Secret level marking and checking method and device thereof
A secret level marking and verification method and device, applied in the field of information security, which can solve problems such as large watermark capacity requirements
Active Publication Date: 2017-05-31
成都卫士通信息安全技术有限公司
AI-Extracted Technical Summary
Problems solved by technology
Although there are many existing security-level identification technologies, there are still some p...
Method used
[0065] After the client 100 receives the classified identification information, it obtains the encrypted file according to the classified identification information and the file. The client 100 sends the encrypted file to the server 400 for storage. After the server 400 successfully saves the encrypted file, the file information and the confidentiality level identification information are sent to the server 400 for storage. Wherein, the information of the file refers to some information of the file itself and an identifier stored on the server 400, such as file name, size, type, and the like. The file information is stored separately from the classified identification information and the marked confidential file, which facilitates management and ensures that the classified identification information is not tampered with or deleted at will.
[...
Abstract
The invention discloses a secret level marking and checking method and a device thereof. The method comprises the following steps: sending selected files to a client terminal via a sending terminal, and inquiring secret level marking states of the files via a server after receiving the files via the client terminal; marking secret levels of the files via a secret level setting terminal when the files are not marked with secret levels; and obtaining file secret levels of the files via the server when the files are marked with secret levels, and checking the files according to the file secret levels. According to the technical scheme, the files which are not marked with secret levels can be marked with secret levels; meanwhile, the files marked with secret levels can be checked; access rights of users to the files marked with secret levels can be managed and controlled, so that the current situation that secret divulging events often occur can be improved.
Application Domain
Transmission
Technology Topic
Computer security; Level set
Examples
- Experimental program(3)
Example
[0054] First embodiment
[0055] Please refer to Figure 7. Figure 7 is a flowchart of the secret level identification and verification method provided by the first embodiment of the present invention. The method is applied to the secret level identification and verification system 10. The specific process of the method is described in detail below.
[0056] Step S110, the sending terminal 200 responds to the file selection operation, and sends the selected file to the client 100.
[0057] In this embodiment, the sending terminal 200 may include an input device (such as a mouse), and may also include an interactive interface for receiving file selection operations. In an implementation of this embodiment, the interactive interface may be a touch screen display. The touch screen may be a capacitive or resistive touch screen that supports single-point and multi-touch operations, which means that the touch display can sense touch operations generated at one or more positions on the display and hand the sensed touch operations to the second processor 203 for processing and calculation. The sending terminal 200 may send the file to the client 100 through the second network module 204.
[0058] In step S120, the client 100 determines through the server 400 whether the file has been marked as secret.
[0059] In this embodiment, after receiving the file, the client 100 obtains the status of the file (for example, whether it is being uploaded, downloaded or occupied, etc.), and judges whether the file is legal according to the status of the file. When the file is legal (not in an upload, download, or occupied state, etc.), the server 400 determines whether the selected file has been marked as secret, thereby ensuring a one-to-one correspondence between the secret level identification information and the file.
[0060] In this embodiment, a hash algorithm is stored in the client 100, and the hash digest of the file is obtained through the hash algorithm. The hash algorithm maps a binary value of any length to a shorter fixed-length binary value. This binary value is called a hash value, also called a hash digest. Since the hash digest is a unique and extremely compact numerical expression of a file, the hash digest can be used as the unique identifier of the file.
[0061] In an implementation of this embodiment, the hash digest is used to determine whether the file has been marked as secret. The client 100 sends the calculated hash digest to the server 400, and the server 400 compares the received hash digest with the hash digests of the marked-secret files stored by the server 400 to determine whether the file has been marked as secret. When the hash digest is found on the server 400, it is determined that the file has been marked as secret; when the hash digest is not found on the server 400, it is determined that the file is not marked as secret.
[0062] When the file is not marked as secret, step S130 is executed.
[0063] In step S130, the client 100 marks the secret level of the file through the secret terminal 300.
[0064] In this embodiment, the client 100 sends the file to the secret terminal 300. The secret terminal 300 may include an input device (for example, a keyboard) for receiving the secret level identification information of the file. The secret level identification information may include mandatory attributes and extended attributes. The mandatory attributes can include the document confidentiality level, the confidentiality period, the scope of knowledge, etc., while the extended attributes include the drafter, the person responsible for the classification, and the life cycle of the classified document. During the confidentiality period, the secret level identification information is not allowed to be modified at will. When a marked-secret file passes through the client 100 again, it is processed according to its original secret level identification information, which is not allowed to be modified. The secret terminal 300 sends the secret level identification information of the file to the client 100.
[0065] After receiving the secret level identification information, the client 100 obtains the marked-secret file according to the secret level identification information and the file. The client 100 sends the marked-secret file to the server 400 for storage. After the server 400 successfully saves the marked-secret file, the information of the file and the secret level identification information are sent to the server 400 for storage. The information of the file refers to some information of the file and the identifier stored on the server 400, such as the file name, size, type, etc. The file information is stored separately from the secret level identification information and the marked-secret file, which facilitates management and at the same time ensures that the secret level identification information is not arbitrarily tampered with or deleted.
[0066] In an implementation of this embodiment, the server 400 may be a plurality of servers provided separately. The separately provided servers may include a file server and a management server. The management server is used to determine whether the file has been marked as secret, and to receive and save the information of the file and the secret level identification information. The file server is used to receive the marked-secret file. This arrangement makes management convenient, and servers of different specifications can be configured according to the actual situation.
[0067] In an implementation of this embodiment, the server 400 may also be a single server. The server 400 is configured to determine whether the file has been marked as secret, receive and save the information of the file and the secret level identification information, and receive and save the marked-secret file. This arrangement makes management and information search convenient.
[0068] In the implementation of this embodiment, the server 400 sends information indicating that the storage is successful to the client 100 after checking the file information and the secret level identification information.
[0069] When the file has been marked as secret, step S140 is executed.
[0070] In step S140, the client 100 obtains the file secret level of the file through the server 400, and verifies the file according to the file secret level.
[0071] In this embodiment, the server 400 stores data in a one-to-one correspondence between the secret level identification information and the file entity. The secret level identification information includes the file security level and the confidentiality period. During the confidentiality period, the secret level identification information is not allowed to be modified at will. When a marked-secret file passes through the client 100 again, it is processed according to its original secret level identification information, which is not allowed to be modified. The server 400 obtains the file security level of the file through a query.
[0072] The server 400 also pre-stores the file security levels that can be processed by the sending terminal 200 and the file security levels that can be processed by the receiving terminal 500. The client 100 receives the file security level that can be processed by the sending terminal 200 and the file security level that can be processed by the receiving terminal 500 that are queried and sent by the server 400.
[0073] It is determined whether the file security level is higher than the file security level that the sending terminal 200 can process.
[0074] When the file security level is higher than the file security level that can be processed by the sending terminal 200, it is determined that the verification fails.
[0075] When the file security level is not higher than the file security level that can be processed by the sending terminal 200, it is determined whether the file security level is higher than the file security level that can be processed by the receiving terminal 500.
[0076] When the file security level is higher than the file security level that can be processed by the receiving terminal 500, it is determined that the verification fails.
[0077] When the file security level is not higher than the file security level that can be processed by the receiving terminal 500, it is determined that the verification is passed.
[0078] In the implementation of this embodiment, when the verification is passed, the receiving terminal 500 receives and accesses the file sent by the client 100. The receiving terminal 500 may include a display screen for displaying the file.
[0079] In an implementation of this embodiment, when the marked-secret file is modified, its hash digest changes and no longer matches the hash digest of the marked-secret file stored in the server 400, so the modified file is sent to the secret terminal 300 to be marked. This ensures that the secret level identification information of the marked-secret file is not arbitrarily tampered with and that the file information of the marked-secret file is not modified at will.
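The flow of the first embodiment (digest lookup in step S120, marking in step S130, the two-stage level check in step S140, and the handling of a modified file in [0079]) can be sketched as follows. This is an added example, not code from the patent; SHA-256, the three level names, the terminal identifiers and the function names are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Constructed ordering; the patent does not name the levels."""
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


def digest_of(data: bytes) -> str:
    # SHA-256 is an assumption; the text only says "a hash algorithm".
    return hashlib.sha256(data).hexdigest()


@dataclass
class Server:
    """Stand-in for server 400: markings by digest, clearance by terminal."""
    markings: dict = field(default_factory=dict)    # digest -> Level
    clearance: dict = field(default_factory=dict)   # terminal id -> Level

    def mark(self, data: bytes, level: Level) -> str:
        """S130: store the level chosen at secret terminal 300."""
        digest = digest_of(data)
        if digest in self.markings:
            # Simplification: no confidentiality period, so never overwritten.
            raise PermissionError("file is already marked")
        self.markings[digest] = level
        return digest


def process(server: Server, data: bytes, sender: str, receiver: str) -> str:
    """S120 then S140, as run by client 100."""
    level = server.markings.get(digest_of(data))
    if level is None:
        return "needs_marking"          # digest not found: go to S130
    # Terminals the server does not know get level 0, so they fail.
    if level > server.clearance.get(sender, 0):
        return "fail_sender"
    if level > server.clearance.get(receiver, 0):
        return "fail_receiver"
    return "pass"


def demo() -> list:
    send, recv = "terminal-200", "terminal-500"      # constructed ids
    server = Server(clearance={send: Level.SECRET, recv: Level.CONFIDENTIAL})
    plan, keys = b"project plan v1", b"key material"  # constructed files
    results = [process(server, plan, send, recv)]     # not yet marked
    server.mark(plan, Level.CONFIDENTIAL)
    server.mark(keys, Level.SECRET)
    results.append(process(server, plan, send, recv))
    results.append(process(server, keys, send, recv))
    results.append(process(server, keys, recv, send))
    # One changed byte gives a new digest, so the file counts as unmarked.
    results.append(process(server, plan + b"!", send, recv))
    return results
```

Because the lookup key is the digest of the whole file, the marking follows exact content only: the last case in demo() shows a one-byte edit sending the file back to the marking step rather than inheriting the original level.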
Example
[0080] Second embodiment
[0081] Please refer to Figure 8. Figure 8 is a schematic flow chart of the secret level identification and verification method provided by the second embodiment of the present invention. The method is applied to the client 100 communicating with the sending terminal 200, the secret terminal 300, and the server 400. The following describes the specific process of the secret level identification and verification method.
[0082] Step S210: Receive the file sent by the sending terminal 200 after responding to the file selection operation, and determine whether the file has been marked as secret.
[0083] Please refer to Figure 9. Figure 9 is a schematic flowchart of the sub-steps included in step S210 of Figure 8. Step S210 includes sub-step S212 and sub-step S214.
[0084] In sub-step S212, a hash digest of the file is calculated by a hash algorithm, and the hash digest is sent to the server 400.
[0085] In sub-step S214, the query result of whether the file has been marked as secret is received; the server 400 obtains this result by comparing the received hash digest with the hash digests of the marked-secret files stored by the server 400.
[0086] When the file is not marked as secret, step S220 is executed.
[0087] In step S220, the file is marked as secret through the secret terminal 300.
[0088] Please refer to Figure 10. Figure 10 is a schematic flow chart of the sub-steps included in step S220 of Figure 8. In this embodiment, step S220 may include sub-step S221, sub-step S222, sub-step S223, and sub-step S224.
[0089] In the sub-step S221, the file is sent to the secret terminal 300.
[0090] In sub-step S222, the secret level identification information of the file, sent by the secret terminal 300 in response to the secret marking operation on the file, is received.
[0091] In sub-step S223, after the secret level identification information is received, the marked-secret file is obtained according to the secret level identification information and the file, and the marked-secret file is sent to the server 400 so that the server 400 saves it.
[0092] In sub-step S224, after the server 400 successfully saves the marked-secret file, the information of the file and the secret level identification information are sent to the server 400 for storage.
[0093] Please refer to Figure 11. Figure 11 is another schematic flow chart of the sub-steps included in step S220 of Figure 8. In this embodiment, step S220 may further include a sub-step S225 of receiving, from the server 400, a message that the information of the file and the secret level identification information have been successfully saved.
[0094] Please refer to Figure 12. Figure 12 is a schematic flow chart of the sub-steps included in step S230 of Figure 8. In this embodiment, step S230 may include sub-step S231, sub-step S232, sub-step S233, and sub-step S234.
[0095] In sub-step S231, the file security level that can be processed by the sending terminal 200 and the file security level that can be processed by the receiving terminal 500, obtained and sent by the server 400, are received.
[0096] In sub-step S232, it is determined whether the file security level is higher than the file security level that can be processed by the sending terminal 200.
[0097] When the file security level is higher than the file security level that can be processed by the sending terminal 200, sub-step S233 is executed.
[0098] In sub-step S233, it is determined that the verification has failed.
[0099] When the file security level is not higher than the file security level that can be processed by the sending terminal 200, sub-step S234 is executed.
[0100] In sub-step S234, it is determined whether the file security level is higher than the file security level that can be processed by the receiving terminal 500.
[0101] Please refer to Figure 13. Figure 13 is a schematic flowchart of the sub-steps included in sub-step S234 of Figure 12. In this embodiment, sub-step S234 includes sub-step S2341 and sub-step S2342.
[0102] When the file security level is higher than the file security level that can be processed by the receiving terminal 500, sub-step S2341 is executed.
[0103] In sub-step S2341, it is determined that the verification has failed.
[0104] When the file security level is not higher than the file security level that can be processed by the receiving terminal 500, sub-step S2342 is executed.
[0105] In sub-step S2342, it is determined that the verification is passed.
[0106] Please refer again to Figure 13. In an implementation of this embodiment, sub-step S2342 may include sub-step S23421, in which the receiving terminal 500 receives the file sent by the client 100.
Example
[0107] The third embodiment
[0108] Please refer to Figure 14. Figure 14 is a schematic block diagram of a secret level identification and verification device 600 provided by the third embodiment of the present invention. The secret level identification and verification device 600 includes:
[0109] The receiving and querying module 610 is configured to receive the file sent by the sending terminal 200 after responding to the file selection operation, and query the confidentiality status of the file;
[0110] The encryption verification module 620 is used to mark the file as secret through the secret terminal 300 when the file is not marked as secret;
[0111] The verification module 630 is configured to obtain the file secret level of the file through the server 400 when the file has been marked as secret, and verify the file according to the file secret level.
[0112] In this embodiment, the receiving and querying module 610 receives the file sent by the sending terminal 200 in response to the file selection operation, and the manner in which it queries the confidentiality status of the file includes:
[0113] Calculating the hash digest of the file using a hash algorithm, and sending the hash digest to the server 400;
[0114] Receiving the query result of whether the file has been marked as secret, which the server 400 obtains by comparing the received hash digest with the hash digests of the marked-secret files stored by the server 400.
[0115] In summary, the embodiments of the present invention provide a method and device for identifying and verifying a security level. The sending terminal responds to the file selection operation and sends the selected file to the client. The client queries through the server whether the file has been marked as secret. When the file is not marked as secret, the secret terminal performs a secret marking operation on the file; when the file has been marked as secret, the file security level of the file is obtained by querying the server, and the file is verified according to the file security level. The technical scheme of the present invention can mark unmarked files as secret and, at the same time, verify marked-secret files to manage and control users' access rights to marked-secret files, thereby improving the current situation of frequent leaks.