permission control system for a shared folder, which can identify all accessors accessing a shared folder by obtaining the Internet Protocol (IP) addresses and identifications (IDs) of accessors accessing from multiple remote locations through a network using a file system mini filter driver.

Another object of the present invention is to provide a file encryption/decryption permission control system for a shared folder, which can control file access methods, such as blocking, encryption or decryption, in real time based on a security policy regarding encryption/decryption permissions including preset access control permissions.

Another object of the present invention is to provide a method for controlling file encryption/decryption permission of a shared folder used in the aforementioned file encryption/decryption permission control system.

According to one aspect of the present invention for solving the above technical problem, a method for controlling file encryption/decryption rights of a shared folder is provided, which is a method for controlling file encryption/decryption rights of a shared folder performed by a computing device, comprising: a step of detecting an attempt to open a first file in a shared folder managed by a file system; a step of obtaining a directory path in which the first file is located; a step of determining whether the first file is in an encrypted directory; a step of determining access to the encrypted directory by an external user if the first file is a file in the encrypted directory; a step of extracting or obtaining an Internet Protocol (IP) address and a remote identification (ID) of the external user if access to the encrypted directory by the external user is confirmed; a step of performing access control to the first file based on a preset security policy based on an IP, an ID, a file path, access rights, or a combination thereof that can be obtained through a policy database; And if access control for the first file is permitted, a step of generating an identification file context containing remote ID information, remote IP address information, remote access information, file identification information, file path and name, and encryption/decryption authority is included.

The above method may further include a step of registering first information contained in the identification file context in a file object of the first file.

The above method may further include a step of obtaining a current access token of a current thread to determine whether a remote user has access to the encrypted directory; and a step of identifying an original source of the obtained access token to determine whether the original source is a New technology Local Area Network Manager (NTLM) Security Support Provider (SSP).

The method may further include a step of detecting input/output (I/O) regarding a data request (Read) of the first file; a step of determining whether an identification file context (File Context) exists in a file object (File Object) of the first file after detecting the I/O regarding the data request; a step of extracting the identification file context from the file object of the first file; and a step of checking whether preset information or data exists in the identification file context.

The method may further include a step of decrypting the first file and transmitting it to the external user, or a step of encrypting the first file and transmitting it to the external user, based on information confirmed to be contained in the identification file context.

The above method may further include a step of checking whether the current I/O operation is a cached I/O, a non-cached I/O, or a fast I/O by referencing data in a structure containing information for processing an input/output (I/O) operation of a file system to determine a method for performing the encryption or decryption.

The method may further include a step of verifying remote access information contained in the identification file context, and performing an encryption or decryption operation on the first file using a preset encryption/decryption method according to a preset encryption/decryption authority and the type of the confirmed current I/O operation for the first file or the external user.

According to another aspect of the present invention for solving the above technical problem, a system for controlling file encryption and decryption rights of a shared folder is a system for performing a method for controlling file encryption and decryption rights of a shared folder, the system comprising: a memory storing at least one command; and a processor connected to the memory and executing the at least one command. By the at least one command, the processor detects an attempt to open a first file in a shared folder managed by a file system; acquires a directory path where the first file is located; determines whether the first file is in an encrypted directory; determines whether an external user accesses the encrypted directory if the first file is a file in the encrypted directory; extracts or acquires an Internet Protocol (IP) address and a remote identification (ID) of the external user if the external user accesses the encrypted directory is confirmed; performs access control for the first file based on a preset security policy based on an IP, an ID, a file path, an access right, or a combination thereof that can be acquired through a policy database; And if access control for the first file is permitted, a step of generating an identification file context containing remote ID information, remote IP address information, remote access information, file identification information, file path and name, and encryption/decryption authority is performed.

The above processor may be configured to further perform a step of registering first information contained in the identification file context to a file object of the first file.

The above processor may be configured to further perform the steps of: obtaining a current access token of a current thread to determine whether a remote user has access to the encrypted directory; and identifying an original source of the obtained access token to determine whether the original source is a New technology Local Area Network Manager (NTLM) Security Support Provider (SSP).

The processor may be configured to further perform the following steps: detecting input/output (I/O) regarding a data request (read) of the first file; determining whether an identification file context (File Context) exists in a file object (File Object) of the first file after detecting the I/O regarding the data request; extracting the identification file context from the file object of the first file; and checking whether preset information or data exists in the identification file context.

