CN105516056A - Encrypted file protection system and protection method thereof - Google Patents

Encrypted file protection system and protection method thereof

Info

Publication number
CN105516056A
Authority
CN
China
Prior art keywords
file
client
server
client device
encrypted file
Prior art date
Legal status
Granted
Application number
CN201410493178.4A
Other languages
Chinese (zh)
Other versions
CN105516056B (en)
Inventor
蔡文彰
朱亮
Current Assignee
Atus Technology LLC
Original Assignee
Atus Technology LLC
Application filed by Atus Technology LLC
Priority to CN201410493178.4A
Publication of CN105516056A
Application granted
Publication of CN105516056B
Legal status: Active

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention provides an encrypted file protection system and a protection method thereof, which are applied between client equipment and a server. When the client device requires to download the file, the server encrypts the file according to the key corresponding to the client device after verifying that the client device has the download authority, and enables the client device to download the file. When the client device wants to open the encrypted file, the information of the client device is transmitted to the server so as to confirm that the client device is an authorized client capable of opening the encrypted file. If the client device is indeed the authorized client, the encrypted file is decrypted by using the key held by the client device, and the decrypted file is opened according to the use rule recorded by the server. Therefore, the file can be prevented from being illegally downloaded and illegally copied to an unauthorized client for use after being downloaded.

Description

Encrypted file protection system and its protection method

Technical field

The invention relates to a protection system and protection method, and in particular to a protection system and protection method for encrypted files.

Background

Because digital data such as documents, archives and audio-visual material are easily transmitted and downloaded illegally through media such as networks, optical discs and USB flash drives, how to protect important digital data effectively has long been an important research and development topic in this technical field.

Generally, important digital data can itself be encrypted with a key, so that only the holder of the key can open the encrypted data. However, with the rapid development of technology, many tools now exist on the market that can help third parties illegally crack encrypted data; in other words, protecting digital data simply by encrypting it with a key no longer meets users' needs.

Furthermore, to ensure the security of confidential documents, companies and enterprises generally encrypt the servers used to store them. However, once those confidential documents have been provided to internal employees or to external customers and suppliers for download, the server can no longer control or track the downloaded copies. As a result, the downloaded confidential documents can easily be illegally obtained and used by third parties, causing serious damage to the enterprise.

Summary of the invention

The main purpose of the present invention is to provide a protection system and protection method for encrypted files that can encrypt a file in real time according to the key corresponding to the client device requesting the download, so that the encrypted file is bound to the client device that requested it.

Another main purpose of the present invention is to provide a protection system and protection method for encrypted files that, when a client device wants to open a file, verifies whether the client device is an authorized client and determines whether the client device holds the correct key to decrypt the encrypted file, thereby preventing the file from being illegally copied to other client devices and used after download.

To achieve the above objects, the present invention discloses an encrypted file protection method applied to a client device and a server, wherein the client device has a client agent software and the server has a server-side management software, the method comprising:

a) the client agent software obtains an encrypted file and opens it locally;

b) transmitting information of the client device to the server;

c) the server-side management software determines, based on the received information, whether the client device is an authorized client permitted to open the encrypted file;

d) if the client device is the authorized client, the client agent software determines whether a client key it holds can decrypt the encrypted file;

e) if the client key held by the client agent software can decrypt the encrypted file, further querying the server-side management software to confirm whether the client device's current opening action complies with a usage rule set for the encrypted file; and

f) if the opening action complies with the usage rule, decrypting the encrypted file into a file and opening the file according to the usage rule.

As described above, the method further comprises a step g: if the client device is not the authorized client, or the client key held by the client agent software cannot decrypt the encrypted file, or the opening action does not comply with the usage rule, responding with a message that the opening action is prohibited.

As described above, the information of the client device is the media access control address (MAC address) of the client device and the authorization code of the client agent software.

As described above, in step f the client agent software allows an application program in the client device to open the file.

As described above, in step c the server-side management software compares the received information with authorization permission data preset for the encrypted file to determine whether the client device is the authorized client, wherein the authorization permission data records a share target with which the encrypted file may be shared and the usage rule.

As described above, the following steps are further included before step a:

a01) submitting a file sharing request to the server-side management software;

a02) selecting the file to be shared;

a03) setting the share target of the file;

a04) setting the usage rule of the file; and

a05) storing the share target and the usage rule as the authorization permission data of the file.

As described above, the following steps are further included before step a:

a11) the client agent software submits a download request for the file to the server-side management software;

a12) the server-side management software retrieves corresponding user data based on the login information of the client agent software, wherein the user data is stored in the server;

a13) the server-side management software obtains the authorization permission data of the file;

a14) comparing the user data with the authorization permission data to determine whether the client agent software has download authority for the file;

a15) if the client agent software has download authority for the file, the server-side management software obtains the corresponding client key based on the user data, wherein the client key is stored in the server;

a16) encrypting the file with the client key to produce the encrypted file; and

a17) providing the encrypted file for the client agent software to download.

As described above, when the server-side management software generates the encrypted file it places the client device's information and the time of the download request into the encrypted file, and the encrypted file protection method further comprises a step h: dynamically displaying the client device's information and the time of the download request as a watermark on the opened file.

As described above, the following steps are further included before step a:

a21) installing the client agent software on the client device;

a22) after the client agent software starts, connecting to the server to log in for the first time;

a23) the server-side management software stores the login information of the client agent software as the user data and generates, based on the user data, the client key exclusive to the client agent software;

a24) the server-side management software records the client key and associates it with the user data; and

a25) the client agent software records the client key.

As described above, the method further comprises a step i: after step f, the client agent software returns opening information to the server-side management software.
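The registration steps a21 to a25, the download steps a11 to a17 and the opening steps a to i above, simulated end to end in Python. This is an added example, not code from the patent or from Atus Technology: the client-key derivation, the file layout (a JSON header carrying the device information and download time, followed by the ciphertext), the MAC addresses, authorization codes, file and usage rule are all constructed for the example, and an HMAC-SHA256 stream construction stands in for the cipher, which the patent does not specify.

```python
import hashlib, hmac, json, secrets
def _keystream(key, nonce, n):
    blocks = [hmac.new(key, b"ks" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def seal(key, plaintext, header):
    # Encrypt-then-MAC with an HMAC-SHA256 counter-mode keystream: a standard-library
    # stand-in for an AEAD such as AES-GCM. The header is authenticated, not hidden.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + header + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob, header):  # plaintext, or None if key or header mismatch (step d)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + header + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Server:  # server-side management software: key management + authority filter
    def __init__(self):
        self.secret = secrets.token_bytes(32)      # root for deriving client keys
        self.server_key = secrets.token_bytes(32)  # protects files at rest
        self.users, self.files, self.perms, self.usage_log = {}, {}, {}, []

    def register(self, mac, auth_code):
        # a23/a24: login info becomes user data; an agent-exclusive key is derived from it
        user = {"mac": mac, "auth_code": auth_code}
        key = hmac.new(self.secret, json.dumps(user, sort_keys=True).encode(), hashlib.sha256).digest()
        self.users[auth_code] = (user, key)
        return key

    def share(self, file_id, share_to, rule):  # a01-a05: authorization permission data
        self.perms[file_id] = {"share_to": set(share_to), **rule}

    def download(self, auth_code, file_id, now):
        # a11-a17: check download authority, decrypt with the server key, re-encrypt
        # under the requester's client key with device info and time in the header
        entry, perm = self.users.get(auth_code), self.perms.get(file_id)
        if not entry or not perm or auth_code not in perm["share_to"]:
            return None
        user, key = entry
        original = unseal(self.server_key, self.files[file_id], file_id.encode())
        header = json.dumps({"file_id": file_id, "mac": user["mac"], "auth_code": auth_code,
                             "downloaded_at": now}, sort_keys=True).encode()
        return header + b"\n" + seal(key, original, header)

    def authorize_open(self, info, file_id):  # step c: device info vs share targets
        entry, perm = self.users.get(info["auth_code"]), self.perms.get(file_id)
        return bool(entry and perm and entry[0]["mac"] == info["mac"]
                    and info["auth_code"] in perm["share_to"])

    def check_rule(self, file_id, auth_code, now):  # step e: time window + open count
        p = self.perms[file_id]
        opens = sum(1 for f, a in self.usage_log if (f, a) == (file_id, auth_code))
        return p["not_before"] <= now <= p["not_after"] and opens < p["max_opens"]

class ClientAgent:  # client agent software: permission filter + decryption module
    def __init__(self, server, mac, auth_code):
        self.server, self.mac, self.auth_code = server, mac, auth_code
        self.key = server.register(mac, auth_code)  # a21-a25: first login, key recorded

    def open_file(self, enc, now):
        header, blob = enc.split(b"\n", 1)
        meta = json.loads(header)
        info = {"mac": self.mac, "auth_code": self.auth_code}                  # step b
        if not self.server.authorize_open(info, meta["file_id"]):                 # step c
            return ("denied", "not an authorized client")                         # step g
        plaintext = unseal(self.key, blob, header)                                # step d
        if plaintext is None:
            return ("denied", "client key cannot decrypt this file")
        if not self.server.check_rule(meta["file_id"], self.auth_code, now):      # step e
            return ("denied", "usage rule violated")
        self.server.usage_log.append((meta["file_id"], self.auth_code))          # step i
        watermark = f"{meta['mac']} {meta['auth_code']} {meta['downloaded_at']}"  # step h
        return ("opened", plaintext, watermark)                                   # step f

def run_scenario():
    # Constructed sample devices, file and usage rule; times are plain integers
    srv = Server()
    alice = ClientAgent(srv, "00:11:22:33:44:55", "AGENT-A")
    bob = ClientAgent(srv, "66:77:88:99:AA:BB", "AGENT-B")
    eve = ClientAgent(srv, "CC:DD:EE:FF:00:11", "AGENT-E")
    srv.files["q3-report.docx"] = seal(srv.server_key, b"confidential quarterly figures",
                                       b"q3-report.docx")  # file at rest, server key
    srv.share("q3-report.docx", {"AGENT-A", "AGENT-B"},
              {"not_before": 1000, "not_after": 2000, "max_opens": 2})
    enc = srv.download("AGENT-A", "q3-report.docx", now=1100)
    return {
        "eve_download": srv.download("AGENT-E", "q3-report.docx", now=1100),  # a14 fails
        "alice_open": alice.open_file(enc, now=1200),
        "bob_copy": bob.open_file(enc, now=1200),       # shared with Bob, but wrong key
        "eve_copy": eve.open_file(enc, now=1200),       # not a share target
        "alice_late": alice.open_file(enc, now=2500),   # outside the time window
        "alice_second": alice.open_file(enc, now=1300),
        "alice_third": alice.open_file(enc, now=1400),  # exceeds max_opens
        "usage_log": list(srv.usage_log),
    }
```

The scenario exercises all three refusal paths of step g: a device that is not a share target (step c), an authorized device holding a different client key (step d), and an opening action outside the time window or beyond the open count (step e).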

To achieve the above objects, the present invention further discloses an encrypted file protection system, comprising:

a client agent software installed on a client device, comprising:

a permission filtering module which, when the client device wants to open an encrypted file, transmits the client device's information to a server to confirm that the client device is an authorized client permitted to open the encrypted file; and

a file decryption execution module which, after the client device has been confirmed to be the authorized client, decrypts the encrypted file into a file using a client key held by the client agent software, and opens the file when the current opening action complies with a usage rule set for the file, wherein the usage rule is stored in the server;

a server-side management software installed on the server, which is connected to the client device through a network, comprising:

a permission filtering management module which communicates with the permission filtering module to confirm, from the received information, whether the client device is the authorized client;

a key management module which, when the client agent software logs in to the server for the first time, creates the exclusive client key based on the login information of the client agent software, wherein the client key is recorded by both the client agent software and the server-side management software;

an encryption/decryption control module having a download encryption module which, on receiving a download request for the file from the client agent software, obtains the client key corresponding to the client agent software and encrypts the file with it to produce the encrypted file; and

a data control hub for processing, integrating and converting the data and instructions of the permission filtering management module, the key management module and the encryption/decryption control module.

As described above, the file is encrypted with a server key of the server, and the encryption/decryption control module further has a download decryption module which, on receiving the download request for the file from the client agent software, obtains the server key and decrypts the file to produce an original file, and causes the download encryption module to encrypt the original file with the client key to produce the encrypted file.

As described above, the client agent software further comprises a client encryption module which, after the client device finishes editing a document, encrypts the document with the client key held by the client agent software, and the client device uploads the encrypted document to the server for storage.

As described above, the encryption/decryption control module further has:

an upload decryption module which, on receiving the document, obtains the client key corresponding to the client device and decrypts the document to produce an original document; and

an upload encryption module which obtains a server key preset by the server and encrypts the original document to produce the file.

As described above, the server stores usage record data, which records the client device's opening information for the encrypted file.

As described above, the server stores authorization permission data of the file, which records the usage rule and a share target of the file, wherein the permission filtering management module compares the client device's information with the share target of the file to confirm whether the client device is the authorized client.

Compared with the prior art, the technical effect of the present invention is that, on receiving a request to download a file, the server first confirms whether the requesting client device has download authority for the file, thereby preventing the file from being illegally downloaded. In addition, the server encrypts the file with the key corresponding to the client device requesting the download to produce the encrypted file. In this way the encrypted file is bound to the client device that requested the download, preventing other devices from copying and using it.

Further, when a client device wants to open the encrypted file, the server must determine whether the client device is an authorized client permitted to open it, and the client device must also decrypt the encrypted file with the key it holds in advance. This further eliminates the possibility of the encrypted file being used illegally.

In addition, when sharing of the file is requested on the server, the usage rule of the file can also be set on the server. When the client device opens the encrypted file it must then comply with the preset usage rule, which prevents unrestricted abuse of the file.

Brief description of the drawings

Fig. 1 is a system architecture diagram of the first embodiment of the present invention;

Fig. 2 is a system block diagram of the first embodiment of the present invention;

Fig. 3 is a schematic diagram of the client agent software of the first embodiment of the present invention;

Fig. 4 is a schematic diagram of the server-side management software of the first embodiment of the present invention;

Fig. 5 is a registration flowchart of the first embodiment of the present invention;

Fig. 6 is a file sharing application flowchart of the first embodiment of the present invention;

Fig. 7 is an encrypted file download flowchart of the first embodiment of the present invention;

Fig. 8 is an encrypted file download flowchart of the second embodiment of the present invention;

Fig. 9 is an encrypted file opening flowchart of the first embodiment of the present invention.

Reference signs

1: server
10: server-side management software
101: data control hub
102: permission filtering management module
103: key management module
104: encryption/decryption control module
1041: download encryption module
1042: download decryption module
1043: upload decryption module
1044: upload encryption module
11: file
12: user data
13: client key
14: authorization permission data
15: usage record data
16: encrypted file
2: client device
20: client agent software
201: permission filtering module
202: file decryption execution module
203: client encryption module
21: internal client device
22: external client device
3: network system
31: encrypted communication channel
S10~S18: registration steps
S20~S28: application steps
S30~S42, S50~S56: download steps
S60~S76: opening steps

Detailed description

A preferred embodiment of the present invention is described in detail below with reference to the accompanying drawings.

Fig. 1 and Fig. 2 are, respectively, a system architecture diagram and a system block diagram of the first embodiment of the present invention. The present invention discloses a protection system and protection method for encrypted files, applied mainly between a server 1 and a client device 2. As shown in Fig. 1, the client device 2 referred to here includes one or more internal client devices 21 connected to the server 1 through an internal network, and one or more external client devices 22 connected to the server 1 through the Internet. Specifically, if the server 1 is an enterprise's internal management server, the internal client device 2 can be regarded as a device used by the enterprise's employees, and the external client device 2 as a device used by customers or suppliers outside the enterprise. As Fig. 1 shows, the system may in practice contain a large number of client devices 2; for convenience, the description below uses a single client device 2 as the example.

Fig. 2 refers to the above internal network and the Internet collectively as a network system 3; the client device 2 and the server 1 are connected mainly through an encrypted communication channel 31 in the network system 3. How the encrypted communication channel 31 is established in the network system 3 is common knowledge in this technical field and is not described further here.

In this embodiment, a client agent software 20 may be installed in the client device 2, and a server-side management software 10 may be installed in the server 1. When a user operates the client device 2 to connect to the server 1 and wants to upload, download, share, open, edit, delete or otherwise act on a file 11 stored in the server 1, the action is completed mainly through communication between the client agent software 20 and the server-side management software 10.

The server 1 may have a database (not shown) storing one or more files 11. These files 11 may have been edited by the user on the client device 2 and uploaded to the server 1, or edited directly through an online editing program (not shown) provided by the server 1, without limitation.

In this embodiment, once the client agent software 20 has been installed on the client device 2 and started for the first time, it can log in to the server 1. After the client agent software 20 completes the login, the server 1 stores the login information of the client agent software 20, such as an authorization code, as user data 12, where the user data 12 corresponds to the client agent software 20.

It is worth mentioning that after the client agent software 20 logs in for the first time, the server-side management software 10 generates a client key 13 exclusive to the client agent software 20 based on the user data 12 (that is, the above login information) corresponding to it. The client key 13 is stored in the server 1 and is also recorded by the client agent software 20. When the client device 2 later requests to download files 11 through the client agent software 20, the server-side management software 10 encrypts those files 11 with the client key 13 corresponding to the client agent software 20 to produce an encrypted file 16 available for download. After the client device 2 has successfully downloaded the encrypted file 16, it can decrypt it with the client key 13 recorded by the client agent software 20.

In this embodiment, a file editor or a system administrator can submit a file sharing request to the server 1, that is, request that the server 1 allow the files 11 to be shared and set how they are shared: for example, which client device the files 11 may be shared with for download, at what time they may be downloaded or opened, how many times they may be opened, whether they may be edited, whether they may be printed, and so on. These settings are recorded by the server-side management software 10 as authorization permission data 14 of the files 11. When the client device 2 downloads one of the files 11, that file 11 can be opened only if the operation of the client device 2 complies with the authorization permission data 14 corresponding to it, and once the file 11 is opened, only operations that comply with the authorization permission data 14 can be performed on it.

Fig. 3 is a schematic diagram of the client agent software of the first embodiment of the present invention. As shown in Fig. 3, the client agent software 20 can be divided mainly into a permission filtering module 201, a file decryption execution module 202 and a client encryption module 203. When the client device 2 has downloaded the encrypted file 16 and opens it through the client agent software 20, the permission filtering module 201 must communicate with the server-side management software 10 to confirm whether the client device 2 is an authorized client that may legitimately open the encrypted file 16. For example, the permission filtering module 201 can transmit the client device 2's information to the server 1 for confirmation (described in detail later). If the client device 2 is indeed an authorized client, the file decryption execution module 202 decrypts the encrypted file 16 with the client key 13 recorded by the client agent software 20 to restore the file 11, and opens the file 11 once decryption succeeds.

It is worth mentioning that if the client device 2 is an enterprise-internal device, the client agent software 20 may be further constrained by the enterprise's file protection policy. For example, an enterprise may require that all documents edited on internal devices (such as Word, Excel, PowerPoint and PDF files) be encrypted before being uploaded to the server 1, to ensure their confidentiality. In this embodiment, when the user edits a document with the document editing software in the client device 2, the client agent software 20 can, once editing is complete, automatically encrypt the document through the client encryption module 203 (specifically, with the client key 13 recorded by the client agent software 20). The encrypted document is then uploaded to the server 1 and stored as one of the files 11.

In this embodiment, the client agent software 20 is mainly a driver-like application that resides at the low level of the client device 2 and can communicate with the various application programs installed on it. In the above embodiment, the client agent software 20 can, through this communication, allow or prohibit the actions those applications perform on the file (such as opening, editing, automatic encryption, uploading, printing and forwarding). The above, however, is only a preferred embodiment of the present invention and is not limiting.

Fig. 4 is a schematic diagram of the server-side management software of the first embodiment of the present invention. As shown in Fig. 4, the server-side management software 10 can be divided mainly into a data control hub 101, a permission filtering management module 102, a key management module 103 and an encryption/decryption control module 104. The data control hub 101 is the software core of the server-side management software 10 and processes, integrates and converts the data and instructions of the permission filtering management module 102, the key management module 103 and the encryption/decryption control module 104.

The permission filtering management module 102 communicates with the permission filtering module 201 during the verification procedure to confirm whether the client device 2 that wants to open the encrypted file 16 is an authorized client. When the client agent software 20 logs in for the first time, the key management module 103 dynamically creates the exclusive client key 13 based on the corresponding user data 12, and manages all the client keys 13 it has created.

The encryption/decryption control module 104 mainly includes a download encryption module 1041 and a download decryption module 1042. When the client device 2 wants to download the file 11, the download encryption module 1041 retrieves the corresponding client key 13 based on the user data 12 and encrypts the file 11 with the client key 13 to produce the encrypted file 16, which is then made available for the client device 2 to download.

It is worth noting that in this embodiment the server 1 first makes a copy of the file 11 requested by the client device 2 and then encrypts the copy. In other words, the server 1 still retains the original file 11 even after the encryption and download actions.

Depending on the enterprise's file protection policy, the files 11 stored in the server 1 may be unencrypted original files, or files encrypted with a server key. If the files 11 are encrypted with the server key, then before the server-side management software 10 produces the encrypted file 16 for the client device 2 to download, it must first obtain the server key through the download decryption module 1042, decrypt the file 11 with the server key to recover the original file, and only then perform the copying and encryption actions described above on the original file. Only in this way is the encrypted file 16 for download by the client device 2 produced.

In addition, the encryption/decryption control module 104 may further include an upload decryption module 1043 and an upload encryption module 1044. As described above, when the client device 2 finishes editing a file and uploads it, the enterprise's file protection policy may require the file to be encrypted with the client key 13 before upload. In this embodiment, after the server 1 receives the file uploaded by the client device 2, the upload decryption module 1043 first retrieves the corresponding client key 13 according to the corresponding user data 12 and decrypts the uploaded file with it to produce an original file. The upload encryption module 1044 then retrieves the server key, encrypts the original file with the server key, and stores the result as one of the files 11 described above. With these modules, the file 11 is protected by encryption whether it is on the client device 2, on the server 1, or in transit.

Referring to FIG. 5, a registration flowchart of the first embodiment of the present invention. To use the protection method of the present invention effectively and join the protection system, the user first installs the client agent software 20 on the client device 2 (step S10). After the client agent software 20 is started for the first time, it connects to the server 1 to log in (step S12). In this embodiment, when the client agent software 20 logs in, the server 1 records its login information as the user data 12 of the client agent software 20.

After the client agent software 20 completes its first login, the server-side management software 10 dynamically creates the client key 13 dedicated to the client agent software 20 from its user data 12 (step S14), and associates the client key 13 with the user data 12. After step S14, the server-side management software 10 stores the client key 13 (step S16), keeping that association with the user data 12. At the same time, the server-side management software 10 provides the client key 13 to the client agent software 20, so that the client agent software 20 records the client key 13 (step S18).

Through steps S10 to S18, the client agent software 20 logs in to the server 1 as soon as its installation completes and it is started for the first time. Once the login is complete, both the server 1 and the client agent software 20 hold the client key 13 dedicated to that client agent software 20.

Referring to FIG. 6, a file sharing request flowchart of the first embodiment of the present invention. As described above, to share any file 11 in the server 1 with other devices for download, the user (for example a file editor or a system administrator) submits the file sharing request to the server-side management software 10 (step S20). In the file sharing request, the user mainly selects the file 11 to be shared (step S22), sets the client device 2 that is the sharing target (step S24), and sets the usage rule of the file 11 (step S26). After the user completes the settings of steps S20 to S26, the server-side management software 10 stores these settings as the authorization permission data 14 of the file 11 (step S28). Steps S20 to S26 have no required execution order, so the order given above is not limiting.

More specifically, the file 11 selected in step S22 is the file that the user wishes to let the sharing-target client device 2 download. The sharing target set in step S24 is the authorized client that the user allows to download and open the file 11. In step S24 the user may identify the sharing target by its Media Access Control address (MAC address), or by the user data 12 of the client agent software 20 installed on it, but this is not limited. The usage rule set in step S26 describes the actions permitted on the file 11 after it is downloaded, such as when and how many times it may be opened, and whether it may be edited or printed. The above are only preferred embodiments of the present invention and are not limiting.

Referring to FIG. 7, an encrypted file download flowchart of the first embodiment of the present invention. When the client device 2 requests to download the file 11, it mainly connects to and logs in to the server 1 through a browser on the client device 2, and requests the file 11 from the server-side management software 10 (step S30). The server-side management software 10 then retrieves the corresponding user data 12 from the server 1 according to the login information of the client device 2 (here, the information of the client agent software 20), and at the same time retrieves the authorization permission data 14 of the file 11 (step S32). After step S32, the server-side management software 10 compares the user data 12 with the authorization permission data 14 to determine whether the client device 2 (that is, the client agent software 20) has permission to download the file 11 (step S34). If the client device 2 does not have download permission for the file 11, the server-side management software 10 rejects its download request for the file 11 (step S36).

If the client device 2 does have download permission for the file 11, the server-side management software 10 retrieves the corresponding client key 13 from the server 1 according to the user data 12 (step S38), and encrypts the file 11 with the client key 13 to produce the encrypted file 16 (step S40). After step S40, the server-side management software 10 allows the client device 2 to download the encrypted file 16 (step S42). The download in step S42 may be an automatic download by the client device 2, or the display of a download link for the encrypted file 16 that the user clicks to download; this is not limited.

It is worth noting that, as described above, if the file 11 itself is already encrypted with the server key, then before step S40 the server-side management software 10 first obtains the server key and decrypts the file 11 with it to recover the original file, and only then performs step S40.

In the foregoing embodiment, the download request for the file 11 and the verification of the download permission of the client device 2 are mainly carried out through the client agent software 20. However, files inside an enterprise may need to be provided to external customers or suppliers for download, and their devices may not have the client agent software 20 installed. The protection system and protection method of the present invention also apply to this situation, as described in detail below.

Referring to FIG. 8, an encrypted file download flowchart of the second embodiment of the present invention. If the sharing target is the external client device 22 (that is, a device without the client agent software 20 installed), the user likewise first submits the file sharing request to the server-side management software 10, selects the file 11 to share, and sets the sharing target and the usage rule of the file 11 (step S50). In this embodiment the user also provides an e-mail address of the sharing target, so that the sharing target can obtain the encrypted file 16 (described in detail below).

After step S50, the server-side management software 10 creates a specific key from these settings (step S52), and encrypts the file 11 with the specific key to produce the encrypted file 16 (step S54). Finally, the server-side management software 10 provides both the encrypted file 16 and the specific key to the sharing target (step S56). In step S56 the server-side management software 10 may generate a download link for the encrypted file 16 and send it, together with the specific key, to the e-mail address of the sharing target, but this is not limited.

Referring to FIG. 9, an encrypted file opening flowchart of the first embodiment of the present invention. After the client device 2 obtains the encrypted file 16 in the way described above, it can open the file locally (step S60). In the present invention, the client device 2 mainly opens the encrypted file 16 directly through the client agent software 20, or through an application program (not shown) installed on the client device 2 and managed by the client agent software 20; this is not limited.

When the client device 2 is about to open the encrypted file 16, the client agent software 20 obtains the information of the client device 2 and sends it to the server 1 (step S62). In this embodiment, this information may be, for example, the MAC address of the client device 2 and the authorization code of the client agent software 20, but it is not limited thereto.

After the server 1 receives the information of the client device 2, the server-side management software 10 determines whether the client device 2 is an authorized client permitted to open the encrypted file 16 (step S64), that is, whether the client device 2 is the sharing target set for the encrypted file 16.

Specifically, the server-side management software 10 compares the information of the client device 2 with the authorization permission data 14 corresponding to the encrypted file 16 to determine whether the client device 2 is the authorized client. If the server-side management software 10 concludes that the client device 2 is not a legitimate authorized client, it responds to the client agent software 20 with a message that the opening action is prohibited (step S66). After step S66, the client agent software 20 informs the user that the encrypted file 16 cannot be opened, or prevents the application program on the client device 2 from opening the encrypted file 16.

If the client device 2 is indeed an authorized client, the client agent software 20 next verifies whether its client key 13 can decrypt the encrypted file 16 (step S68). Specifically, the client agent software 20 holds the client key 13 after the login procedure described above, and the encrypted file 16 was encrypted with the client key 13 dedicated to that client agent software 20. Therefore, the encrypted file 16 can be correctly decrypted only if the client device 2 that opens it is the same client device 2 that downloaded it.

However, if the client agent software 20 does not hold the client key 13, or the client key it holds cannot decrypt the encrypted file 16, step S66 is executed: the client agent software 20 informs the user that the encrypted file 16 cannot be opened, or prevents the application program on the client device 2 from opening the encrypted file 16.

If the client agent software 20 successfully decrypts the encrypted file 16 and restores it to the file 11, the client agent software 20 further queries the server 1 to confirm whether the current opening action complies with the usage rule of the file 11 (step S70). In step S70, the server 1 receives the query from the client agent software 20 through the server-side management software 10 and looks up the authorization permission data 14 corresponding to the file 11, thereby judging whether the current opening action complies with the usage rule set for the file 11, for example whether the opening time is within the permitted period and whether the number of openings has reached its limit, though the rules are not limited to these. When the client agent software 20 receives the response from the server 1 and confirms that the current opening action does comply with the usage rule of the file 11, the file 11 can be opened (step S72). In this embodiment, in step S72 the client agent software 20 opens the file 11 directly, or allows the application program on the client device 2 to open the file 11.

However, if the server-side management software 10 concludes that the opening action of the client device 2 does not comply with the usage rule of the file 11, step S66 is executed: the client agent software 20 informs the user that the encrypted file 16 cannot be opened, or prevents the application program on the client device 2 from opening the encrypted file 16.

In this embodiment, the encrypted file 16 can be opened only when three conditions hold at the same time: the client device 2 is confirmed to be an authorized client, the client key 13 recorded by the client agent software 20 successfully decrypts the file, and the current opening action complies with the usage rule of the file. Steps S64, S68 and S70 have no required execution order and may be executed concurrently.
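The download flow of FIG. 7 (permission check, then encryption of a copy with the per-client key) and the three-way open check of FIG. 9 (authorized client, key fits, usage rule satisfied) can be modelled end to end in a few dozen lines. The following Python is an added example written for this page; it is not the patent's code or the applicant's software. Assumptions not in the patent: the client key is derived with HMAC from a server-side master secret and the user data; the authenticated encryption is a dependency-free stand-in built from HMAC-SHA256 (a real deployment would use a standard AEAD such as AES-GCM); usage rules are an expiry time and an open-count limit; and the device name and request time for the watermark (step S74) ride inside the encrypted payload as a small JSON header. The file content, device names and MAC addresses are constructed sample data.

```python
import hashlib
import hmac
import json
import os
import time


# Stand-in authenticated encryption (assumption: a deployment would use a standard
# AEAD such as AES-GCM). Separate encryption and tagging subkeys are derived from the client key.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, so a wrong key is detected instead of yielding garbage."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    return nonce + body + hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError when the key does not fit the file (step S68)."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()):
        raise ValueError("client key does not decrypt this file")
    return bytes(a ^ b for a, b in zip(body, _keystream(_subkey(key, b"enc"), nonce, len(body))))


class Server:
    """Server-side management software 10: files 11, user data 12, client keys 13,
    authorization permission data 14 and usage record data 15."""

    def __init__(self, files: dict):
        self.files = files                   # originals are copied for download, never replaced
        self.master = os.urandom(32)         # assumption: secret used to derive client keys
        self.user_data, self.client_keys = {}, {}
        self.auth_data, self.usage_log = {}, []

    def register(self, login_id: str, mac: str) -> bytes:
        """Steps S12-S18: the first login yields a client key derived from the user data."""
        self.user_data[login_id] = {"mac": mac}
        self.client_keys[login_id] = hmac.new(self.master, f"{login_id}|{mac}".encode(), hashlib.sha256).digest()
        return self.client_keys[login_id]

    def share(self, name: str, targets: set, rules: dict) -> None:
        """Steps S20-S28: record sharing targets and usage rules as authorization data."""
        self.auth_data[name] = {"targets": set(targets), "rules": dict(rules)}

    def download(self, login_id: str, name: str) -> bytes:
        """Steps S30-S42: check download permission, then encrypt a copy with the client key."""
        if login_id not in self.client_keys or login_id not in self.auth_data.get(name, {}).get("targets", ()):
            raise PermissionError("download refused (S36)")
        # Device name and request time travel with the file for the dynamic watermark (S74).
        header = json.dumps({"device": login_id, "requested_at": int(time.time())}).encode()
        return seal(self.client_keys[login_id], len(header).to_bytes(2, "big") + header + self.files[name])

    def is_authorized_client(self, name: str, login_id: str, mac: str) -> bool:
        """Step S64: compare the client's reported info with the file's authorization data."""
        auth = self.auth_data.get(name)
        return bool(auth) and login_id in auth["targets"] and self.user_data.get(login_id, {}).get("mac") == mac

    def open_allowed(self, name: str, now: float) -> bool:
        """Step S70: enforce usage rules (here an expiry time and an open-count limit)."""
        rules = self.auth_data[name]["rules"]
        opens = sum(1 for e in self.usage_log if e["file"] == name)
        return now <= rules.get("expires_at", float("inf")) and opens < rules.get("max_opens", float("inf"))


class ClientAgent:
    """Client agent software 20 on one client device 2."""

    def __init__(self, server: Server, login_id: str, mac: str):
        self.server, self.login_id, self.mac = server, login_id, mac
        self.client_key = server.register(login_id, mac)

    def open_file(self, name: str, blob: bytes, now: float):
        """Steps S60-S76: all three checks must pass; returns (watermark info, plaintext)."""
        if not self.server.is_authorized_client(name, self.login_id, self.mac):
            raise PermissionError("not an authorized client (S66)")
        try:
            payload = open_sealed(self.client_key, blob)
        except ValueError:
            raise PermissionError("client key cannot decrypt (S66)") from None
        if not self.server.open_allowed(name, now):
            raise PermissionError("usage rule violated (S66)")
        hlen = int.from_bytes(payload[:2], "big")
        self.server.usage_log.append({"file": name, "device": self.login_id, "at": now})  # S76
        return json.loads(payload[2:2 + hlen]), payload[2 + hlen:]


def demo() -> dict:
    """Constructed scenario: alice downloads; bob, also a sharing target, tries her copy."""
    server = Server({"plan.txt": b"Q4 roadmap (constructed sample content)"})
    alice = ClientAgent(server, "alice", "00:11:22:33:44:55")
    bob = ClientAgent(server, "bob", "66:77:88:99:aa:bb")
    server.share("plan.txt", {"alice", "bob"}, {"max_opens": 2, "expires_at": 2_000_000_000})
    blob = server.download("alice", "plan.txt")
    results = {}
    watermark, data = alice.open_file("plan.txt", blob, now=1_700_000_000)
    results["alice_first"], results["watermark_device"] = data, watermark["device"]
    for label, agent, when in (("bob_copy", bob, 1_700_000_001), ("alice_second", alice, 1_700_000_002),
                               ("alice_third", alice, 1_700_000_003)):
        try:
            results[label] = agent.open_file("plan.txt", blob, now=when)[1]
        except PermissionError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

The scenario shows the property the patent is after: bob passes step S64 because he is a sharing target of the same file, but the copy he received was sealed with alice's key, so step S68 fails and the file stays closed; alice's third open fails at step S70 once the open count in the usage record reaches the limit. Because the watermark header sits inside the sealed payload, it is also covered by the tag and cannot be altered without failing decryption.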

It is worth noting that when the server-side management software 10 produces the encrypted file 16, it may also add some information about the client device 2 (for example its device name) and the time at which the client device 2 requested the download into the encrypted file 16. After the client device 2 successfully opens the encrypted file 16, this information is displayed as a dynamic watermark on the opened file 11 (step S74). Finally, after the client device 2 successfully opens the file 11, the client agent software 20 returns the opening information to the server 1 (step S76), so that the server 1 stores and updates a usage record data 15. From the usage record data 15, administrators can easily see at what time, and by which client device, each of the files 11 in the server 1 was opened. When the enterprise discovers that a file has been used illegitimately, it can use the usage record data 15 to determine where the problem occurred.

The above are only preferred embodiments of the present invention and do not limit the scope of its claims; all equivalent variations made using the content of the present invention are likewise included within its scope.

Claims (16)

1. An encrypted file protection method, applied to a client device and a server, wherein the client device has a client agent software and the server has a server-side management software, the method comprising:
a) the client agent software obtaining an encrypted file and opening it locally;
b) sending information of the client device to the server;
c) the server-side management software determining, from the received information, whether the client device is an authorized client permitted to open the encrypted file;
d) if the client device is the authorized client, the client agent software determining whether a client key it holds can decrypt the encrypted file;
e) if the client key held by the client agent software can decrypt the encrypted file, further querying the server-side management software to confirm whether the current opening action of the client device complies with a usage rule set for the encrypted file; and
f) if the opening action complies with the usage rule, decrypting the encrypted file into a file and opening the file according to the usage rule.

2. The encrypted file protection method according to claim 1, further comprising a step g): if the client device is not the authorized client, or the client key held by the client agent software cannot decrypt the encrypted file, or the opening action does not comply with the usage rule, responding with a message that the opening action is prohibited.

3. The encrypted file protection method according to claim 1, wherein the information of the client device is the media access control address of the client device and the authorization code of the client agent software.

4. The encrypted file protection method according to claim 1, wherein in step f) the client agent software allows an application program on the client device to open the file.

5. The encrypted file protection method according to claim 1, wherein in step c) the server-side management software compares the received information with authorization permission data preset for the encrypted file to determine whether the client device is the authorized client, and wherein the authorization permission data records a sharing target with which the encrypted file may be shared and the usage rule.

6. The encrypted file protection method according to claim 5, further comprising, before step a), the following steps:
a01) submitting a file sharing request to the server-side management software;
a02) selecting the file to be shared;
a03) setting the sharing target of the file;
a04) setting the usage rule of the file; and
a05) storing the sharing target and the usage rule as the authorization permission data of the file.

7. The encrypted file protection method according to claim 6, further comprising, before step a), the following steps:
a11) the client agent software submitting a download request for the file to the server-side management software;
a12) the server-side management software retrieving corresponding user data according to the login information of the client agent software, wherein the user data is stored in the server;
a13) the server-side management software obtaining the authorization permission data of the file;
a14) comparing the user data with the authorization permission data to determine whether the client agent software has permission to download the file;
a15) if the client agent software has permission to download the file, the server-side management software obtaining the corresponding client key according to the user data, wherein the client key is stored in the server;
a16) encrypting the file with the client key to produce the encrypted file; and
a17) providing the encrypted file for the client agent software to download.

8. The encrypted file protection method according to claim 7, wherein, when the server-side management software produces the encrypted file, it places the information of the client device and the time of the download request into the encrypted file, and the encrypted file protection method further comprises a step h): dynamically displaying the information of the client device and the time of the download request as a watermark on the opened file.

9. The encrypted file protection method according to claim 7, further comprising, before step a), the following steps:
a21) installing the client agent software on the client device;
a22) the client agent software, after starting, connecting to the server to log in for the first time;
a23) the server-side management software storing the login information of the client agent software as the user data, and producing from the user data the client key dedicated to the client agent software;
a24) the server-side management software recording the client key and associating the client key with the user data; and
a25) the client agent software recording the client key.

10. The encrypted file protection method according to claim 1, further comprising a step i): after step f), the client agent software returning opening information to the server-side management software.

11. An encrypted file protection system, comprising:
a client agent software installed on a client device, including:
a rights filtering module which, when the client device intends to open an encrypted file, sends information of the client device to a server to confirm that the client device is an authorized client permitted to open the encrypted file; and
a file decryption execution module which, after the client device is confirmed to be the authorized client, decrypts the encrypted file into a file with a client key held by the client agent software, and opens the file when the current opening action complies with a usage rule set for the file, wherein the usage rule is stored in the server;
a server-side management software installed on the server, which is connected to the client device through a network, including:
a rights filtering management module which communicates with the rights filtering module to confirm, from the received information, whether the client device is the authorized client;
a key management module which, when the client agent software logs in to the server for the first time, produces the dedicated client key from the login information of the client agent software, wherein the client key is recorded both in the client agent software and in the server-side management software;
an encryption/decryption control module having a download encryption module which, on receiving a download request for the file from the client agent software, obtains the client key corresponding to the client agent software and encrypts the file with it to produce the encrypted file; and
a data control hub for processing, integrating and converting the data and instructions of the rights filtering management module, the key management module and the encryption/decryption control module.

12. The encrypted file protection system according to claim 11, wherein the file is encrypted with a server key of the server, and the encryption/decryption control module further has a download decryption module which, on receiving the download request for the file from the client agent software, obtains the server key to decrypt the file into an original file, and causes the download encryption module to encrypt the original file with the client key to produce the encrypted file.

13. The encrypted file protection system according to claim 11, wherein the client agent software further includes a client encryption module which, after the client device finishes editing a file document, encrypts the file document with the client key held by the client agent software, and the client device uploads the encrypted file document to the server for storage.

14. The encrypted file protection system according to claim 13, wherein the encryption/decryption control module further has:
an upload decryption module which, after the file document is received, obtains the client key corresponding to the client device to decrypt the file document into an original file document; and
an upload encryption module which obtains a server key preset by the server to encrypt the original file document to produce the file.

15. The encrypted file protection system according to claim 11, wherein the server stores usage record data which records the opening information of the encrypted file by the client device.

16. The encrypted file protection system according to claim 11, wherein the server stores authorization permission data of the file which records the usage rule of the file and a sharing target, and wherein the rights filtering management module compares the information of the client device with the sharing target of the file to confirm whether the client device is the authorized client.
CN201410493178.4A 2014-09-24 2014-09-24 encrypted file protection system and protection method thereof Active CN105516056B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410493178.4A CN105516056B (en) 2014-09-24 2014-09-24 encrypted file protection system and protection method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410493178.4A CN105516056B (en) 2014-09-24 2014-09-24 encrypted file protection system and protection method thereof

Publications (2)

Publication Number Publication Date
CN105516056A true CN105516056A (en) 2016-04-20
CN105516056B CN105516056B (en) 2018-10-26

Family

ID=55723704

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410493178.4A Active CN105516056B (en) 2014-09-24 2014-09-24 encrypted file protection system and protection method thereof

Country Status (1)

Country Link
CN (1) CN105516056B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111314781A (en) * 2018-12-11 2020-06-19 青岛海尔多媒体有限公司 Local file encryption method, device, equipment and storage medium
CN112565447A (en) * 2020-12-17 2021-03-26 南京维拓科技股份有限公司 Encryption and decryption method and system matched with uploading and downloading in cloud environment and WEB file manager
TWI860939B (en) * 2024-01-30 2024-11-01 碩壹資訊股份有限公司 Data processing system capable of managing authorities of application processes

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010042046A1 (en) * 2000-03-01 2001-11-15 Yasuo Fukuda Data management system, information processing apparatus, authentification management apparatus, method and storage medium
CN101174941A (en) * 2006-11-01 2008-05-07 北京书生国际信息技术有限公司 Off-line digital copyright protection method and device for mobile terminal document
CN102355463A (en) * 2011-10-10 2012-02-15 厦门简帛信息科技有限公司 Digital document encryption method
CN103108245A (en) * 2011-11-15 2013-05-15 中国银联股份有限公司 Smart television payment secret key system and payment method based on smart television

Also Published As

Publication number Publication date
CN105516056B (en) 2018-10-26

Similar Documents

Publication Publication Date Title
JP6941146B2 (en) Data security service
US8719582B2 (en) Access control using identifiers in links
CN104520805B (en) According to the security application ecosystem with key and data exchange of company information control strategy
KR100423797B1 (en) Method of protecting digital information and system thereof
US9070112B2 (en) Method and system for securing documents on a remote shared storage resource
CN100576198C (en) Inter-Entity Messaging Strategies and Enforcement for Rights Management
CN1723650B (en) Pre-licensing of rights management protected content
CN102710633B (en) A cloud security management system and method for confidential electronic documents
US8621036B1 (en) Secure file access using a file access server
JP6678457B2 (en) Data security services
US7458102B2 (en) Information security architecture for remote access control using non-bidirectional protocols
US11327946B2 (en) Hybrid centralized and decentralized enterprise system
JP2003228519A (en) Method and architecture for providing pervasive security for digital asset
CN101689989A (en) creating and validating cryptographically secured documents
CN102138145B (en) Cryptographically controlling access to documents
CN101743714A (en) updating and validating documents secured cryptographically
KR20220039779A (en) Enhanced security encryption and decryption system
KR20120037489A (en) Digital rights management (drm) method and equipment in small and medium enterprise (sme) and method for providing drm service
CN118713902A (en) A method, system, device and storage medium for sharing trusted data in the Internet of Things
CN105516056B (en) encrypted file protection system and protection method thereof
US12309274B2 (en) Cryptography-as-a-service
US20240048532A1 (en) Data exchange protection and governance system
CN106650492B (en) A kind of multiple device file guard method and device based on security catalog
JP7361384B2 (en) Electronic application assistance method, electronic application assistance system, electronic application assistance system program and its recording medium
TWI509458B (en) Protection system for encrypted document and protection method for using the same

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant