CN115794758A - An extended management and control method and system for data file sharing - Google Patents

Info

Publication number: CN115794758A
Authority: CN (China)
Prior art keywords: data file, access, data, receiving device, package
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202310044568.2A
Other languages: Chinese (zh)
Inventors: 高先周, 石聪聪, 杨如侠, 何阳, 梁飞
Current Assignee: State Grid Smart Grid Research Institute of SGCC (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: State Grid Smart Grid Research Institute of SGCC
Application filed by: State Grid Smart Grid Research Institute of SGCC
Priority to: CN202310044568.2A
Publication of: CN115794758A

Landscapes

  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present invention discloses an extended management and control method and system for data file sharing. The method includes: receiving component information of a data file receiving device, and determining an access identifier of the data receiving device based on that component information, where the component information of the data file receiving device is sent by the data receiver; obtaining data file access requirements, and generating access constraints based on those requirements; and obtaining the data file to be shared, associating the access identifier of the data receiving device, the access constraints and the data file to be shared to generate a data file package, and sending the data file package to the data receiver. The method achieves effective management and control of shared files, extends access control to data files shared between different organizations and different subjects, and guards against security risks such as uncontrolled copying, sharing and leakage of data files.

Description

An extended management and control method and system for data file sharing

Technical field

The invention relates to the technical field of data security, and in particular to an extended management and control method and system for data file sharing.

Background

As construction of the new power system and the digital transformation of the power sector advance, business entities are becoming more service-oriented and business applications more open. Data, as a key production factor, has been integrated into production and operation in fields such as electric power, energy and government affairs, and data security risks have become increasingly prominent. As the number of business entities grows, power data is shared more and more frequently across industries and enterprises. Once power data is shared with government, financial or other third-party organizations, it leaves the company's production environment and the right to use the data is transferred with it, which makes data security difficult to control. At the same time, the data exists indefinitely at the organization it was shared with and can be copied and re-shared at will, which greatly increases the risk of data leakage.

To strengthen protection after data is shared offline and to reduce the security risks that sharing brings, the industry currently relies mainly on digital watermarking: a visible or invisible watermark is added to the distributed data file before it is sent to the data receiver, and if the data leaks, the source of the leak can be traced from the watermark and responsibility for data security assigned. Digital watermarking is an important method for protecting shared data, but it is an after-the-fact measure. It provides no control over how the distributed data file is handled, so it cannot prevent the data from being copied, shared or kept indefinitely, and it cannot provide extended management and control of data files.

Therefore, in order to deal with the security risks that arise after data is shared offline, how to effectively control the operations of the data receiver and provide an effective extended protection measure after a data file is shared has become an urgent problem for those skilled in the art.

Summary of the invention

The technical problem to be solved by the present invention is therefore to overcome the defect that the prior art lacks control over how distributed data files are handled and has difficulty extending management and control to data files, and thereby to provide an extended management and control method and system for data file sharing.

In a first aspect of the present application, an embodiment of the present invention provides an extended management and control method for data file sharing, applied to the data provider, including:

receiving component information of the data file receiving device, and determining an access identifier of the data receiving device based on the component information of the data file receiving device, where the component information of the data file receiving device is sent by the data receiver;

obtaining data file access requirements, and generating access constraints based on the data file access requirements;

obtaining the data file to be shared, associating the access identifier of the data receiving device, the access constraints and the data file to be shared to generate a data file package, and sending the data file package to the data receiver.

The extended management and control method for data file sharing provided by the present invention determines the access identifier of the data receiving device from the component information of the data file receiving device sent by the data receiver, determines the access constraints from the access requirements, and associates the access identifier of the data receiving device, the access constraints and the data file to be shared. This achieves effective management and control of shared files, extends access control to data files shared between different organizations and different subjects, and guards against security risks such as uncontrolled copying, sharing and leakage of data files.

Optionally, determining the access identifier of the data receiving device based on the component information of the data file receiving device includes:

determining a plurality of initial hash values based on the component information of the data file receiving device;

determining the access identifier of the data receiving device from the plurality of initial hash values using a digest algorithm;

storing the access identifier of the data receiving device using a binary hash tree.

Optionally, the access constraints include:

an access count constraint, an access duration constraint, a data file modification constraint and a data file printing constraint.

Optionally, associating the access identifier of the data receiving device, the access constraints and the data file to be shared, generating a data file package, and sending the data file package to the data receiver includes:

encapsulating the data file to be shared, associating the encapsulated data file with the access count constraint, the access duration constraint, the data file modification constraint and the data file printing constraint to generate the data file package, and sending the data file package to the data receiver.

In a second aspect of the present application, an extended management and control method for data file sharing is also proposed, applied to the data receiver, including:

collecting component information of the data file receiving device, and sending the component information of the data file receiving device to the data provider;

receiving a data file package, and determining the data file access permission based on the component information of the data file receiving device and the data file package, where the data file package is determined by the data provider based on the component information of the data file receiving device;

obtaining the data file access behavior, determining the access constraints based on the data file package, and comparing the data file access behavior with the access constraints;

when the data file access behavior does not satisfy the access constraints, closing the data file access permission so as to stop sharing the data file package.

The extended management and control method for data file sharing provided by the present invention uses the access constraints to effectively control the data receiver's data file access behavior, effectively guards against the security risks that arise after data is shared offline, and extends access control to data files shared between different organizations and different subjects.

Optionally, determining the data file access permission based on the component information of the data file receiving device and the data file package includes:

determining a first access identifier based on the component information of the data file receiving device;

determining the access identifier of the data receiving device based on the data file package, and taking it as a second access identifier;

comparing the first access identifier with the second access identifier, and determining the data file access permission based on the comparison result.

Optionally, determining the access constraints based on the data file package and comparing the data file access behavior with the access constraints includes:

determining the access count constraint, the access duration constraint, the data file modification constraint and the data file printing constraint based on the data file package;

determining the total number of accesses, the access time, the file modification action and the file printing process based on the data file access behavior;

comparing the access count constraint, the access duration constraint, the data file modification constraint and the data file printing constraint with the total number of accesses, the access time, the file modification action and the file printing process, respectively.

Optionally, determining the data file access permission based on the component information of the data file receiving device and the data file package further includes:

obtaining the access record time at which the data file package is opened, and determining the access cut-off time based on the access record time and the access duration constraint;

obtaining the current access time periodically, and when the current access time lies between the access record time and the access cut-off time, updating the access record time and continuing to access the data file package, where the current access time is Internet time or local time;

or, when the current access time is after the access cut-off time, deleting the data file package and generating an invalid file to overwrite its sectors.
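The receiver-side constraint check described above, as an added Python example that is not code from the patent. The names `PackageState`, `new_state`, `check_time`, `open_file` and `check_action` are hypothetical, the dates are constructed, and two points the text leaves open are assumptions: a current time earlier than the access record time closes access (the stated condition for continuing is not met), and the interval bounds are inclusive.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PackageState:
    """Constraint state carried by the data file package (hypothetical layout)."""
    max_accesses: int        # access count constraint
    deadline: datetime       # access cut-off time
    record_time: datetime    # access record time, moved forward on every check
    allow_modify: bool       # data file modification constraint
    allow_print: bool        # data file printing constraint
    access_count: int = 0    # initial access count is recorded as 0
    closed: bool = False     # True once access permission has been closed


def new_state(first_open, duration, max_accesses,
              allow_modify=False, allow_print=False):
    """Cut-off time = access record time at first open + allowed duration."""
    return PackageState(max_accesses, first_open + duration, first_open,
                        allow_modify, allow_print)


def check_time(state, now):
    """Periodic time check; returns 'continue' or a 'close:<reason>' string."""
    if state.closed:
        return "close:already_closed"
    if now > state.deadline:
        # The text deletes the package and overwrites its sectors at this
        # point; this sketch only records the decision for the caller.
        state.closed = True
        return "close:expired"
    if now < state.record_time:
        # Assumption: a clock reading earlier than the last recorded access
        # is outside the permitted interval, so access is closed.
        state.closed = True
        return "close:clock_before_record"
    state.record_time = now  # update the access record time and continue
    return "continue"


def open_file(state, now):
    """One open of the data file counts as one access."""
    verdict = check_time(state, now)
    if verdict != "continue":
        return verdict
    if state.access_count >= state.max_accesses:
        state.closed = True
        return "close:count_exceeded"
    state.access_count += 1
    return "continue"


def check_action(state, action):
    """Compare an observed 'modify' or 'print' action with the constraints."""
    if state.closed:
        return "close:already_closed"
    permitted = {"modify": state.allow_modify, "print": state.allow_print}
    if action not in permitted:
        raise ValueError("unknown action: " + action)
    if not permitted[action]:
        state.closed = True
        return "close:" + action + "_forbidden"
    return "continue"


# Constructed sample values: first open on 10 Jan 2023, two days of access.
T0 = datetime(2023, 1, 10, 9, 0)
TWO_DAYS = timedelta(days=2)
```

Because the access record time only moves forward, setting the local clock back to before the last recorded access is detected, while setting it back to a point after that record is not; this is why the text allows Internet time as the source of the current access time.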

In a third aspect of the present application, an extended management and control system for data file sharing is also proposed, applied to the data provider, including:

a determining module, configured to receive component information of the data file receiving device and determine the access identifier of the data receiving device based on the component information of the data file receiving device, where the component information of the data file receiving device is sent by the data receiver;

a generating module, configured to obtain data file access requirements and generate access constraints based on the data file access requirements;

an associating module, configured to obtain the data file to be shared, associate the access identifier of the data receiving device, the access constraints and the data file to be shared to generate a data file package, and send the data file package to the data receiver.

In a fourth aspect of the present application, an extended management and control system for data file sharing is also proposed, applied to the data receiver, including:

a collection module, configured to collect component information of the data file receiving device and send the component information of the data file receiving device to the data provider;

a receiving module, configured to receive the data file package and determine the data file access permission based on the component information of the data file receiving device and the data file package, where the data file package is determined by the data provider based on the component information of the data file receiving device;

a comparison module, configured to obtain the data file access behavior, determine the access constraints based on the data file package, and compare the data file access behavior with the access constraints;

a closing module, configured to close the data file access permission so as to stop sharing the data file package when the data file access behavior does not satisfy the access constraints.

In a fifth aspect of the present application, a computer device is also proposed, including a processor and a memory, where the memory is used to store a computer program, the computer program includes a program, and the processor is configured to call the computer program to execute the method of the first aspect or the second aspect above.

In a sixth aspect of the present application, an embodiment of the present invention provides a computer-readable storage medium storing a computer program, where the computer program is executed by a processor to implement the method of the first aspect or the second aspect above.

Description of the drawings

In order to explain the specific embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a flowchart of an extended management and control method for data file sharing applied to the data provider in Embodiment 1 of the present invention;

FIG. 2 is a schematic diagram of data file sharing between the data provider and the data receiver in Embodiment 1 of the present invention;

FIG. 3 is a flowchart of step S101 in Embodiment 1 of the present invention;

FIG. 4 is a flowchart of an extended management and control method for data file sharing applied to the data receiver in Embodiment 2 of the present invention;

FIG. 5 is a flowchart of step S202 in Embodiment 2 of the present invention;

FIG. 6 is a flowchart of step S203 in Embodiment 2 of the present invention;

FIG. 7 is a functional block diagram of an extended management and control system for data file sharing applied to the data provider in Embodiment 3 of the present invention;

FIG. 8 is a functional block diagram of an extended management and control system for data file sharing applied to the data receiver in Embodiment 4 of the present invention.

Detailed description

The technical solutions of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

In the description of the present invention, it should be noted that orientations or positional relationships indicated by terms such as "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" are based on the orientations or positional relationships shown in the drawings. They are used only to facilitate and simplify the description of the present invention, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, so they should not be construed as limiting the present invention. In addition, the terms "first", "second" and "third" are used for descriptive purposes only and should not be construed as indicating or implying relative importance.

In addition, the technical features involved in the different embodiments of the present invention described below may be combined with each other as long as they do not conflict.

Embodiment 1

This embodiment provides an extended management and control method for data file sharing, applied to the data provider, as shown in FIGS. 1 and 2, including:

S101. Receive component information of the data file receiving device, and determine the access identifier of the data receiving device based on the component information of the data file receiving device, where the component information of the data file receiving device is sent by the data receiver.

Specifically, the data provider asks the data receiver for the required component information of the data file receiving device, including but not limited to processor information, network card information, hard disk information, memory information and optical drive information; the data provider obtains the component information of the data receiver's data file receiving device and processes it.

S102. Obtain data file access requirements, and generate access constraints based on the data file access requirements.

Specifically, the access constraints include: an access count constraint, an access duration constraint, a data file modification constraint and a data file printing constraint.

Further, the data provider obtains the data receiver's access requirements for the data file, including but not limited to access duration, number of accesses, data file modification, data file printing and data file copying.

Further, the data provider generates access constraints based on the data file access requirements and pairs them with access anomaly detection measures. For the number of accesses, a counting method is established in which opening the file by double-click or by right-click counts as one access, and the number of accesses is recorded. For limiting the access duration, the data file is limited to a specific date, and timing is done so that access permission is lost once that date is reached. For restricting modification, the data file is put in a no-modification mode to prevent the file from being modified. For restricting printing, the printing process is disabled for this data file to prevent it from being printed. For restricting screen capture, the ability to call screen capture tools is disabled while this file is being accessed, to prevent the file from being copied by screen capture.

S103. Obtain the data file to be shared, associate the access identifier of the data receiving device, the access constraints and the data file to be shared to generate a data file package, and send the data file package to the data receiver.

Specifically, the data file to be shared is encapsulated, the encapsulated data file is associated with the access count constraint, the access duration constraint, the data file modification constraint and the data file printing constraint to generate the data file package, and the data file package is sent to the data receiver.

Further, the data file to be shared is encapsulated into a shared data package. The shared data package is an executable program that calls the appropriate reader software according to the format of the encapsulated data file. For example, when the shared data package detects that the encapsulated data file is of type .doc or .docx (file extensions), it automatically searches the receiving device for Office software (an office software suite developed by Microsoft) and automatically calls the Office Word program (a document program) when the data file is accessed. When the data file package detects that the encapsulated data file is of type .pdf (Portable Document Format), it automatically searches the receiving device for commonly used PDF readers and, when the data file is accessed, automatically calls the relevant program according to a configured priority. If the receiving device has no reader program for the type of encapsulated data file that the data file package detects, it prompts that the file cannot be opened.

Further, the shared data package is associated with the access identifier of the data receiving device: the access identifier is placed in the shared data package, and the shared data package has a built-in ability to read the component information of the receiving device. For example, the data provider enters the component information of the data receiver's receiving device into the shared data package, computes a binary Merkle tree over that component information, and stores it in the shared data package as the access identifier for data file access; when access is abnormal, it checks and reports the device information for which the receiving device is inconsistent with the information provided. At the same time, the shared data package automatically detects the component information of the receiving device and computes the hash values of the corresponding component information using the same algorithm that was used to compute the access identifier.

Further, a limit on the number of accesses is added to the shared data package and associated with the data file in the shared data package, and the data file package is able to count each time the data file is opened. For example, the data provider enters the number of accesses requested by the data receiver into the shared data package and records the initial access count as 0; the shared data package associates the requested number of accesses with the data file and controls the number of times the data file is opened.

Further, a limit on the access duration is added to the shared data package and associated with the data file, and the shared data package has a built-in ability to read and record the date and time. For example, the data provider calculates the cut-off time for data file access from the access time requested by the data receiver; the shared data package records the current Internet record as the first record time and associates the data file access cut-off time with the data file; the shared data package controls the data file access duration.

Further, the shared data package has a built-in ability to restrict modification and printing of the data file. For example, according to the modification and printing requirements provided by the data receiver, the data provider configures capabilities such as restricting modification and restricting printing into the shared data package and associates them with the data file; the shared data package controls operations such as modifying and printing the data file.

Further, the shared data package is associated with the access constraints to generate the data file package, and the data file package is sent to the data file receiver, who accesses the data file through the designated receiving device.

The above extended management and control method for data file sharing determines the access identifier of the data receiving device from the component information of the data file receiving device sent by the data receiver, determines the access constraints from the access requirements, and associates the access identifier of the data receiving device, the access constraints and the data file to be shared. This achieves effective management and control of shared files, extends access control to data files shared between different organizations and different subjects, and guards against security risks such as uncontrolled copying, sharing and leakage of data files.

As an optional implementation of the present invention, as shown in FIG. 3, determining the access identifier of the data receiving device based on the component information of the data file receiving device in step S101 includes:

S1011. Determine multiple initial hash values based on the component information of the data file receiving device.

Specifically, the data provider applies a digest algorithm to the component information of the data file receiving device supplied by the data receiver to compute initial hash values. For example, the national cryptographic (Guomi) SM3 digest algorithm is used to obtain separate initial hash values for the processor information, network card information, hard disk information, memory information and optical drive information. SM3 is a cryptographic hash algorithm suitable for digital signature and verification, generation and verification of message authentication codes, and random number generation in commercial cryptography applications, and it can meet the security requirements of many cryptographic applications.

S1012. Based on the multiple initial hash values, determine the access identifier of the data receiving device using the digest algorithm.

Specifically, the initial hash values of the receiving device's component information are concatenated, and the digest algorithm is applied pairwise, repeatedly, until a final hash value is produced; this hash value serves as the access identifier of the data receiving device.

For example, the processor-information hash value is concatenated with the network-card-information hash value, and the hard-disk-information hash value with the memory-information hash value, and the SM3 digest algorithm is applied to each pair to obtain two hash values; these two hash values are then concatenated and the SM3 digest algorithm is applied again to obtain the final hash value, which is the access identifier of the data receiving device.

S1013. Store the access identifier of the data receiving device using a binary hash tree.

Specifically, the entire hash computation is stored as a binary Merkle tree (that is, a binary hash tree), so that when a device accesses the data file, the component information that is inconsistent with the access identifier can be located quickly.

In the above embodiment, the component information of the data receiver's data file receiving device is processed and an access identifier is generated from the processor information, network card information, hard disk information, memory information and so on, which makes it possible to control access rights to the shared data file.

Embodiment 2

This embodiment provides an extended management and control method for data file sharing, applied at the data receiver. As shown in FIG. 4, it includes:

S201. Collect the component information of the data file receiving device, and send the component information of the data file receiving device to the data provider.

Specifically, the data receiver collects the component information of the data file receiving device that the data provider requires, and provides that component information to the data provider.

Furthermore, as shown in FIG. 2, after receiving the data file provided by the data provider, the data receiver accesses the data file package through the receiving device that contains all of the components whose information was provided to the data provider, and accesses the content of the data file through the data file package.

Furthermore, the data file receiving device may be a mobile terminal, a PC terminal (computer terminal), or a tablet computer.

S202. Receive the data file package, and determine the data file access permission based on the component information of the data file receiving device and the data file package; the data file package is determined by the data provider based on the component information of the data file receiving device.

Specifically, before the data file is accessed, the data file package reads the component information of the receiving device, computes the access identifier, and determines the access permission of the receiving device.

S203. Acquire the data file access behavior, determine the access constraints based on the data file package, and compare the data file access behavior with the access constraints.

S204. When the data file access behavior does not satisfy the access constraints, revoke the data file access permission so as to stop sharing the data file package.

Specifically, when the total number of accesses does not satisfy the access-count constraint in the access constraints, or the access time does not satisfy the access-duration constraint in the access constraints, the data file package is deleted and an invalid file is generated to overwrite the sectors.

Furthermore, based on the comparison result, the data file package continuously monitors how long the data file has been in use and how many times it has been opened, and handles accordingly any case that no longer meets the conditions for continued access.

In the above extended management and control method for data file sharing, the data receiver's data file access behavior is effectively controlled through the access constraints. This effectively guards against security risks after data has been shared offline and achieves extended access control over data files shared between different organizations and different parties.

As an optional implementation of the present invention, as shown in FIG. 5, determining the data file access permission based on the component information of the data file receiving device and the data file package in step S202 includes:

S2021. Determine a first access identifier based on the component information of the data file receiving device.

Specifically, the data file package reads the receiving device component information collected by the data receiver, including but not limited to processor information, network card information, hard disk information and memory information, and performs the per-item hash operations and the hash operations on the concatenated values in the same order the data provider used to generate the access identifier, obtaining the final hash value, that is, the first access identifier.

S2022. Determine the access identifier of the data receiving device based on the data file package, and take that access identifier as a second access identifier.

S2023. Compare the first access identifier with the second access identifier, and determine the data file access permission based on the comparison result.

Specifically, the first access identifier is compared with the second access identifier. If they are consistent, the data receiver can access the data file through the data file package. If they are inconsistent, the data receiver does not have permission to open the data file; in that case the data file package uses the binary Merkle tree to quickly locate the device component information on the receiving device that is inconsistent with the component information originally provided, and reports it to the data receiver, who then locates and troubleshoots the problem.

In the above embodiment, the access identifier of the data receiver is generated based on a binary Merkle tree, and the device information that does not satisfy the access conditions can be located quickly.
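The following is an added example, not code from the patent, that builds the access identifier of steps S1011 to S1013 and performs the comparison and mismatch location of steps S2021 to S2023. The component names and values are constructed, SHA-256 stands in for SM3 when the local OpenSSL does not provide SM3, and promoting an unpaired node unchanged is an assumption for component counts that are not a power of two.

```python
import hashlib
import hmac

# Fixed order shared by provider and receiver (illustrative names, constructed values).
COMPONENT_ORDER = ("processor", "network_card", "hard_disk", "memory")
REGISTERED = {
    "processor": "CPU-MODEL-A/serial-0001",
    "network_card": "02:00:00:aa:bb:01",
    "hard_disk": "DISK-SN-1234",
    "memory": "16GiB/DIMM-SN-5678",
}


def _pick_algorithm() -> str:
    """Prefer SM3 as the page specifies; fall back to SHA-256 as a stand-in."""
    try:
        hashlib.new("sm3", b"")
        return "sm3"
    except ValueError:
        return "sha256"


ALGORITHM = _pick_algorithm()


def digest(data: bytes) -> bytes:
    return hashlib.new(ALGORITHM, data).digest()


def build_tree(components: dict) -> list:
    """Return every level of the tree: levels[0] are leaf hashes, levels[-1] is [root]."""
    level = [digest(components[name].encode("utf-8")) for name in COMPONENT_ORDER]
    levels = [level]
    while len(level) > 1:
        parents = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                parents.append(digest(level[i] + level[i + 1]))  # hash of the concatenated pair
            else:
                parents.append(level[i])  # assumption: unpaired node is promoted unchanged
        level = parents
        levels.append(level)
    return levels


def access_identifier(levels: list) -> str:
    """The root hash is the access identifier."""
    return levels[-1][0].hex()


def locate_mismatches(stored: list, observed: list) -> list:
    """Walk down from the root, descending only into subtrees whose hashes differ."""
    if [len(lv) for lv in stored] != [len(lv) for lv in observed]:
        raise ValueError("tree shapes differ")
    pending = [(len(stored) - 1, 0)]
    bad = []
    while pending:
        depth, idx = pending.pop()
        if hmac.compare_digest(stored[depth][idx], observed[depth][idx]):
            continue  # identical subtree, nothing below it can differ
        if depth == 0:
            bad.append(COMPONENT_ORDER[idx])
            continue
        for child in (2 * idx, 2 * idx + 1):
            if child < len(stored[depth - 1]):
                pending.append((depth - 1, child))
    return sorted(bad, key=COMPONENT_ORDER.index)


def check_access(stored_levels: list, device_components: dict) -> tuple:
    """Return (granted, mismatched component names) for the device being used."""
    observed = build_tree(device_components)  # first access identifier (S2021)
    if hmac.compare_digest(stored_levels[-1][0], observed[-1][0]):  # S2023
        return True, []
    return False, locate_mismatches(stored_levels, observed)


if __name__ == "__main__":
    package_tree = build_tree(REGISTERED)  # stored in the package by the provider
    print(ALGORITHM, access_identifier(package_tree))
    print(check_access(package_tree, dict(REGISTERED, network_card="02:00:00:aa:bb:99")))
```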

As an optional implementation of the present invention, as shown in FIG. 6, determining the access constraints based on the data file package and comparing the data file access behavior with the access constraints in step S203 includes:

S2031. Determine the access-count constraint, the access-duration constraint, the data file modification constraint and the data file printing constraint based on the data file package.

S2032. Determine the total number of accesses, the access time, the file modification action and the file printing process based on the data file access behavior.

S2033. Compare the access-count constraint, the access-duration constraint, the data file modification constraint and the data file printing constraint with the total number of accesses, the access time, the file modification action and the file printing process, respectively.

Specifically, when the data file package opens the data file within the permitted access duration, it records the time of the current access, replacing the first recorded time or the previous access time, and compares against it the next time the data file is accessed, to prevent abnormal access achieved by changing the device's clock or by other means.

Specifically, when the receiving device accesses the data file, the data file package counts the access and determines that the access-count constraint on the receiving device takes effect. Based on the data file access count, once the data receiver holds data file access permission and has opened the data file, the data file package increments the data file access count by 1, obtains and records the current total number of accesses, and compares this total with the permitted number of accesses in the access-count constraint; if it is within the permitted number, access to the data file may continue, otherwise the case is handled.

Furthermore, handling of the data file access-count limit: if the number of accesses exceeds the permitted number, the data file is deleted and an invalid file is generated to overwrite the sectors.

Specifically, the data file package activates file protection measures that restrict the receiving device from modifying or printing the data file. Based on the modification and printing restriction capability embedded in the data file package, once the data receiver has opened the data file: when modification of the data file is attempted, the data file package performs file redirection to store the data file encrypted and read-only, and prohibits application processes from editing or modifying the file; when printing of the data file is attempted, the data file package captures the printing process and, if printing of the data file is prohibited, blocks the printing process as a linked response.

In the above embodiment, access duration after a data file has been shared is checked effectively by recording and comparing access times, so that access to the data file can be controlled on the basis of its access duration. Combined with the extended access constraints that limit access duration, limit the number of accesses, and restrict modification and printing, this allows fine-grained control of the shared data file both while it is being accessed and after its use has ended.

As an optional implementation of the present invention, determining the access constraints based on the data file package and comparing the data file access behavior with the access constraints in step S203 further includes:

Obtaining the access record time when the data file package is opened, and determining the access deadline based on the access record time and the access-duration constraint.

Periodically obtaining the current access time; when the current access time is between the above-mentioned current time and the access deadline, updating the access record time and continuing to access the data file package, where the current access time is Internet time or local time.

Specifically, when the data receiver's receiving device accesses the data file in the data file package, the data file package reads and records the access time and determines that the access-duration constraint on the receiving device takes effect. Based on the access deadline determined from the data file access-duration constraint, once the data receiver holds data file access permission and has opened the data file, the data file package checks and records the current time. If the receiving device is connected to the Internet, the data file package reads Internet time and compares it with the first recorded time and the data file access deadline; if it is after the first recorded time and before the data file access deadline, access to the data file may continue, otherwise the case is handled. If the receiving device is not connected to the Internet, the data file package reads local time and compares it with the first recorded time and the data file access deadline; if it is after the first recorded time and before the data file access deadline, access to the data file may continue, otherwise the case is handled.

Alternatively, when the current access time is after the access deadline, the data file package is deleted and an invalid file is generated to overwrite the sectors.

Specifically, handling of the data file access-time limit: if the access time is earlier than the previous access time, an Internet connection is required for a time check; if the access time has passed the permitted access time (that is, the access deadline), the data file is deleted and an invalid file is generated to overwrite the sectors; if the access time has not passed the permitted access time, the user is prompted to update the local time before accessing again.
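The decision logic described above for the access-count and access-duration constraints, including the check for a local clock that has been set back, written out as an added example that is not code from the patent. The class, field and decision names are hypothetical, the sample dates are constructed, and the deletion and sector overwrite themselves are represented only by the returned decision.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "continue access"
    DELETE = "delete the package and overwrite its sectors"
    NEED_INTERNET_TIME = "connect to the Internet for a time check"
    PROMPT_UPDATE_LOCAL_TIME = "ask the user to correct the local clock"


@dataclass
class PackageState:
    """Counters and timestamps the package keeps alongside the data file."""
    max_opens: int
    first_recorded: datetime
    last_access: datetime
    deadline: datetime
    opens: int = 0  # the provider records the initial access count as 0


def new_package(first_recorded: datetime, duration: timedelta, max_opens: int) -> PackageState:
    """Access deadline = access record time + access-duration constraint."""
    return PackageState(max_opens, first_recorded, first_recorded, first_recorded + duration)


def evaluate_open(state: PackageState, local_now: datetime,
                  internet_now: Optional[datetime] = None) -> Decision:
    """Decide what happens when the receiver opens the data file."""
    # Local time earlier than the last recorded access: the clock was set back.
    if local_now < state.last_access:
        if internet_now is None:
            return Decision.NEED_INTERNET_TIME
        if internet_now > state.deadline:
            return Decision.DELETE
        return Decision.PROMPT_UPDATE_LOCAL_TIME

    # Internet time is used when connected, local time otherwise.
    now = internet_now if internet_now is not None else local_now
    if now > state.deadline:
        return Decision.DELETE

    # Count this open, then compare the total with the permitted number.
    state.opens += 1
    if state.opens > state.max_opens:
        return Decision.DELETE

    # Replace the stored time so that the next open is compared against this one.
    state.last_access = max(state.last_access, now)
    return Decision.ALLOW


if __name__ == "__main__":
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)  # constructed sample date
    pkg = new_package(t0, timedelta(days=7), max_opens=2)
    print(evaluate_open(pkg, t0 + timedelta(days=1)))    # normal open
    print(evaluate_open(pkg, t0 + timedelta(hours=12)))  # clock set back while offline
```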

Embodiment 3

This embodiment provides an extended management and control system for data file sharing, applied at the data provider. As shown in FIG. 7, it includes:

A determining module 71, configured to receive the component information of the data file receiving device and determine the access identifier of the data receiving device based on the component information of the data file receiving device; the component information of the data file receiving device is sent by the data receiver.

Specifically, the data provider requests from the data receiver the required component information of the data file receiving device, including but not limited to processor information, network card information, hard disk information, memory information and optical drive information; the data provider obtains the component information of the data receiver's data file receiving device and processes it.

A generating module 72, configured to obtain the data file access requirements and generate the access constraints based on the data file access requirements.

Specifically, the access constraints include an access-count constraint, an access-duration constraint, a data file modification constraint and a data file printing constraint.

Furthermore, the data provider obtains the data receiver's access requirements for the data file, including but not limited to access duration, number of accesses, data file modification, data file printing and data file copying.

Furthermore, the data provider generates the access constraints based on the data file access requirements and pairs them with measures for detecting abnormal access. For the number of data file accesses, a counting method is established in which opening the file by a mouse double-click or via the right-click menu counts as one access, and the number of data accesses is recorded. For limiting the data access duration, timing is done by limiting the data file to a specific date, after which access permission is lost. For restricting data file modification, the data file is placed in a modification-prohibited mode to prevent the file from being modified. For restricting data file printing, the printing process for this data file is disabled to prevent the data file from being printed. For restricting screenshots of the data file, the ability to invoke screenshot tools is disabled while the file is being accessed, to prevent the file from being copied by screen capture.

An associating module 73, configured to obtain the data file to be shared, associate the access identifier of the data receiving device, the access constraints and the data file to be shared, generate the data file package, and send the data file package to the data receiver.

Specifically, the data file to be shared is encapsulated, and the encapsulated data file is associated with the access-count constraint, the access-duration constraint, the data file modification constraint and the data file printing constraint to generate the data file package, which is sent to the data receiver.

Furthermore, the data file to be shared is encapsulated into a shared data package. The shared data package is an executable program that can invoke the appropriate reader software according to the format of the encapsulated data file. For example, when the shared data package detects that the encapsulated data file is of type .doc (a file extension) or .docx (a file extension), it automatically searches the receiving device for Office software (an office software suite developed by Microsoft) and automatically invokes the Office Word program (a document program) when the data file is accessed. When the data file package detects that the encapsulated data file is of type .pdf (Portable Document Format), it automatically searches the receiving device for common PDF reader software and, when the data file is accessed, automatically invokes the relevant program according to the configured priority. If the data file package detects the type of the encapsulated data file but no reader program for it exists on the receiving device, it reports that the file cannot be opened.

Furthermore, the access identifier of the data receiving device is associated through the shared data package: the access identifier is placed into the shared data package, and the shared data package has an embedded capability to read the component information of the receiving device. For example, the data provider enters the component information of the data receiver's receiving device into the shared data package, computes the binary Merkle tree of the receiving device's component information, and stores it in the shared data package as the access identifier for data file access; when access is abnormal, the tree is checked to report the device information for which the receiving device is inconsistent with the information provided. In addition, the shared data package automatically detects the component information of the receiving device and computes the hash values of the corresponding component information using the same algorithm that was used to compute the access identifier.

Furthermore, a limit on the number of accesses is added to the shared data package and associated with the data file in the shared data package, and the data file package is able to count the number of times the data file is opened. For example, the data provider enters the required number of accesses supplied by the data receiver into the shared data package and records the initial access count as 0; the shared data package associates the required number of accesses with the data file and controls the number of times the data file is opened.

Furthermore, a limit on the access duration is added to the shared data package and associated with the data file, and the shared data package has an embedded capability to read and record the date and time. For example, the data provider computes the deadline for data file access according to the required access time supplied by the data receiver; the shared data package records the current Internet time record as the first recorded time and associates the data file access deadline with the data file, and the shared data package controls the data file access duration.

Furthermore, the shared data package has an embedded capability to restrict modification and printing of the data file. For example, according to the modification and printing requirements supplied by the data receiver, the data provider configures capabilities such as restricted modification and restricted printing into the shared data package and associates them with the data file; the shared data package then controls operations such as modifying and printing the data file.

Furthermore, the shared data package is associated with the access constraints to generate the data file package, and the data file package is sent to the data file receiver, who accesses the data file through the designated receiving device.

In the above extended management and control system for data file sharing, the access identifier of the data receiving device is determined from the component information of the data file receiving device sent by the data receiver, the access constraints are determined from the access requirements, and the access identifier of the data receiving device, the access constraints and the data file to be shared are associated with one another. This achieves effective control of shared files and extended access control over data files shared between different organizations and different parties, and guards against security risks such as uncontrolled copying, sharing and leakage of data files.

As an optional implementation of the present invention, the determining module 71 includes:

A first determining submodule, configured to determine multiple initial hash values based on the component information of the data file receiving device.

Specifically, the data provider applies a digest algorithm to the component information of the data file receiving device supplied by the data receiver to compute initial hash values. For example, the national cryptographic (Guomi) SM3 digest algorithm is used to obtain separate initial hash values for the processor information, network card information, hard disk information, memory information and optical drive information. SM3 is a cryptographic hash algorithm suitable for digital signature and verification, generation and verification of message authentication codes, and random number generation in commercial cryptography applications, and it can meet the security requirements of many cryptographic applications.

A second determining submodule, configured to determine the access identifier of the data receiving device using the digest algorithm, based on the multiple initial hash values.

Specifically, the initial hash values of the receiving device's component information are concatenated, and the digest algorithm is applied pairwise, repeatedly, until a final hash value is produced; this hash value serves as the access identifier of the data receiving device.

For example, the processor-information hash value is concatenated with the network-card-information hash value, and the hard-disk-information hash value with the memory-information hash value, and the SM3 digest algorithm is applied to each pair to obtain two hash values; these two hash values are then concatenated and the SM3 digest algorithm is applied again to obtain the final hash value, which is the access identifier of the data receiving device.

A storage submodule, configured to store the access identifier of the data receiving device using a binary hash tree.

Specifically, the entire hash computation is stored as a binary Merkle tree (that is, a binary hash tree), so that when a device accesses the data file, the component information that is inconsistent with the access identifier can be located quickly.

Embodiment 4

This embodiment provides an extended management and control system for data file sharing, applied at the data receiver. As shown in FIG. 8, it includes:

A collecting module 81, configured to collect the component information of the data file receiving device and send the component information of the data file receiving device to the data provider.

Specifically, the data receiver collects the component information of the data file receiving device that the data provider requires, and provides that component information to the data provider.

Furthermore, as shown in FIG. 2, after receiving the data file provided by the data provider, the data receiver accesses the data file package through the receiving device that contains all of the components whose information was provided to the data provider, and accesses the content of the data file through the data file package.

Furthermore, the data file receiving device may be a mobile terminal, a PC terminal (computer terminal), or a tablet computer.

A receiving module 82, configured to receive the data file package and determine the data file access permission based on the component information of the data file receiving device and the data file package; the data file package is determined by the data provider based on the component information of the data file receiving device.

Specifically, before the data file is accessed, the data file package reads the component information of the receiving device, computes the access identifier, and determines the access permission of the receiving device.

比较模块83,用于获取数据文件访问行为,基于上述数据文件包确定访问约束条件,将上述数据文件访问行为与上述访问约束条件进行比较。The comparison module 83 is configured to acquire data file access behavior, determine access constraint conditions based on the data file package, and compare the data file access behavior with the access constraint conditions.

关闭模块84,用于当上述数据文件访问行为不符合上述访问约束条件时,关闭上述数据文件访问权限,以停止共享上述数据文件包。The closing module 84 is configured to close the above-mentioned data file access permission when the above-mentioned data file access behavior does not meet the above-mentioned access constraint conditions, so as to stop sharing the above-mentioned data file package.

具体地,当上述访问总次数不符合访问约束条件中的访问次数约束,或上述访问时间不符合访问约束条件中的访问时长约束时,将上述数据文件包删除,生成无效文件覆盖扇区。Specifically, when the total number of access times does not meet the number of access constraints in the access constraints, or the access time does not meet the access duration constraints in the access constraints, the data file package is deleted to generate an invalid file coverage sector.

进一步地,基于上述比较结果,数据文件包持续监测数据文件使用时长、打开次数,针对不满足继续访问条件的,进行相应处理。Further, based on the above comparison results, the data file package continuously monitors the usage time and opening times of the data files, and performs corresponding processing for those that do not meet the conditions for continued access.

上述一种数据文件共享的延伸管控系统,通过上述访问约束条件对数据接收方的数据文件访问行为进行有效管控,有效防范了数据离线共享后的安全风险,实现了对数据文件在不同单位、不同主体之间共享的延伸访问管控。The above-mentioned extended control system for data file sharing effectively controls the data file access behavior of the data receiver through the above-mentioned access constraints, effectively prevents the security risk after the data is shared offline, and realizes the control of data files in different units and different locations. Extended access controls shared between principals.

As an optional implementation of the present invention, the receiving module 82 includes:

A third determining submodule, configured to determine a first access identifier based on the component information of the data file receiving device.

Specifically, the data file package reads the receiving device component information collected by the data receiver, including but not limited to processor information, network card information, hard disk information and memory information. In the same order that the data provider used to generate the access identifier, it applies the Hash operation to each item and then to the concatenated results, obtaining the final Hash value, which is the first access identifier.

A fourth determining submodule, configured to determine the access identifier of the data receiving device based on the data file package, and to use that access identifier as a second access identifier.

A first comparing submodule, configured to compare the first access identifier with the second access identifier and to determine the data file access permission based on the comparison result.

Specifically, the first access identifier is compared with the second access identifier. If they are consistent, the data receiver can access the data file through the data file package. If they are inconsistent, the data receiver does not have permission to open the data file; in that case the data file package uses the binary Merkle tree to quickly locate the component information on the receiving device that is inconsistent with the component information originally provided, and reports it to the data receiver, who then locates and troubleshoots the problem.
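The identifier comparison and Merkle-tree localization described above can be sketched as follows. This is an added example, not code from the patent: SHA-256, the component names, the leaf/node prefixes and the sample values are all assumptions chosen for illustration.

```python
import hashlib
import hmac

# Assumed component names and order; provider and receiver must hash in the same order.
COMPONENT_ORDER = ("cpu", "nic", "disk", "memory")


def _leaf(name: str, value: str) -> bytes:
    # Prefix 0x00 separates leaf hashes from inner-node hashes (0x01).
    return hashlib.sha256(b"\x00" + name.encode() + b"=" + value.encode()).digest()


def _node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_tree(components: dict) -> list:
    """Return the binary hash tree as a list of levels: leaves first, root last."""
    # A component that cannot be read hashes as an empty value, so it shows up as a mismatch.
    levels = [[_leaf(n, components.get(n, "")) for n in COMPONENT_ORDER]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:              # odd level: pair the last node with itself
            cur = cur + [cur[-1]]
        levels.append([_node(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def access_identifier(levels: list) -> str:
    """The root hash plays the role of the access identifier."""
    return levels[-1][0].hex()


def mismatched_components(stored: list, local: list) -> list:
    """Walk down from the root, descending only into subtrees whose hashes differ."""
    if hmac.compare_digest(stored[-1][0], local[-1][0]):
        return []
    suspects = [0]
    for depth in range(len(stored) - 1, 0, -1):
        below_stored, below_local = stored[depth - 1], local[depth - 1]
        nxt = []
        for idx in suspects:
            for child in (2 * idx, 2 * idx + 1):
                if child < len(below_stored) and below_stored[child] != below_local[child]:
                    nxt.append(child)
        suspects = nxt
    return [COMPONENT_ORDER[i] for i in suspects]


def check_device(stored_tree: list, local_components: dict) -> tuple:
    """Return (access_granted, names_of_inconsistent_components)."""
    local_tree = build_tree(local_components)
    granted = hmac.compare_digest(stored_tree[-1][0], local_tree[-1][0])
    return granted, ([] if granted else mismatched_components(stored_tree, local_tree))


# Constructed sample values, not real device data.
REGISTERED = {"cpu": "CPU-SERIAL-A1", "nic": "02:00:00:aa:bb:01",
              "disk": "DISK-SERIAL-D7", "memory": "MEM-16G-M3"}
PACKAGE_TREE = build_tree(REGISTERED)   # second access identifier, carried in the package

if __name__ == "__main__":
    swapped_nic = dict(REGISTERED, nic="02:00:00:aa:bb:99")
    print(check_device(PACKAGE_TREE, REGISTERED))    # (True, [])
    print(check_device(PACKAGE_TREE, swapped_nic))   # (False, ['nic'])
```

Only the subtrees whose hashes differ are visited, which is what lets the package report the specific inconsistent component without comparing raw component values.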

As an optional implementation of the present invention, the comparison module 83 includes:

A fifth determining submodule, configured to determine the access count constraint, the access duration constraint, the data file modification constraint and the data file printing constraint based on the data file package.

A sixth determining submodule, configured to determine the total number of accesses, the access time, the file modification action and the file printing process based on the data file access behavior.

A second comparing submodule, configured to compare the access count constraint, the access duration constraint, the data file modification constraint and the data file printing constraint with the total number of accesses, the access time, the file modification action and the file printing process, respectively.

Specifically, each time the data file package opens the data file within the access duration, it records the time of that access, replacing the first recorded time or the previous access time, and compares against it the next time the data file is accessed, so as to prevent abnormal access through changing the device's time setting or by other means.

Further, handling of the data file access count limit: when the number of accesses exceeds the permitted number of accesses, the data file is deleted and an invalid file is generated to overwrite the sectors.

Specifically, when the receiving device accesses the data file, the data file package counts the access and determines that the access count constraint for the receiving device is in effect. Based on the data file access count, once the data receiver has the data file access permission and has opened the data file, the data file package increments the data file access count by 1, obtains and records the current total number of accesses, and compares this total with the permitted number of accesses in the access count constraint. If the total is within the permitted number, access to the data file may continue; otherwise the case is handled.

Specifically, the data file package activates file protection measures that restrict the receiving device from modifying or printing the data file. The capability to restrict modification and printing is embedded in the data file package. After the data receiver opens the data file, when the data file is modified, the data file package performs file redirection so that the data file is stored encrypted and read-only, and application processes are prohibited from editing or modifying the file. When the data file is printed, the data file package captures the printing process; if printing of the data file is prohibited, the data file package blocks the printing process as a linked response.

As an optional implementation of the present invention, the comparison module 83 further includes:

An obtaining submodule, configured to obtain the access record time at which the data file package is opened, and to determine the access deadline based on the access record time and the access duration constraint.

An updating submodule, configured to obtain the current access time periodically; when the current access time is between the above current time and the access deadline, the access record time is updated and access to the data file package continues. The current time is Internet time or local time.

Specifically, when the data receiver's receiving device accesses the data file in the data file package, the data file package reads and records the access time and determines that the access duration constraint for the receiving device is in effect. The access deadline is determined from the data file access duration constraint. Once the data receiver has the data file access permission and has opened the data file, the data file package checks and records the current time. If the receiving device is connected to the Internet, the data file package reads the Internet time and compares it with the first recorded time and the data file access deadline; if it is after the first recorded time and before the data file access deadline, access to the data file may continue, otherwise the case is handled. If the receiving device is not connected to the Internet, the data file package reads the local time and compares it with the first recorded time and the data file access deadline; if it is after the first recorded time and before the data file access deadline, access to the data file may continue, otherwise the case is handled.

A deleting submodule, configured to delete the data file package and generate an invalid file to overwrite the sectors when the current access time is after the access deadline.

Specifically, handling of the data file access time limit: when the access time is earlier than the previous access time, the device is required to connect to the Internet for time verification. If the access time has passed the permitted access time (that is, the access deadline), the data file is deleted and an invalid file is generated to overwrite the sectors. If the access time has not passed the permitted access time, the user is prompted to update the local time before accessing again.
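The access count handling and the access time handling above, including the case where the local clock has been set back, can be modelled as a small state machine. This is an added example, not code from the patent: the class, field and decision names are assumptions, times are plain epoch seconds, and the deadline is taken as first recorded time plus the permitted duration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    DESTROY = "destroy"                      # delete the package and overwrite its sectors
    NEED_NETWORK_TIME = "need_network_time"  # local clock went backwards, no Internet time
    FIX_LOCAL_CLOCK = "fix_local_clock"      # still inside the window, local clock is wrong


@dataclass
class PackageState:
    max_opens: int                       # access count constraint
    duration_s: int                      # access duration constraint
    first_open: Optional[float] = None   # first recorded time
    last_seen: Optional[float] = None    # most recent recorded local time
    opens: int = 0
    destroyed: bool = False

    @property
    def deadline(self) -> Optional[float]:
        return None if self.first_open is None else self.first_open + self.duration_s


def _destroy(state: PackageState) -> Decision:
    state.destroyed = True
    return Decision.DESTROY


def check_time(state: PackageState, local_now: float,
               network_now: Optional[float] = None) -> Decision:
    """Periodic time check; network_now is None when the device is offline."""
    if state.destroyed:
        return Decision.DESTROY
    if state.first_open is None:         # first access starts the window
        state.first_open = network_now if network_now is not None else local_now
        state.last_seen = local_now
        return Decision.ALLOW
    if local_now < state.last_seen:      # local clock is earlier than the last record
        if network_now is None:
            return Decision.NEED_NETWORK_TIME
        if network_now > state.deadline:
            return _destroy(state)
        return Decision.FIX_LOCAL_CLOCK
    now = network_now if network_now is not None else local_now
    if now > state.deadline:
        return _destroy(state)
    state.last_seen = local_now          # replace the previous access record
    return Decision.ALLOW


def on_open(state: PackageState, local_now: float,
            network_now: Optional[float] = None) -> Decision:
    """Called each time the data file is opened: time check, then count check."""
    decision = check_time(state, local_now, network_now)
    if decision is not Decision.ALLOW:
        return decision
    state.opens += 1                     # count this access, then compare with the limit
    if state.opens > state.max_opens:
        return _destroy(state)
    return Decision.ALLOW


if __name__ == "__main__":
    s = PackageState(max_opens=3, duration_s=3600)   # constructed sample policy
    print(on_open(s, 1000))                          # Decision.ALLOW, deadline is 4600
    print(check_time(s, 2000))                       # Decision.ALLOW
    print(check_time(s, 1500))                       # Decision.NEED_NETWORK_TIME
    print(check_time(s, 1500, network_now=2500))     # Decision.FIX_LOCAL_CLOCK
    print(check_time(s, 4601))                       # Decision.DESTROY
```

Because the last recorded time only moves forward, setting the device clock back to extend the window is detected at the next check instead of silently extending access.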

Embodiment 5

This embodiment provides a computer device including a memory and a processor, the processor being configured to read instructions stored in the memory so as to execute the extended management and control method for data file sharing of any of the above method embodiments.

Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

Embodiment 6

This embodiment provides a computer-readable storage medium storing computer-executable instructions that can execute the extended management and control method for data file sharing of any of the above method embodiments. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD), a solid-state drive (SSD), or the like; the storage medium may also include a combination of the above kinds of memory.

Obviously, the above embodiments are merely examples given for clarity of description and do not limit the implementations. Those of ordinary skill in the art can make other changes or variations in different forms on the basis of the above description. It is neither necessary nor possible to list all implementations exhaustively here. Obvious changes or variations derived from the above remain within the scope of protection of the present invention.

Claims (10)

1. An extended management and control method for data file sharing, applied to a data provider, characterized in that it comprises: receiving component information of a data file receiving device, and determining an access identifier of the data receiving device based on the component information of the data file receiving device, wherein the component information of the data file receiving device is sent by a data receiver; acquiring data file access requirements, and generating access constraint conditions based on the data file access requirements; acquiring a data file to be shared, associating the access identifier of the data receiving device, the access constraint conditions and the data file to be shared to generate a data file package, and sending the data file package to the data receiver.

2. The extended management and control method for data file sharing according to claim 1, characterized in that determining the access identifier of the data receiving device based on the component information of the data file receiving device comprises: determining a plurality of initial hash values based on the component information of the data file receiving device; determining the access identifier of the data receiving device from the plurality of initial hash values using a digest algorithm; storing the access identifier of the data receiving device using a binary hash tree.

3. The extended management and control method for data file sharing according to claim 1, characterized in that the access constraint conditions comprise: an access count constraint, an access duration constraint, a data file modification constraint and a data file printing constraint.

4. The extended management and control method for data file sharing according to claim 3, characterized in that associating the access identifier of the data receiving device, the access constraint conditions and the data file to be shared to generate the data file package, and sending the data file package to the data receiver, comprises: encapsulating the data file to be shared, associating the encapsulated data file to be shared with the access count constraint, the access duration constraint, the data file modification constraint and the data file printing constraint to generate the data file package, and sending the data file package to the data receiver.

5. An extended management and control method for data file sharing, applied to a data receiver, characterized in that it comprises: collecting component information of a data file receiving device, and sending the component information of the data file receiving device to a data provider; receiving a data file package, and determining a data file access permission based on the component information of the data file receiving device and the data file package, wherein the data file package is determined by the data provider based on the component information of the data file receiving device; acquiring data file access behavior, determining access constraint conditions based on the data file package, and comparing the data file access behavior with the access constraint conditions; when the data file access behavior does not satisfy the access constraint conditions, closing the data file access permission so as to stop sharing the data file package.

6. The extended management and control method for data file sharing according to claim 5, characterized in that determining the data file access permission based on the component information of the data file receiving device and the data file package comprises: determining a first access identifier based on the component information of the data file receiving device; determining the access identifier of the data receiving device based on the data file package, and using the access identifier of the data receiving device as a second access identifier; comparing the first access identifier with the second access identifier, and determining the data file access permission based on the comparison result.

7. The extended management and control method for data file sharing according to claim 5, characterized in that determining the access constraint conditions based on the data file package and comparing the data file access behavior with the access constraint conditions comprises: determining an access count constraint, an access duration constraint, a data file modification constraint and a data file printing constraint based on the data file package; determining the total number of accesses, the access time, the file modification action and the file printing process based on the data file access behavior; comparing the access count constraint, the access duration constraint, the data file modification constraint and the data file printing constraint with the total number of accesses, the access time, the file modification action and the file printing process, respectively.

8. The extended management and control method for data file sharing according to claim 7, characterized in that determining the data file access permission based on the component information of the data file receiving device and the data file package further comprises: obtaining the access record time at which the data file package is opened, and determining an access deadline based on the access record time and the access duration constraint; periodically obtaining the current access time, and when the current access time is between the access record time and the access deadline, updating the access record time and continuing to access the data file package, wherein the current access time is Internet time or local time; or, when the current access time is after the access deadline, deleting the data file package and generating an invalid file to overwrite the sectors.

9. An extended management and control system for data file sharing, applied to a data provider, characterized in that it comprises: a determining module, configured to receive component information of a data file receiving device and determine an access identifier of the data receiving device based on the component information of the data file receiving device, wherein the component information of the data file receiving device is sent by a data receiver; a generating module, configured to acquire data file access requirements and generate access constraint conditions based on the data file access requirements; an associating module, configured to acquire a data file to be shared, associate the access identifier of the data receiving device, the access constraint conditions and the data file to be shared to generate a data file package, and send the data file package to the data receiver.

10. An extended management and control system for data file sharing, applied to a data receiver, characterized in that it comprises: a collection module, configured to collect component information of a data file receiving device and send the component information of the data file receiving device to a data provider; a receiving module, configured to receive a data file package and determine a data file access permission based on the component information of the data file receiving device and the data file package, wherein the data file package is determined by the data provider based on the component information of the data file receiving device; a comparison module, configured to acquire data file access behavior, determine access constraint conditions based on the data file package, and compare the data file access behavior with the access constraint conditions; a closing module, configured to close the data file access permission when the data file access behavior does not satisfy the access constraint conditions, so as to stop sharing the data file package.
CN202310044568.2A 2023-01-30 2023-01-30 An extended management and control method and system for data file sharing Pending CN115794758A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310044568.2A CN115794758A (en) 2023-01-30 2023-01-30 An extended management and control method and system for data file sharing

Publications (1)

Publication Number Publication Date
CN115794758A true CN115794758A (en) 2023-03-14

Family

ID=85429149

Country Status (1)

Country Link
CN (1) CN115794758A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20230314