The above processor may be configured to further perform a step of decrypting the first file and transmitting it to the external user, or a step of encrypting the first file and transmitting it to the external user, based on information identified as being contained in the identification file context.

The above processor may be configured to further perform a step of checking whether the current I/O operation is a cached I/O, a non-cached I/O, or a fast I/O by referencing data in a structure containing information for processing an input/output (I/O) operation of a file system to determine a method for performing the encryption or decryption.

The above processor may be configured to further perform a step of verifying remote access information contained in the identification file context, and performing an encryption or decryption operation on the first file using a preset encryption/decryption method according to a preset encryption/decryption authority and the type of the confirmed current I/O operation for the first file or the external user.

According to another aspect of the present invention for solving the above technical problem, a system for controlling file encryption and decryption of a shared folder is a system for performing a method for controlling file encryption and decryption of a shared folder, comprising: a file I/O monitoring module for detecting an open attempt for a first file in a shared folder managed by a file system and detecting input/output (I/O) regarding a data request (read) of the first file; a remote access determination unit for obtaining a directory path in which the first file is located, determining whether the first file is in an encrypted directory, and determining access to the encrypted directory by an external user if the first file is a file in the encrypted directory; a remote information extraction unit for extracting or obtaining an Internet Protocol (IP) address and a remote identification (ID) of the external user when access to the encrypted directory by the external user is confirmed; an access control unit for performing access control for the first file based on a preset security policy based on an IP, an ID, a file path, an access right, or a combination thereof that can be obtained through a policy database; And if access control for the first file is permitted, it includes an identification information generation unit that generates an identification file context containing remote ID information, remote IP address information, remote access information, file identification information, file path and name, and encryption/decryption authority.

The above identification information generation unit can register the first information contained in the identification file context in the file object of the first file.

The above remote access determination unit can obtain a current access token of a current thread, identify an original source of the obtained access token, and determine whether the identified original source is an NTLM (New technology Local Area Network Manager) Security Support Provider (SSP).

The above system may further include an encryption/decryption unit that, after detecting I/O regarding the data request, determines whether an identification file context exists in a file object of the first file, extracts the identification file context from the file object of the first file, confirms whether preset information or data exists in the identification file context, and decrypts the first file based on information confirmed to be contained in the identification file context and transmits it to the external user, or encrypts the first file and transmits it to the external user.

The above encryption/decryption unit may be configured to determine whether the current I/O operation is a cached I/O, a non-cached I/O, or a fast I/O by referring to data in a structure containing information for processing an input/output (I/O) operation of a file system in order to determine a method for performing the encryption or decryption.

The above encryption/decryption unit may be configured to verify remote access information contained in the identification file context, and perform an encryption or decryption operation on the first file using a preset encryption/decryption method according to a preset encryption/decryption authority and the type of the confirmed current I/O operation for the first file or the external user.

According to the present invention, by using file encryption/decryption permission control of a shared folder, resources consumed for maintaining system stability in the operation of a computer such as a personal computer (PC) or a server can be reduced by not using a network filter driver requiring a high level of stability, such as a Windows Filtering Platform (WPF) filter driver and a Transport Data Interface (TDI) filter driver.

In addition, according to the present invention, by using a File System Mini Filter Driver, the Internet Protocol (IP) addresses and identifications (IDs) of accessors accessing from multiple remote locations through a network are acquired, and thereby all accessors accessing a shared folder are identified, thereby effectively controlling the file encryption/decryption authority of the shared folder, thereby improving the security performance of the shared folder.

In addition, according to the present invention, it is possible to control in real time the access method of a file, such as blocking, encryption or decryption, based on a security policy regarding encryption/decryption authority including a preset access control authority in file encryption/decryption authority control of a shared folder, thereby improving the security and stability of the shared folder.

FIG. 1 is a conceptual diagram of the configuration of a file encryption/decryption permission control system for a shared folder according to one embodiment of the present invention.
Figure 2 is a flowchart for explaining the process of generating and registering identification data after access control that can be employed in the file encryption/decryption authority control system of Figure 1.
Figure 3 is a flowchart for explaining the identification data verification and encryption/decryption process that can be employed in the file encryption/decryption permission control system of Figure 1.
Figure 4 is an example diagram of file context information of identification data that can be employed in the file encryption/decryption authority control system of Figure 1.
FIG. 5 is a schematic configuration diagram of a file encryption/decryption permission control system for a shared folder according to another embodiment of the present invention.

The present invention can have various modifications and various embodiments, and specific embodiments are illustrated in the drawings and described in detail. However, this is not intended to limit the present invention to specific embodiments, but should be understood to include all modifications, equivalents, or substitutes included in the spirit and technical scope of the present invention.

The terms first, second, etc. may be used to describe various components, but the components should not be limited by the terms. The terms are only used to distinguish one component from another. For example, without departing from the scope of the present invention, the first component could be referred to as the second component, and similarly, the second component could also be referred to as the first component. The term "and/or" includes any combination of a plurality of related listed items or any one of a plurality of related listed items.

In the embodiments of the present application, “at least one of A and B” can mean “at least one of A or B” or “at least one of combinations of one or more of A and B.” Furthermore, in the embodiments of the present application, “at least one of A and B” can mean “at least one of A or B” or “at least one of combinations of one or more of A and B.”

When it is said that a component is "connected" or "connected" to another component, it should be understood that it may be directly connected or connected to that other component, but that there may be other components in between. On the other hand, when it is said that a component is "directly connected" or "directly connected" to another component, it should be understood that there are no other components in between.

The terminology used in this application is only used to describe specific embodiments and is not intended to limit the present invention. The singular expression includes the plural expression unless the context clearly indicates otherwise. In this application, it should be understood that the terms "comprises" or "has" and the like are intended to specify the presence of a feature, number, step, operation, component, part or combination thereof described in the specification, but do not exclude in advance the possibility of the presence or addition of one or more other features, numbers, steps, operations, components, parts or combinations thereof.

Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms defined in commonly used dictionaries, such as those defined in common dictionaries, should be interpreted as having a meaning consistent with the meaning they have in the context of the relevant art, and will not be interpreted in an idealized or overly formal sense unless expressly defined in this application.

Hereinafter, with reference to the attached drawings, a preferred embodiment of the present invention will be described in more detail. In order to facilitate an overall understanding in describing the present invention, the same reference numerals are used for the same components in the drawings, and redundant descriptions of the same components are omitted.

FIG. 1 is a conceptual diagram of the configuration of a file encryption/decryption permission control system for a shared folder according to one embodiment of the present invention.

Referring to FIG. 1, a file encryption/decryption permission control system (hereinafter also referred to simply as the 'authority control system') (100) can be connected to a first personal computer (PC1, 10), a second personal computer (PC2, 20), and a third personal computer (PC3, 30) via a network (network, 50).

Each personal computer may be referred to as a user terminal, and may include a node, communication node, terminal, communication terminal, network terminal, communication-capable computing device, user portable terminal, etc. that can transmit and receive signals, data, or files with the other party through a network (50) in the form of wired, wireless, mobile communication, satellite, or a combination thereof.

The permission control system (100) may be configured to control the file encryption/decryption authority of a shared folder within a file system (104) connected to a network (50) via a network driver (102). That is, the permission control system (100) may be configured to verify a user accessing a file within a shared folder of the file system (104) via a network (50), verify information about the file, and control the user's encryption/decryption authority for the file.

To this end, the authority control system (100) may be equipped with a file input/output (I/O) monitoring module (106), a remote access judgment unit (110), a remote information extraction unit (120), an access control unit (130), a policy database (DB) (140), an identification information generation unit (150), an encryption/decryption unit (160), an encryption/decryption key DB (170), and a storage (180).

The file I/O monitoring module (106) can detect an attempt by a remote user or an external user to open or copy a specific file to access specific data within a shared folder of the file system (104). In addition, the file I/O monitoring module (106) can detect an attempt by an external user to request (read) data.

The remote access determination unit (110) can obtain the directory path where the target file, such as the first file, is located according to the operation of the file I/O monitoring module (106), and can confirm whether the target file is a file in the encrypted directory. In addition, the remote access determination unit (110) can confirm or determine whether remote access to the target file is possible. To this end, the remote access determination unit (110) can be equipped with a file path acquisition module (112), an encrypted directory confirmation module (114), and a remote access confirmation module (116).

The remote information extraction unit (120) can extract or obtain the Internet Protocol (IP) address and remote identification (ID) of the currently accessed remote user. The extracted or obtained information can be transmitted to the access control unit (130). To this end, the remote information extraction unit (120) can be equipped with a remote IP address extraction module (122) and a remote ID extraction module (124).

The access control unit (130) can perform access control on files in a shared folder based on preset security policies such as IP, ID, full path, and access rights that can be obtained through the policy DB (140). If access to a target file is not permitted, the access control unit (130) can block the user's access to the target file or specific data. To this end, the access control unit (130) can be equipped with an access control module (132). The result of performing access control can be transmitted to the identification information generation unit (150).

The identification information generation unit (150) can generate an identification file context containing the remote user's IP, ID, file path and file name, file identification information, and encryption/decryption authority, and store the generated identification file context in a storage (180), if data access to the target file is permitted by the access control unit (130). In addition, the identification information generation unit (150) can register the identification file context in the file object of the file that the user currently wishes to access. To this end, the identification information generation unit (150) can be equipped with an identification information generation module (152). When registration of the identification file context in the file object of the target file is completed, the identification information generation unit (150) can transfer control to the file system (104).

When file input/output according to a data request (Read) from an external user is detected by the file I/O monitoring module (106), the encryption/decryption unit (160) can determine whether an identification file context registered in the file object of the target file exists in the identification information generation module (150) for the target file requesting data. To this end, the encryption/decryption unit (160) can be equipped with an encryption/decryption target color-based module (162).

In addition, if an identification file context is registered in the currently requested target file, the encryption/decryption unit (160) can extract the identification file context from the file object of the target file and check whether data stored in the identification information generation unit (150), i.e., a remote IP address, a remote login ID, remote access, file path and name, encryption/decryption authority, and file identification information, exist within the extracted identification file context.

In addition, the encryption/decryption unit (160) can encrypt or decrypt a target file using an encryption key, a decryption key, etc., obtainable from the encryption/decryption key DB (170) according to information in the identification file context. To this end, the encryption/decryption unit (160) may further include an encryption/decryption module (164).

The history or related data of the file encryption/decryption permission control process of the shared folder in the aforementioned file system (104) can be stored in the storage (180).

According to the above-described configuration, the authority control system (100) can implement a file encryption/decryption authority control method (hereinafter, also referred to simply as the 'authority control method') of a shared folder with high security, stability, and reliability.

For example, in one embodiment of the permission control method, when an external user attempts to open a first file to access specific data in a shared folder via a network (50), the open attempt can be detected by the file I/O monitoring module (106).

When an attempt to open the first file is detected, the remote access determination unit (110) can obtain the directory path where the first file is located and determine whether the first file is a file within the encrypted directory.

In addition, the remote access determination unit (110) can determine access to the encrypted directory if the first file is a file in the encrypted directory. In the process of confirming remote access to the encrypted directory, the remote access determination unit (110) can obtain the current access token of the current thread and identify the original source of the obtained access token to determine whether the original source is NTLM (New technology Local Area Network Manager) Security Support Provider (SSP).

NT LAN Manager SSP (NTLMSSP) can be used when a particular user terminal, a client, is authenticating to a server that does not belong to a domain or does not have an Active Directory domain, commonly referred to as a "workgroup" or "peer-to-peer" server. In this case, the server may not be enabled by default and may have the "password-protected sharing" feature enabled. Also, if both the server and the client belong to the same group (or similar protocol), NTLM SSP can use public key cryptography-based user-to-user authentication instead of NTLM. Also, if the server is a device that supports SMB (Server Message Block), such as a centralized file server, such as a Network Attached Storage (NAS) device, or a network printer, the NTLM SSP can provide at least one authentication method supported by the server, and can negotiate for outbound authentication with the operating system, such as Windows. Additionally, if the server is a member of a domain but cannot use established protocols such as the Kerberos Protocol, NTLM SSP can be used to allow clients to authenticate to servers using their IP addresses, and instead of transitive cross-forest trusts, to authenticate to servers in other Active Directory forests with which the client has a legacy NTLM trust.

If the original source of the aforementioned access token is confirmed to be NTLMSSP (NT LAN Manager SSP), the remote information extraction unit (120) can extract or obtain the Internet Protocol (IP) address and remote identification (ID) of the currently accessed remote location and transmit them to the access control unit (130).

The access control unit (130) performs access control on files in a shared folder based on preset security policies such as IP, ID, full path, and access rights that can be obtained through the policy DB (140), and if access to the target file is not permitted, access to the target file or specific data can be blocked.

As a result of performing access control based on a preset security policy, if the access control unit (130) allows data access to the target file, the identification information generation unit (150) can generate and store an identification file context containing the previously acquired remote IP, ID, file path and file name, file identification information, and encryption/decryption authority. Then, the identification information generation unit (150) can register the identification file context to the file object of the file currently being accessed by the user. When registration of the identification file context to the file object of the target file is completed, the identification information generation unit (150) can transfer control to the file system (104).

Then, the file I/O monitoring module (106) detects I/O regarding a data request (Read), and at this time, the encryption/decryption unit (160) can determine whether an identification file context registered in the file object of the target file exists in the identification information generation unit module (150), for the target file requesting data.

The encryption/decryption target identification module (162) of the encryption/decryption unit (160) can extract the identification file context from the file object if it is registered in the currently requested file, and check whether the data stored in the identification information generation unit (150), i.e., the remote IP address, remote login ID, remote access, file path and name, encryption/decryption authority, and file identification information, exist. Meanwhile, if the identification file context is not registered, the encryption/decryption target identification module (162) can no longer proceed with the current process and transfer control to the file system (104).

Next, when the identification file context is confirmed, the encryption/decryption target identification module (162) can be set to perform an encryption/decryption task appropriate for the current I/O task by referring to the data in the callback data (FLT_CALLBACK_DATA) structure for the I/O task received from the file system (104) to determine whether the current I/O task is a cached I/O task, a non-cached I/O task, or a fast I/O task.

The encryption/decryption module (164) can check the encryption/decryption operation method set by the encryption/decryption target identification module (162) and the remote access information stored in the identification file context, and also check the encryption/decryption authority to encrypt or decrypt data and deliver it to the user.

Figure 2 is a flowchart for explaining the process of generating and registering identification data after access control that can be employed in the file encryption/decryption authority control system of Figure 1.

Referring to FIG. 2, the authority control system can be configured to execute a file encryption/decryption authority control method including an access control process, an identification data generation process, and an identification data registration process.

Specifically, the authority control system can detect a file input/output (I/O) situation through a file input/output monitoring module when a random user accesses a file in a shared folder (S210).

Next, the authority control system can obtain file information that the user wishes to access and obtain the file path based on the obtained file information (S220).

Next, the authority control system can determine whether the file accessed by the current user is in the encrypted directory (S230). The file accessed by the user can be referred to as the target file.

As a result of the determination in the above step (S230), if the target file is not a file existing in the encrypted directory (NO in S230), the authority control system can terminate the current remote access.

Meanwhile, if the result of the determination in the above step (S230) shows that the file to be accessed is a file existing in the encrypted directory (example of S230), the authority control system can determine whether the current accessing user is accessing from a remote location (S235).

If the result of the judgment in the above step (S235) is not a user accessing from a remote location (NO in S235), the authority control system can terminate the current process.

Meanwhile, if the result of the judgment in the above step (S235) is that the user accessed from a remote location (example of S235), the authority control system can collect remote location information such as remote location IP and remote location login ID (S240).

Next, the remote control system can perform access control according to a preset security policy based on remote information to determine whether to allow a remote user to access files in a shared folder (S250).

If, as a result of the judgment in the above step (S250), at least one piece of information included in the remote information violates a preset security policy, the authority control system can deny access to files in the remote user's shared folder (S270).

Meanwhile, if at least one piece of information included in the remote location information does not violate the preset security policy as a result of the judgment in the step (S250), the authority control system can create an identification file context (File Context) to store file identification information (S260) and register the created file context in the file object (File Object) of the target file (S280). Thereafter, the authority control system can transfer control to the file system (File System).

Here, the security policy may include a read policy, a write policy, an I/O cache policy, an encryption policy, a decryption policy, etc. The read policy may include 'do not read first', etc., and the write policy may include 'write through method', etc. And the file identification information may include a file path and name, encryption/decryption permission, remote access, remote IP address, remote login ID, etc.

Figure 3 is a flowchart for explaining the identification data verification and encryption/decryption process that can be employed in the file encryption/decryption permission control system of Figure 1.

Referring to FIG. 3, when a data request comes in (S310) while the file input/output detection module of the authority control system is monitoring all files of the managed file system or database system, the authority control system can check whether an identification file context (File Context) previously registered after determining access rights in the access control module exists in the file object (S320) in the currently accessed file.

As a result of the verification in the above step (S320), if an identifying file context does not exist in the file object (NO in S320), the authority control system may consider it as not an encrypted file and terminate the current process.

Meanwhile, if an identification file context exists in the file object as a result of the verification in the above step (S320) (example of S320), the authority control system can extract the identification file context from the file object.

Next, the authority control system can check or confirm whether the current I/O operation is a cached I/O, a non-cached I/O, or a fast I/O by referencing data in a structure containing information so that the file system can process the I/O operation in order to determine how to proceed with encryption/decryption in the encryption/decryption module based on the currently occurring input/output (I/O) operation (S330).

Here, the structure containing the information may contain I/O operation information, such as I/O operation start and processing. The structure containing the information may include a structure containing callback data (FLT_CALLBACK_DATA) for the I/O operation, and may be used by the filter manager or mini filter.

After checking the current I/O operation, the authority control system can check the remote access information (S340). Then, the authority control system can check the set encryption/decryption authority (S350).

According to the result of verification of the set encryption/decryption authority in the above step (S350), the authority control system can perform data decryption (S360) or data encryption (S370) based on the set encryption method or decryption method according to the current I/O operation.

That is, if the decryption authority is set as a result of the verification in the above step (S350), the authority control system decrypts the encrypted data and transmits the decrypted data to the user terminal, and if the encryption authority is set, the encrypted data can be transmitted to the user terminal without decrypting it. The authority control system may be configured to have at least a part of the processor of the computing device that manages the shared folder, or a component that performs a function corresponding to the means, or to cooperate with the processor.

Figure 4 is an example diagram of file context information of identification data that can be employed in the file encryption/decryption authority control system of Figure 1.

Referring to FIG. 4, file context information (400) of identification data may include encryption/decryption authority (410), file path and name (420), file identification information (430), remote access information (440), remote IP address information (450), and remote ID information (460).

Encryption/decryption authority (410) indicates encryption or decryption authority information when acquiring data, and may include at least one of encryption authority and decryption authority, or information indicating no encryption/decryption authority.

The file path and name (420) represents information for encryption directory access control and encryption or decryption, and may include information about the file path and file name or information about the storage location where the file path and file name are stored.

File identification information (430) indicates information for identifying whether a file in an encrypted directory is encrypted, and may include information on whether the file is encrypted.

Remote access information (440) represents information for verifying whether access data is requested from a remote location, and may include information on whether it is remote request data.

Remote IP address information (450) indicates IP address information accessed from a remote location, and may include remote IP address information or location information of a server or system that can confirm the remote IP address.

Remote ID information (460) may indicate ID information logged in from a remote location or include location information of a server or system that can verify a remote login ID.

FIG. 5 is a schematic block diagram of the configuration of a file encryption/decryption permission control system for a shared folder according to another embodiment of the present invention.

Referring to FIG. 5, a file encryption/decryption permission control system (500) of a shared folder may include at least one processor (Processor, 510), a memory (520), and a transceiver (Transceiver, 530) that is connected to a network and performs communication. At least one processor (510) and memory (520) may be configured as at least one controller.

The transceiver (530) may be equipped with a sub-communication system supporting a wired network or a wireless communication module (WCM) supporting a wireless network.

In addition, the file encryption/decryption permission control system (500) may further include an input interface device (540), an output interface device (550), a storage device (560), etc. Each component included in the file encryption/decryption permission control system (500) may be connected by a bus (Bus, 570) and communicate with each other.

However, each component included in the file encryption/decryption permission control system (500) may be connected through individual interfaces or individual buses centered around the processor (510), rather than a common bus. For example, the processor (510) may be connected to at least one of the memory (520), the transmission/reception device (530), the input interface device (540), the output interface device (550), and the storage device (560) through a dedicated interface.

The processor (510) can execute a program command stored in at least one of the memory (520) and the storage device (560). The processor (510) may mean a central processing unit (CPU), a graphics processing unit (GPU), or a dedicated processor on which a method according to an embodiment of the present invention is performed. The program command may include at least one command for implementing a method for controlling file encryption/decryption permissions of a shared folder.

Each of the memory (520) and the storage device (560) may be configured with at least one of a volatile storage medium and a nonvolatile storage medium. For example, the memory (520) may be configured with at least one of a read-only memory (ROM) and a random access memory (RAM).

The file encryption/decryption permission control system (500) described above can be implemented as a desktop computer, server, mobile terminal, laptop, personal mobile communication terminal, etc. The file encryption/decryption permission control system (500) can be referred to as a node, server, communication terminal, or user terminal located on a wired network, a short-range wireless communication network, a mobile communication network, a satellite network, or a combination of these networks.

Meanwhile, the operation of the method for controlling file encryption/decryption authority of a shared folder according to the above-described embodiment of the present invention can be implemented as a computer-readable program or code on a computer-readable recording medium. The computer-readable recording medium includes all types of recording devices that store information that can be read by a computer system. In addition, the computer-readable recording medium can be distributed to computer systems connected to a network, so that the computer-readable program or code can be stored and executed in a distributed manner.

Additionally, the computer-readable recording medium may include hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, and flash memory. The program instructions may include not only machine language codes produced by a compiler, but also high-level language codes that can be executed by the computer using an interpreter, etc.

While some aspects of the invention have been described in the context of an apparatus, they may also represent a description of a corresponding method, wherein a block or device corresponds to a method step or a feature of a method step. Similarly, aspects described in the context of a method may also be represented as a feature of a corresponding block or item or a corresponding device. Some or all of the method steps may be performed by (or using) a hardware device, such as, for example, a microprocessor, a programmable computer or an electronic circuit. In some embodiments, at least one or more of the most important method steps may be performed by such a device.

In embodiments, a programmable logic device (e.g., a field-programmable gate array) may be used to perform some or all of the functions of the methods described herein. In embodiments, a field-programmable gate array may operate in conjunction with a microprocessor to perform one of the methods described herein. In general, the methods are preferably performed by some hardware device.

Although the present invention has been described with reference to the above embodiments, it will be understood by those skilled in the art that various modifications and changes can be made to the present invention without departing from the spirit and scope of the present invention as set forth in the claims below.

Claims (20)

A method for controlling file encryption/decryption permissions of a shared folder performed by a computing device,
A step of detecting an open attempt on a first file within a shared folder managed by a file system;
A step of obtaining a directory path where the first file is located;
A step of determining whether the first file above is within an encrypted directory;
A step of determining whether an external user can access the encrypted directory if the first file above is a file within the encrypted directory;
When the external user's access to the encrypted directory is confirmed, a step of extracting or obtaining the external user's Internet Protocol (IP) address and remote identification (ID);
A step of performing access control on the first file based on a preset security policy based on an IP, ID, file path, access rights or a combination thereof that can be obtained through a policy database;
If access control for the above first file is permitted, a step for creating an identification file context containing remote ID information, remote IP address information, remote access information, file identification information, file path and name, and encryption/decryption authority;
A step of detecting input/output (I/O) regarding a data request (read) of the first file;
After detecting I/O for the above data request, a step of determining whether an identifying file context exists in the file object of the first file;
A step of extracting the identifying file context from the file object of the first file;
A step of checking whether preset information or data exists within the above identification file context; and
A step of decrypting the first file and transmitting it to the external user based on information confirmed to be contained in the above identification file context;
A method for controlling file encryption and decryption permissions in a shared folder containing . In claim 1,
A method for controlling file encryption and decryption permissions of a shared folder, further comprising a step of registering first information contained in the above identification file context in a file object of the first file. In claim 1,
In order to determine whether a remote user has access to the above encrypted directory, a step of obtaining the current access token of the current thread; and
A method for controlling file encryption and decryption permissions of a shared folder, further comprising a step of identifying the original source of an acquired access token to determine whether the original source is a New technology Local Area Network Manager (NTLM) Security Support Provider (SSP). delete In claim 1,
A method for controlling file encryption and decryption permissions of a shared folder, further comprising a step of encrypting the first file and transmitting it to the external user based on information confirmed to be contained in the above identification file context. In claim 1,
A method for controlling file encryption and decryption permissions of a shared folder, further comprising a step of checking whether the current I/O operation is a cached I/O, a non-cached I/O, or a fast I/O by referencing data in a structure containing information so as to process an input/output (I/O) operation of a file system in order to determine a method for performing the encryption or decryption. In claim 6,
A method for controlling file encryption and decryption permissions of a shared folder, further comprising the step of verifying remote access information contained in the above-mentioned identification file context, and performing an encryption or decryption operation on the first file using a preset encryption and decryption method according to the preset encryption and decryption permission and the type of the confirmed current I/O operation for the first file or the external user. A system that performs a method for controlling file encryption and decryption permissions in a shared folder,
a memory storing at least one command; and
A processor connected to said memory and executing said at least one instruction;
and wherein by at least one instruction, the processor:
A step of detecting an open attempt on a first file within a shared folder managed by a file system;
A step of obtaining a directory path where the first file is located;
A step of determining whether the first file above is within an encrypted directory;
A step of determining whether an external user can access the encrypted directory if the first file above is a file within the encrypted directory;
When the external user's access to the encrypted directory is confirmed, a step of extracting or obtaining the external user's Internet Protocol (IP) address and remote identification (ID);
A step of performing access control on the first file based on a preset security policy based on an IP, ID, file path, access rights or a combination thereof that can be obtained through a policy database;
If access control for the above first file is permitted, a step of creating an identification file context containing remote ID information, remote IP address information, remote access information, file identification information, file path and name, and encryption/decryption authority;
A step of detecting input/output (I/O) regarding a data request (read) of the first file;
After detecting I/O for the above data request, a step of determining whether an identifying file context exists in the file object of the first file;
A step of extracting the identifying file context from the file object of the first file;
A step of checking whether preset information or data exists within the above identification file context; and
A file encryption/decryption permission control system of a shared folder, wherein the processor performs a step of decrypting the first file and transmitting it to the external user based on information confirmed to be contained in the identification file context. In claim 8,
A file encryption/decryption permission control system for a shared folder, wherein the processor further performs a step of registering first information contained in the identification file context in a file object of the first file. In claim 8,
The above processor,
In order to determine whether a remote user has access to the above encrypted directory, a step of obtaining the current access token of the current thread; and
A file encryption/decryption permission control system for a shared folder, which further performs the step of identifying the original source of the acquired access token and determining whether the original source is a New technology Local Area Network Manager (NTLM) Security Support Provider (SSP). delete In claim 8,
A file encryption/decryption permission control system for a shared folder, wherein the processor further performs a step of encrypting the first file and transmitting it to the external user based on information confirmed to be contained in the identification file context. In claim 8,
A file encryption/decryption permission control system for a shared folder, wherein the processor further performs a step of checking whether the current I/O operation is a cached I/O, a non-cached I/O, or a fast I/O by referencing data in a structure containing information so as to be able to process an input/output (I/O) operation of a file system in order to determine a method for performing the encryption or decryption. In claim 13,
A file encryption/decryption permission control system for a shared folder, wherein the processor further performs a step of verifying remote access information contained in the identification file context, and performing an encryption or decryption operation on the first file using a preset encryption/decryption method according to the preset encryption/decryption permission and the type of the confirmed current I/O operation for the first file or the external user. A system that performs a method for controlling file encryption and decryption permissions in a shared folder,
A file I/O monitoring module that detects an open attempt for a first file in a shared folder managed by a file system and detects input/output (I/O) regarding a data request (read) for the first file;
A remote access determination unit that obtains a directory path where the first file is located, determines whether the first file is within an encrypted directory, and determines access to the encrypted directory by an external user if the first file is within the encrypted directory;
When the encrypted directory access of the external user is confirmed, a remote information extraction unit extracts or obtains the Internet Protocol (IP) address and remote identification (ID) of the external user;
An access control unit that performs access control for the first file based on a preset security policy based on an IP, ID, file path, access rights or a combination thereof that can be obtained through a policy database;
If access control for the above first file is permitted, an identification information generation unit that generates an identification file context containing remote ID information, remote IP address information, remote access information, file identification information, file path and name, and encryption/decryption authority; and
After detecting I/O for the data request, an encryption/decryption unit is included, which determines whether an identification file context exists in the file object of the first file, extracts the identification file context from the file object of the first file, checks whether preset information or data exists in the identification file context, and decrypts the first file based on the information confirmed to be contained in the identification file context and transmits it to the external user, or encrypts the first file and transmits it to the external user.
The above encryption/decryption unit refers to data in a structure containing information to process input/output (I/O) operations of a file system in order to determine a method for performing the encryption or decryption, and checks whether the current I/O operation is a cached I/O, a non-cached I/O, or a fast I/O. A file encryption/decryption permission control system of a shared folder. In claim 15,
A file encryption/decryption permission control system of a shared folder, wherein the above identification information generation unit registers the first information contained in the above identification file context in the file object of the first file. In claim 15,
The above remote access judgment unit is a file encryption/decryption permission control system of a shared folder that obtains the current access token of the current thread, identifies the original source of the obtained access token, and determines whether the identified original source is an NTLM (New technology Local Area Network Manager) Security Support Provider (SSP). delete delete In claim 15,
A file encryption/decryption permission control system for a shared folder, wherein the encryption/decryption unit verifies remote access information contained in the identification file context, and performs an encryption or decryption operation on the first file using a preset encryption/decryption method according to the preset encryption/decryption permission and the type of the confirmed current I/O operation for the first file or the external user.

Images