
CN115935390B - A method for dynamic access control and encryption of files within an attribute-based security sandbox - Google Patents

A method for dynamic access control and encryption of files within an attribute-based security sandbox

Info

Publication number: CN115935390B
Application number: CN202211577805.3A
Authority: CN (China)
Prior art keywords: file, user, encryption, attributes, attribute
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN115935390A (en)
Inventors: 张慧翔, 李晓辉, 冯春, 廖凯华, 路高乐
Current assignee: Northwestern Polytechnical University (as listed by Google Patents; may be inaccurate)
Original assignee: Northwestern Polytechnical University
Events: application filed by Northwestern Polytechnical University; priority to CN202211577805.3A; publication of CN115935390A; application granted; publication of CN115935390B; legal status active; anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

This invention provides an attribute-based dynamic access control and encryption method for files in a security sandbox. The method collects attributes of the current runtime environment, including the time, the file operation path, the user identity, file keywords and file permission fields, to form an attribute set. Dynamic attributes are extracted from this set and a policy engine uses them to enforce dynamic access control on the file; static attributes are extracted from the same set and used for attribute-based encryption of the file, giving the file two layers of protection. Because the attributes are dynamic, an administrator can change attributes or policies to adjust file permissions on demand, and the runtime environment can be assessed in real time, enabling more flexible and secure access control. The method reuses the access control attribute set to encrypt files, so encrypted files can be shared without sharing a key.

Description

Attribute-based method for dynamic access control and encryption of files in a security sandbox
Technical Field
The invention relates to electronic file protection in the field of information security, in particular to access control of electronic files and their encryption.
Background
Electronic documents are the documents that circulate on terminals within organizations such as enterprises and government bodies. Internal documents contain important decisions, confidential information and the like, and their disclosure can harm the organization.
Most existing electronic file protection technologies rely on manual management or forced blocking. Manual management depends on administrators and on internal policy and training; it carries personnel cost and a large subjective element, so files are easily leaked. Forced blocking disables the paths through which files could spread from the terminal, such as USB and network devices. In today's "Internet + office" working mode this has a serious drawback: it prevents sharing files within the permitted scope and greatly reduces working efficiency.
Some organizations have deployed Data Leakage Prevention (DLP), a system architecture for data leakage prevention scenarios. DLP classifies data and assesses its risk over the data life cycle, and controls data flows. At present, however, DLP focuses on the network side and mainly inspects sensitive information carried in different network protocols. This detects leakage during network transmission, but the detectable leakage paths are narrow: detection is difficult when data leaves through a virtual private network (VPN) or as encrypted traffic, so the detection range needs to be widened. Most existing terminal DLP products only offer encryption; they lack the ability to enforce a control policy on the terminal, and the data is exposed once the encryption is cracked or bypassed. To address the lack of management and control over terminal files, the invention combines a sandbox with file access control: an access control policy engine is placed in front of the transparent encryption and decryption of files, and access conditions such as time, operation path and user identity are attached to each file. At the same time, the sandbox policy protects files from being read or destroyed by untrusted applications. To address the ease with which keys leak in traditional encryption, the invention adopts attribute-based encryption, so users do not need to remember a key.
Prior art: patent application 202110739746.4 describes a system and method for redirecting, encrypting and decrypting files. On Linux, it hooks the file operation functions so that an application's reads and writes are encrypted and decrypted in memory. That method differs from the present one in several respects: it targets Linux, while the file operation APIs on Windows are markedly different; its scope is in-process file operations, while the present method can also identify the content of, and control access to, plaintext files outside the sandbox; it decrypts the file in memory for every file request, while the present method uses a buffer to optimize encryption and decryption performance; and it encrypts files with traditional symmetric encryption, while the present method uses attribute-based encryption, so that no key needs to be remembered and ciphertext can be shared.
Disclosure of Invention
The invention provides an attribute-based dynamic access control and encryption method for a file security sandbox. To address the lack of policy management and control in file security sandbox environments, it combines dynamic access control with encryption to provide a dynamically protected file system inside the isolated environment. The administrator can adjust the attributes of access objects at any time, and the policy engine on the terminal adjusts file permissions dynamically. Attribute-based encryption is implemented at the kernel layer, so encryption and decryption happen without the user noticing when files are operated on, which avoids key leakage when files are shared. The method targets the problems that a file control policy takes effect only with delay, that files are hard to share, and that files are easily leaked while being accessed inside an organization.
Referring to Figure 1, after the user is authorized by one of the supported authentication modes, a secure sandbox is built for the user on the terminal. File operations on the terminal are captured. Whether a file is protected is determined by checking whether the operation occurs in the sandbox environment and by analyzing the file data. An unprotected file is only isolated; a protected file is passed to the access control policy engine, which decides whether the user holds the operation permission for that file. If not, the operation is intercepted and logged. If so, the file goes through transparent encryption or decryption according to whether the operation is a read or a write: on write, the user's attribute information is used for encryption and embedded in the file; on read, transparent access is provided based on the user's key.
The method comprises the following steps:
Step S1: initialize the system, including generating the system master key and public key and registering user identities;
Step S2: the user logs in to the terminal using a supported authentication mode; after authorization is obtained, a secure sandbox environment is created for the user;
The supported authentication modes are password authentication, USB-Key authentication and certificate authentication.
Step S3: intercept file operations in the terminal security sandbox;
Step S4: determine whether the file targeted by a file operation belongs to the current security sandbox;
If the file belongs to the sandbox, proceed to step S6;
If the file does not belong to the sandbox, proceed to step S5;
Step S5: file self-identification. Parse the file and match it on file name, file format and file content. If a corresponding file exists in the attribute library, encrypt the file with the attributes in the attribute library and move it into the sandbox;
Step S6: collect the current runtime environment, specifically the time, file operation path, user identity information, file keywords and file permission fields, and query the access control policy engine to decide whether the file operation is allowed;
If the policy engine denies access, discard the file operation;
If the policy engine allows access, distinguish read from write operations and enter the transparent encryption/decryption flow;
Step S7: perform encryption or decryption according to the file operation type.
For a file read operation, read the file's encryption flag bit;
if the file is encrypted, check whether a decrypted copy exists in the buffer: if so, return the plaintext file handle from the buffer directly; if not, decrypt using the current user's attributes, and if decryption succeeds, return the plaintext file handle and add it to the buffer;
if the file is not encrypted, return the plaintext file handle to the user;
for a file write operation, update the plaintext in the cache and encrypt the file according to the corresponding attributes.
The beneficial effects of the invention include:
(1) A two-layer protection mechanism for files
On top of the file isolation of an existing security sandbox, a dynamic access control system and kernel-layer transparent encryption and decryption are introduced. A user can access a file only with both the access permission and the decryption key; neither layer can be bypassed, and neither grants the other's permission.
(2) Administrators can adjust file permissions dynamically
The administrator can modify the attributes of access objects (environment, personnel), and the policy engine on the terminal side applies the new file access permissions in real time, so user permissions can be revoked or granted immediately. The user notices nothing.
(3) Improved security when sharing encrypted files
Traditional encrypted-file sharing requires sharing the key. The method removes the limitation of one key per file: multiple users decrypt the same file with their own keys, which improves the security of sharing encrypted files.
Drawings
FIG. 1 is a schematic flow chart of issuing a sandbox environment to an authorized user in an embodiment;
FIG. 2 is a schematic diagram of Windows file operation redirection in an embodiment;
FIG. 3 is a schematic diagram of a similar file management policy definition in an embodiment;
Fig. 4 is a schematic diagram of a terminal side access control implementation in an embodiment;
FIG. 5 is a flowchart of implementing transparent encryption and decryption protection of a terminal side file in an embodiment;
FIG. 6 is a schematic diagram of a transparent encryption scheme for files in an embodiment;
FIG. 7 is a schematic diagram of a transparent file decryption scheme in an embodiment;
Fig. 8 is a flowchart of a method for controlling and encrypting dynamic access of files in a security sandbox based on attributes.
Detailed Description
This embodiment provides an attribute-based method for dynamic access control and encryption of files.
The relevant terms are used as follows:
Attributes: properties of the various objects involved, such as file security level, system time and user level.
File: a file protected on the terminal, which is confidential to some degree and carries corresponding access rights.
Security sandbox: an isolated area partitioned off in the terminal operating system; operations performed by processes located in the isolated area are controlled.
Access control: control over the user's file operations according to predefined policies, including allowing and blocking them.
Encryption: encryption of the file according to user attributes and environment attributes.
The attribute-based dynamic file access control and encryption method comprises the following steps:
S1. The whole system is initialized: keys are generated, attributes are defined, and the other preparations related to encryption and decryption are made.
S101. The system authorization center initializes the keys and generates the system master key MSK and the system public key PK.
The embodiment uses the functions provided by the Pairing-Based Cryptography (PBC) library. The Type A prime-order elliptic curve y^2 = x^3 + x is selected; the corresponding generation parameters are shown in Table 1. The resulting system master key MSK is 128 bytes.
TABLE 1 Type A prime-order curve parameters
The complete set of attributes in the system is defined, including the attributes of user groups, file groups and so on.
The embodiment uses the following attribute set:
Admin: user group, administrators;
UserGroup: user group, ordinary users;
SuFile: file group, highest-level files.
A SHA-256 hash of each attribute is computed, mapped to a point on the group with PBC's element_from_hash function, and appended to the system public key PK. The administrator can add members to the different attribute groups.
S102. The user registers by providing identity information to the authorization center. The identity information must contain an ID that uniquely identifies the user; each user provides a different ID value.
S2. The user logs in to the terminal with a supported authentication mode; after authorization is obtained, a secure sandbox environment is created for the user. Figure 1 shows the process.
After the user is authenticated on the terminal, the server generates an authentication credential and sends it to the user's terminal, and the terminal creates a sandbox environment named after the credential. One credential is bound to only one user at a time. This binds the sandbox dynamically to the user identity and prevents a counterfeit sandbox from acquiring permissions.
S3. A sandbox environment is established on the user terminal, and isolation from the host is achieved by capturing file operations.
The invention provides a method for capturing and redirecting file operations on Windows, shown in Figure 2. It supplies the basic capability on which file access control and encryption/decryption protection are built; the original logic is reached by hooking the native file operation APIs. Unlike capturing file operations directly in a driver, this method captures them in user mode. The process is as follows:
S301. When a process in the sandbox starts, a DLL is injected into it and inline hooks are placed on the file operation APIs, including NtCreateFile, NtOpenFile, NtDeleteFile, NtReadFile, NtWriteFile and others.
S302. A Windows service is created. Data collection, file encryption, access control and the other decisions are implemented in the service, and a named pipe is created for each functional point to provide synchronous or asynchronous remote procedure calls.
S303. Once the commonly used file APIs are hooked, the logic to be executed is sent to the service over the named pipe before the original operation runs. The original logic then continues either synchronously, waiting for the remote call to return its result, or asynchronously without blocking.
The advantage of this approach is that as much logic as possible is moved out of the kernel layer and out of the hook code. The driver layer is used only to guarantee that the DLL injection succeeds; the logic is implemented in ring 3; the work done in the hook functions is kept to a minimum; and the key logic is separated from the original process's address space by the named pipes and the system service. This greatly reduces the risk that a defect in the hook code causes unexpected behaviour in the original program or triggers PatchGuard, crashing the system with a blue screen.
S4. When a file operation occurs, it is determined whether the operation is inside the sandbox. If the file belongs to the current sandbox, step 6 is performed; if it does not, step 5 is performed.
A file operation is considered to be in the sandbox in the following cases:
1) the file is accessed by a process in the sandbox;
2) the file path lies in the sandbox cache path.
S5. The file is identified and it is determined whether it belongs to the protected files, as shown in Figure 3.
This step serves the two-layer protection mechanism: the user performs file operations outside the sandbox, such as copying a file or downloading a file outside the sandbox, so files exist that are not defined in the attribute set, and their similarity to protected files must be judged from their content. The process is as follows:
S501. For programs outside the sandbox, file operations are intercepted with a minifilter driver, without DLL injection.
S502. When the PreOperation callback is triggered, a first filtering pass is made on file format, for example docx, txt and other formats.
File formats are matched on file header features.
(1) For formats with a specific structure, such as docx, png or wav, the file header data is parsed and compared against a feature library;
(2) For files without a specific format, such as txt or files with no format prefix, the first 32 bytes are probed for their encoding and checked against a set of known encodings to decide whether the file contains readable text.
S503. Content matching. The filtering results of S502 are classified (picture format, audio format, text format and so on) and matched against the contents of the system's file feature library. The invention exposes a programmable interface for the content matching algorithm, so users can supply their own file content similarity algorithm.
In particular, the invention provides a way to perform offline text similarity comparison with a locality-sensitive hashing algorithm.
(1) When a text file is created or modified in the sandbox, it is marked as a file to be protected, and its locality-sensitive hash is added to the hash table chain of that sandbox.
(2) A similarity sensitivity value, namely the corresponding Hamming distance, is preset; 3 is used as the preset value. If the Hamming distance between the texts is less than or equal to the preset value, the text file being operated on is considered highly similar to the protected text.
If a file outside the sandbox is highly similar to a protected file, it is encrypted with the attributes of that protected file and given the same permissions as the protected file, so that programs in the sandbox can access it.
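The self-identification step above (S502 header matching, the 32-byte text probe, and the S503 locality-sensitive hash compared at a Hamming threshold of 3) as a runnable example. This is an added illustration, not code from the patent: the signature table, the choice of SimHash over word tokens hashed with BLAKE2b, and the sample memo texts are assumptions made for the example. One caveat a deployment needs: the preset threshold of 3 only works when fingerprints are stable. Word-bag SimHash ignores whitespace, case and sentence order, so the re-pasted copy below lands at distance 0, but for short texts a single changed word can flip more than three bits, so threshold and feature choice must be tuned together on real documents.

```python
"""File self-identification for files touched outside the sandbox (step S5).

Added example; not code from the patent. Three checks from the text: header
feature matching for formats with a fixed signature, a readable-text probe on
the first 32 bytes for format-less files, and a SimHash fingerprint compared
to the sandbox's hash chain by Hamming distance. Signatures, threshold and the
sample texts are constructed for the example.
"""
import hashlib
import re

# (1) Header feature library (assumed, offset-0 magic bytes). docx is an OOXML
# zip, so "PK\x03\x04" only proves "zip container"; a production check would
# open it and look for word/document.xml.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "docx": b"PK\x03\x04",
    "wav": b"RIFF",          # RIFF container; "WAVE" at offset 8 is checked below
}


def probe_text(data):
    """(2) Do the first 32 bytes decode to readable text?"""
    head = data[:32]
    try:
        text = head.decode("utf-8")
    except UnicodeDecodeError as err:
        # A multibyte character cut by the 32-byte window is not evidence of binary
        if err.start < len(head) - 3:
            return False
        text = head[:err.start].decode("utf-8")
    return bool(text) and all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def classify(data):
    """Format class used to pick the feature library for content matching."""
    for fmt, magic in SIGNATURES.items():
        if data.startswith(magic):
            if fmt == "wav" and data[8:12] != b"WAVE":
                continue
            return fmt
    return "text" if probe_text(data) else "unknown"


# (3) Locality-sensitive hashing: 64-bit SimHash over lowercased word tokens.
def simhash(text, bits=64):
    """Each token votes +1/-1 per bit; the fingerprint is the sign of the totals."""
    totals = [0] * bits
    for token in re.findall(r"\w+", text.lower()):
        h = int.from_bytes(hashlib.blake2b(token.encode(), digest_size=8).digest(), "big")
        for i in range(bits):
            totals[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i, t in enumerate(totals) if t > 0)


def hamming(a, b):
    return bin(a ^ b).count("1")


class SandboxHashChain:
    """Fingerprints of protected text files, one chain per sandbox."""

    def __init__(self, threshold=3):      # preset Hamming distance from the text
        self.threshold = threshold
        self.entries = {}                 # fingerprint -> protected file name

    def protect(self, name, text):
        """Called on text file create/modify inside the sandbox."""
        self.entries[simhash(text)] = name

    def match(self, text):
        """Protected file the text resembles, or None (linear scan; fine for a demo)."""
        fp = simhash(text)
        for known, name in self.entries.items():
            if hamming(fp, known) <= self.threshold:
                return name
        return None


def self_identify(data, chain):
    """S5 decision: (format class, protected file whose attributes to inherit)."""
    fmt = classify(data)
    if fmt != "text":
        return fmt, None      # binary formats would consult their own feature library
    return fmt, chain.match(data.decode("utf-8", errors="ignore"))


# Constructed sample data for the demonstration.
MEMO = ("Board memo: the Q3 merger with Northstar closes on 14 October. "
        "Do not circulate outside the finance group until the filing is public.")
# Same memo pasted into a plain-text editor: re-wrapped, re-cased, sentences reordered.
REFLOWED = ("do not circulate outside the FINANCE group until the filing is public.\n"
            "board memo:\n  the q3 merger with northstar closes on 14 october.")
UNRELATED = "Cafeteria menu for Monday: lentil soup, grilled vegetables and fruit salad."

if __name__ == "__main__":
    chain = SandboxHashChain()
    chain.protect("secret.txt", MEMO)
    for label, blob in [("reflowed copy", REFLOWED.encode()),
                        ("unrelated text", UNRELATED.encode()),
                        ("png", b"\x89PNG\r\n\x1a\n" + bytes(16))]:
        print(label, "->", self_identify(blob, chain))
```

The reflowed copy matches secret.txt at distance 0 and inherits its attributes; the unrelated text and the PNG fall through. A real deployment would replace the linear scan in `match` with a permuted-block SimHash index and would hash features with weights, but the decision structure is the one the text describes.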
S6. The current runtime environment is collected, specifically the time, file operation path, user identity information, file keywords and file permission fields, and the access control policy engine decides whether the file operation is allowed, as shown in Figure 4.
Attribute-based access control is introduced to describe roles and permissions uniformly, and the PERM meta-model is used to store policies, which makes the access control model more flexible. The benefit of this embodiment is that file attributes are classified: the attributes in the attribute set are divided into static and dynamic attributes, which improves the flexibility of the access control policy, and policies are issued and applied in real time when the server-side policy is updated.
The process is as follows:
S601. Defining and issuing the attribute access control policy.
S601-1. Defining the attribute access control policy. The administrator defines the access control policy on the server side.
First, the model is designed according to the PERM meta-model, which covers the request definition, the policy definition and the matching rule definition. The invention divides the attributes of a file access request into file attributes, environment attributes and the file operation.
The file attributes comprise the file name, the file format and the file's protected attribute;
The environment attributes comprise the computer time, the computer identification (described in S602), the user credential, the sandbox environment status and so on;
The file operation is either a file read operation or a file write operation.
The access control model is defined as follows:
[request_definition]
r = file, env, act
[policy_definition]
p = file, env, act
[policy_effect]
e = some(where(p.eft == allow))
[matchers]
m = eval(p.file) && eval(p.env) && r.act == p.act
Once the model is fixed, the administrator writes policies that follow the policy definition. A concrete policy under the definition above is:
p,
r.file.name=="secret.txt"&&r.file.format=="asciitext"&&r.file.protected==true,
r.env.box_name=="DefaultBox"&&r.env.Hour>=8&&r.env.Hour<=22&&r.env.Day>=1&&r.env.Day<=5&&r.env.image_name=="notepad.exe"&&r.env.id=="650fe3266b5b152137e362627c581902"&&r.env.user=="eyJhbGbioiJIUzj1NiJ9…",
write
According to this policy description, when a file request occurs the following conditions are matched:
(1) the file name is "secret.txt";
(2) the file format is asciitext;
(3) the file's protection bit indicates a protected state;
(4) the current sandbox is named "DefaultBox";
(5) the current access time is between 8:00 and 22:00 on a weekday (Monday to Friday);
(6) the requesting process is notepad.exe;
(7) the current terminal identification is "650fe3266b5b152137e362627c581902";
(8) the current user identification is "eyJhbGbioiJIUzj1NiJ9…";
(9) the current operation is a write operation.
If the file request matches all of them, access is allowed; otherwise it is denied.
S601-2. Issuing the attribute access control policy. Because the invention enforces access control on the terminal side, the server-side access control policy must be synchronized promptly. The invention issues policies over ZeroMQ.
The server maintains a policy version number and increments it whenever an administrator changes the policy.
After the terminal user's identity authentication passes, the terminal actively requests the current policy from the server. The server responds with the policy version, which the terminal compares with its local version; if the local version number is lower than the server's, the terminal requests policy synchronization from the server.
While the terminal user is working, the client and server keep a long-lived connection in ZMQ publish/subscribe mode. When the server changes the policy, the new version number is broadcast to all clients in the subscriber queue, notifying them of the change; a client whose local version differs requests policy synchronization from the server.
S602. Terminal-side implementation of attribute access control. The invention provides a method for enforcing attribute-based access control on the terminal side.
(1) A local service process is started; it creates the named pipe "\\.\pipe\abacpipe" and listens on it to receive the access control information from clients.
(2) A DLL is injected into the programs running in the sandbox and inline hooks are placed on the file operation APIs. When a file operation occurs, the current sandbox environment parameters, file attributes and file operation are sent to the service process over the named pipe. When the service process receives the file request, it fills in the environment parameters of the policy that are missing, as follows:
The computer identification is derived from the system hardware: a string is formed by concatenating the CPUID, the BIOS UUID and the system serial number, and its hash is recorded as the computer identification;
The system time is obtained after NTP time correction between the client and the server.
(3) The policy engine in the local service process matches the request dynamically against the policy model; the result is "pass" or "reject" and is returned to the client. On receiving the result, the client decides whether to continue executing the original system API, and the user operation is logged.
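The policy engine of S601 and the environment completion of S602, as an added example in Python; it is not the patent's implementation and not Casbin, whose PERM syntax the model follows. It evaluates the sample policy row from S601-1 with a whitelisted AST walker instead of Python's eval(): the matcher's eval(p.file) && eval(p.env) makes a policy row executable text, so without this restriction whoever can push a row through the S601-2 distribution channel would get code execution inside the local service. The terminal id hash (SHA-256; the page names no hash function), the hardware strings, the user identifier and the id/user values in the policy are constructed for the example.

```python
"""Terminal-side attribute policy engine (S601 model, S602 service).

Added example; not the patent's or Casbin's code. Policy rows follow the page:
  p = file, env, act ; e = some(where(p.eft == allow)) ;
  m = eval(p.file) && eval(p.env) && r.act == p.act
The two eval() calls are replaced by a whitelisted AST walk, so a policy row can
compare attributes but cannot run code. Hash, hardware and user values assumed.
"""
import ast
import hashlib
import operator
import re
from dataclasses import dataclass
from datetime import datetime

_COMPARE = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}


class PolicyError(ValueError):
    """Attribute missing from the request, or syntax the policy may not use."""


def compile_expr(text):
    """Parse one policy condition written in the page's '&&' / '||' / true syntax."""
    src = text.replace("&&", " and ").replace("||", " or ")
    src = re.sub(r"\btrue\b", "True", re.sub(r"\bfalse\b", "False", src))
    return ast.parse(src, mode="eval").body


def evaluate(node, ctx):
    """Allowed: names, attribute lookups, constants, comparisons, and/or/not."""
    if isinstance(node, ast.BoolOp):
        combine = all if isinstance(node.op, ast.And) else any
        return combine(evaluate(v, ctx) for v in node.values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not evaluate(node.operand, ctx)
    if isinstance(node, ast.Compare):
        left = evaluate(node.left, ctx)
        for op, comparator in zip(node.ops, node.comparators):
            if type(op) not in _COMPARE:
                raise PolicyError(f"operator not allowed: {type(op).__name__}")
            right = evaluate(comparator, ctx)
            if not _COMPARE[type(op)](left, right):
                return False
            left = right
        return True
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Attribute):          # r.env.Hour -> ctx["r"]["env"]["Hour"]
        base = evaluate(node.value, ctx)
        if not isinstance(base, dict) or node.attr not in base:
            raise PolicyError(f"request has no attribute {node.attr!r}")
        return base[node.attr]
    if isinstance(node, ast.Name) and node.id in ctx:
        return ctx[node.id]
    raise PolicyError(f"not allowed in a policy: {ast.dump(node)[:40]}")


@dataclass(frozen=True)
class Policy:
    file: str                 # condition over r.file
    env: str                  # condition over r.env
    act: str                  # "read" or "write"
    eft: str = "allow"


class Enforcer:
    def __init__(self, policies):
        self.rules = [(compile_expr(p.file), compile_expr(p.env), p) for p in policies]

    def enforce(self, file, env, act):
        """e = some(where(p.eft == allow)): one matching allow row passes the request."""
        ctx = {"r": {"file": file, "env": env, "act": act}}
        return any(p.eft == "allow" and act == p.act and evaluate(f, ctx) and evaluate(e, ctx)
                   for f, e, p in self.rules)


def terminal_id(cpuid, bios_uuid, serial):
    """S602(2): hash of CPUID + BIOS UUID + system serial (SHA-256 assumed)."""
    return hashlib.sha256(f"{cpuid}|{bios_uuid}|{serial}".encode()).hexdigest()


def complete_env(reported, now, hardware):
    """The service overwrites, rather than trusts, what the hooked process reports."""
    env = dict(reported)
    env["Hour"] = now.hour                 # NTP-corrected service clock assumed
    env["Day"] = now.isoweekday()          # 1 = Monday ... 7 = Sunday
    env["id"] = terminal_id(*hardware)
    return env


# Constructed values for the demonstration (not from the page).
HARDWARE = ("BFEBFBFF000906EA", "4c4c4544-0042-3810-8052-b9c04f4e3932", "SN-7Q2X1")
USER = "bob@example.org"
POLICIES = [Policy(
    file='r.file.name=="secret.txt"&&r.file.format=="asciitext"&&r.file.protected==true',
    env=('r.env.box_name=="DefaultBox"&&r.env.Hour>=8&&r.env.Hour<=22&&r.env.Day>=1&&'
         'r.env.Day<=5&&r.env.image_name=="notepad.exe"&&'
         f'r.env.id=="{terminal_id(*HARDWARE)}"&&r.env.user=="{USER}"'),
    act="write")]
SECRET = {"name": "secret.txt", "format": "asciitext", "protected": True}
REPORTED = {"box_name": "DefaultBox", "image_name": "notepad.exe", "user": USER,
            "Hour": 10, "Day": 2}          # client-reported clock, replaced by complete_env


def decide(when, act="write", hardware=HARDWARE, reported=REPORTED):
    """Full S6 decision for a request on secret.txt; `when` is (Y, M, D, h, m)."""
    env = complete_env(reported, datetime(*when), hardware)
    return Enforcer(POLICIES).enforce(SECRET, env, act)


if __name__ == "__main__":
    print(decide((2024, 6, 11, 10, 30)))   # Tuesday 10:30 -> True
    print(decide((2024, 6, 15, 10, 30)))   # Saturday -> False
```

`complete_env` is where the dynamic attributes get their trust: the hooked process runs inside the same address space as the (possibly hostile) application, so its reported hour, weekday and machine id are replaced by values the service derives itself, exactly as S602(2) describes for the terminal id and the NTP-corrected time.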
S7, performing file encryption and decryption operation according to the captured file operation type.
The invention provides a transparent file encryption method for sharing multi-user keys, which belongs to the second layer encryption protection in a file double-layer protection mechanism. The method has the advantages that the file encryption key does not need to be memorized, the cipher text is decrypted by multiple users at the same time, and the safety of file sharing is improved. As shown in fig. 5.
Since there is a risk of files in the sandbox being compromised by maliciously bypassing the access control engine or physically reading the hard disk, the files need to be encrypted. Aiming at the problems of single key, complex ciphertext sharing mode and the like of the traditional encryption mode, the invention provides a transparent file encryption method for sharing multi-user keys under the background of attribute access control. The process comprises the following steps:
s701, generating a user key. The user key is issued by the server after the user passes the authentication, and the user key belongs to the runtime information and can be modified by the administrator in real time as in the strategy issuing mechanism described in S601-2. The user key construction mode comprises the following steps:
(1) User attribute definition. An administrator defines user attributes at a server, which need to be contained in a user attribute set
(2) A user key is generated. The server generates a user key SK through a user attribute and a system master key MSK based on the CP-ABE, and sends the SK to the user terminal in real time through ZMQ.
S702, transparent encryption of the file. And when the file writing operation in the sandbox is released, performing transparent file encryption operation. Firstly, a file to be encrypted is moved into a plaintext buffer area protected by a sandbox, and the file is encrypted in an attribute encryption mode. The encrypted file is moved into the original path of the file, thereby realizing transparent encryption of the file, as shown in fig. 6.
The specific encryption mode is as follows:
(1) Constructing user access structures
The construction of the access structure is performed according to a set of attributes or a single attribute in a global set of attributes defined by the system. The method comprises the steps of dividing request object attributes and target object attributes, wherein the request object attributes are user groups or specific users, and the response object attributes are file groups or specific files. One example is:
SuFile∩Admin
SuFile, along with Admin, define with the set of attributes in S101, that the file can be decrypted on behalf of both the access object and the members of the administrator group that have access to SuFile groups.
The method comprises the steps of carrying out encryption on a file with an original access structure on a user terminal, carrying out default inheritance of the original access structure when encrypting the file with the original access structure, carrying out default on a common file to construct the access structure by a specific login user, if Bob is the current login user, constructing the access structure as Bob, applying the file with the access range needing to be expanded to a server, and issuing the access structure after approval.
(2) Transparent encryption of documents
A local service process is started up and, new named pipe "\\pipe \ encrypt" and listens to this named pipe, for receiving the client encrypted file path.
The CloseFile is subjected to an Inline hook by DLL injection of the run program in the sandbox. When the corresponding file operation occurs, the current file path is sent to the service process through the naming pipeline first. When the service process receives the file path, the service process analyzes the current file access structure to determine the access structure which is specifically used in attribute encryption. And writing the encrypted data into the original path of the file after attribute encryption.
S703, transparent decryption of the file. When a file read operation in the sandbox is allowed, a transparent file decryption operation is performed, as shown in fig. 7.
The specific decryption mode is as follows:
A local service process is started; it creates a named pipe "\\pipe\decrypt" and listens on it to receive from the client the path of the file to be decrypted.
The program running in the sandbox is DLL-injected and an inline hook is placed on OpenFile. When the corresponding file operation occurs, the current file path is first sent to the service process through the named pipe. When the service process receives the file path, it checks whether the file is already present in the file buffer. If the same file exists in the buffer, it has already been decrypted: the file access is redirected and the handle of the buffered file is returned. If it does not exist in the buffer, the file is decrypted with the current user's key. If decryption succeeds, the file is added to the buffer and the buffered file handle is returned; if decryption fails, access is refused.
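The following is an added example, not code from the patent or its applicant, that models the S702 and S703 flow in Python: evaluation of an access structure such as SuFile∩Admin over request-object and target-object attributes, the inherited or default access structure, the plaintext buffer consulted before any decryption, and refusal when the current user's attributes do not satisfy the structure. The master key, the user, group and path names, and the use of an HMAC-derived content key with a SHA-256 keystream as a stand-in for attribute-based encryption are all assumptions; the DLL injection, inline hooks and named pipes of the description are replaced by direct function calls, and one service instance stands for one user's sandbox.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Assumption: the master key produced by S1 initialisation; a constant here.
MASTER_KEY = b"example-system-master-key"


@dataclass(frozen=True)
class User:
    """Request object: a logged-in user and the user groups it belongs to."""
    name: str
    groups: FrozenSet[str]


@dataclass
class EncryptedFile:
    """What the service writes back to the file's original path."""
    policy: str                  # access structure, e.g. "SuFile∩Admin"
    file_groups: FrozenSet[str]  # target-object attributes of this file
    nonce: bytes
    tag: bytes
    ciphertext: bytes


def policy_satisfied(policy: str, user: User, file_groups: FrozenSet[str]) -> bool:
    """Evaluate an access structure written with ∩ (all attributes required)
    and ∪ (any alternative suffices); ∩ binds tighter than ∪. Names are
    matched against the request-object attributes (user name, user groups)
    together with the target-object attributes (file groups), so
    "SuFile∩Admin" holds only for an Admin member opening a SuFile file."""
    present = {user.name} | set(user.groups) | set(file_groups)
    alternatives = [alt.split("∩") for alt in policy.split("∪")]
    return any(all(a.strip() in present for a in alt) for alt in alternatives)


def default_policy(current_user: User, existing: Optional[EncryptedFile]) -> str:
    """S702(1): an already-encrypted file inherits its access structure;
    a new ordinary file is bound to the logged-in user only."""
    return existing.policy if existing is not None else current_user.name


def _content_key(policy: str) -> bytes:
    # Stand-in for attribute-based encryption (assumption): the content key
    # is bound to the access structure. Real ABE enforces the policy
    # cryptographically; here the service enforces policy_satisfied() first.
    return hmac.new(MASTER_KEY, policy.encode("utf-8"), hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from SHA-256 (illustrative, not a vetted cipher)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(x ^ y for x, y in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_file(plaintext: bytes, policy: str, file_groups: FrozenSet[str]) -> EncryptedFile:
    """S702(2): encrypt under the chosen access structure. The tag lets the
    reader detect a corrupted or substituted ciphertext instead of handing
    garbage back to the application as plaintext."""
    key = _content_key(policy)
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return EncryptedFile(policy, file_groups, nonce, tag, ct)


class TransparentDecryptService:
    """Models the S703 service behind the decrypt pipe for one user's sandbox:
    buffer hit -> return buffered plaintext; otherwise decrypt with the current
    user's attributes and cache the result; any failure -> access refused."""

    def __init__(self, user: User) -> None:
        self.user = user
        self.buffer: Dict[str, bytes] = {}   # path -> plaintext (sandbox buffer)

    def open_file(self, path: str, enc: EncryptedFile) -> bytes:
        if path in self.buffer:
            return self.buffer[path]
        if not policy_satisfied(enc.policy, self.user, enc.file_groups):
            raise PermissionError(f"{self.user.name} may not decrypt {path}")
        key = _content_key(enc.policy)
        expected = hmac.new(key, enc.nonce + enc.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, enc.tag):
            raise PermissionError(f"{path}: ciphertext integrity check failed")
        plaintext = _keystream_xor(key, enc.nonce, enc.ciphertext)
        self.buffer[path] = plaintext
        return plaintext

    def write_file(self, path: str, plaintext: bytes,
                   existing: Optional[EncryptedFile]) -> EncryptedFile:
        """Claim step S7, write branch: update the buffered plaintext, then
        re-encrypt under the inherited or default access structure."""
        self.buffer[path] = plaintext
        groups = existing.file_groups if existing is not None else frozenset()
        return encrypt_file(plaintext, default_policy(self.user, existing), groups)


if __name__ == "__main__":
    alice = User("alice", frozenset({"Admin"}))
    report = encrypt_file(b"quarterly numbers", "SuFile∩Admin", frozenset({"SuFile"}))
    print(TransparentDecryptService(alice).open_file(r"C:\sandbox\report.docx", report))
```

The policy check sits in the service, not in the cipher, which is exactly the gap a real attribute-based scheme closes: with ABE a user whose key lacks the Admin attribute cannot decrypt even if the service is bypassed, whereas this stand-in relies on the service being the only path to the content key.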

Claims (1)

1. A method for dynamic access control and encryption of files within an attribute-based security sandbox, characterized by comprising the following steps:
Step S1: perform system initialization, including generation of the system master key and public key, and user identity registration;
Step S2: the user logs in at the terminal using a supported authentication method; after authorization is granted, a security sandbox environment is created for the user; the supported authentication methods include password authentication, USB-Key authentication and certificate authentication;
Step S3: intercept file operations in the terminal security sandbox;
Step S4: determine whether the file corresponding to a file operation belongs to the current security sandbox; if the file belongs to the security sandbox, proceed to step S6; if the file does not belong to the security sandbox, proceed to step S5;
Step S5: file self-identification: parse the file and match it on file name, file format and file content; if a corresponding file exists in the attribute library, encrypt the file with the attributes from the attribute library and move it into the sandbox; if no corresponding file exists, allow the file operation;
Step S6: collect the current runtime environment, specifically the time, file operation path, user identity information, file keywords and file permission fields, and use the access control policy engine to decide whether the file operation is allowed; if the policy engine's result is deny, discard the file operation; if the result is allow, distinguish file read operations from write operations and enter the transparent encryption/decryption process;
Step S7: perform the encryption or decryption operation according to the file operation type; for a file read operation, read the file's encryption flag; if the file is encrypted, check whether a decryption cache exists: if a cached copy exists, return the plaintext file handle directly; if not, decrypt using the current user's attributes, and on success return the plaintext file handle and add the file to the cache; if the file is not encrypted, return the plaintext file handle to the user; for a file write operation, update the plaintext in the cache and encrypt the file according to the corresponding attributes.
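The claim specifies the inputs of the step S6 policy engine (time, file operation path, user identity, file keywords, file permission field) but not how the engine combines them. The following added example, not the patent's own code, shows one deny-overrides, default-deny engine in Python over those attributes, with a rule the administrator replaces at run time to adjust permissions on demand as the description envisions. The sandbox root, working hours, group names, the rule set and the file paths are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Environment:
    """Attributes collected in step S6 for one intercepted file operation."""
    now: datetime
    path: str
    user: str
    user_groups: FrozenSet[str]
    keywords: FrozenSet[str]      # keywords extracted from the file content
    permission_field: str         # the file's permission attribute, e.g. "rw"
    operation: str                # "read" or "write"


@dataclass
class Rule:
    name: str
    effect: str                   # "allow" or "deny"
    condition: Callable[[Environment], bool]


class PolicyEngine:
    """Deny-overrides, default-deny evaluation; rules are replaceable at run time."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules: Dict[str, Rule] = {r.name: r for r in rules}

    def set_rule(self, rule: Rule) -> None:
        # The administrator changes a policy; later decisions see it immediately.
        self.rules[rule.name] = rule

    def decide(self, env: Environment) -> bool:
        matched = [r for r in self.rules.values() if r.condition(env)]
        if any(r.effect == "deny" for r in matched):
            return False
        return any(r.effect == "allow" for r in matched)


SANDBOX_ROOT = "C:\\Sandbox\\"            # assumed sandbox path
WORK_HOURS = (time(8, 0), time(18, 0))    # assumed working hours


def in_work_hours(now: datetime) -> bool:
    return now.weekday() < 5 and WORK_HOURS[0] <= now.time() <= WORK_HOURS[1]


def build_default_engine() -> PolicyEngine:
    """Constructed rule set: sandbox members may operate on sandbox files,
    files tagged 'secret' are closed outside working hours, and a write
    requires 'w' in the file's permission field."""
    return PolicyEngine([
        Rule("sandbox-members", "allow",
             lambda e: e.path.startswith(SANDBOX_ROOT)
             and bool(e.user_groups & {"Engineering", "Admin"})),
        Rule("secret-after-hours", "deny",
             lambda e: "secret" in e.keywords and not in_work_hours(e.now)),
        Rule("write-needs-w", "deny",
             lambda e: e.operation == "write" and "w" not in e.permission_field),
    ])


def demo_decisions() -> Dict[str, bool]:
    """Constructed scenario: one user and file under changing runtime
    attributes, before and after the administrator relaxes one rule."""
    engine = build_default_engine()
    ok = Environment(datetime(2024, 3, 12, 10, 0), SANDBOX_ROOT + "design.docx",
                     "bob", frozenset({"Engineering"}), frozenset({"design"}), "rw", "read")
    late_secret = replace(ok, now=datetime(2024, 3, 12, 23, 0),
                          keywords=frozenset({"secret"}))
    results = {
        "read in sandbox during work hours": engine.decide(ok),
        "same file outside the sandbox": engine.decide(
            replace(ok, path="D:\\Downloads\\design.docx")),
        "write with read-only permission field": engine.decide(
            replace(ok, operation="write", permission_field="r")),
        "write with rw permission field": engine.decide(replace(ok, operation="write")),
        "secret file at 23:00": engine.decide(late_secret),
    }
    # Administrator lifts the time restriction without touching the files.
    engine.set_rule(Rule("secret-after-hours", "deny", lambda e: False))
    results["secret file at 23:00 after policy change"] = engine.decide(late_secret)
    results["user removed from Engineering"] = engine.decide(
        replace(ok, user_groups=frozenset({"Sales"})))
    return results


if __name__ == "__main__":
    for case, allowed in demo_decisions().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {case}")
```

Because the engine is default-deny and deny-overrides, an attribute the collector fails to gather (an empty group set, a missing permission field) degrades to refusal rather than to access, which is the safe failure mode for the interception point in step S3.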
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211577805.3A CN115935390B (en) 2022-12-09 2022-12-09 A method for dynamic access control and encryption of files within an attribute-based security sandbox

Publications (2)

Publication Number Publication Date
CN115935390A (en) 2023-04-07
CN115935390B (en) 2026-01-30

Family

ID=86553409

Country Status (1)

Country Link
CN (1) CN115935390B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116861411B (en) * 2023-06-05 2024-06-25 北京连山科技股份有限公司 Seccomp mechanism-based safe sandbox data protection method and system
CN117290823B (en) * 2023-11-21 2024-05-10 中国电信股份有限公司江西分公司 A method for intelligent detection and security protection of APP, computer equipment and medium
CN120724449A (en) * 2024-03-29 2025-09-30 华为技术有限公司 Method and electronic device for displaying encrypted files

Citations (2)

Publication number Priority date Publication date Assignee Title
CN113168476A (en) * 2018-11-30 2021-07-23 百可德罗德公司 Access Control for Personalized Cryptographic Security in Operating Systems
CN115329389A (en) * 2022-10-17 2022-11-11 中安网脉(北京)技术股份有限公司 File protection system and method based on data sandbox

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
KR101321479B1 (en) * 2012-02-22 2013-10-28 숭실대학교산학협력단 Method and Apparatus for preventing illegal copy of application software using access control of process
CN110059499A (en) * 2019-03-22 2019-07-26 华为技术有限公司 A kind of file access purview certification method and electronic equipment

Also Published As

Publication number Publication date
CN115935390A (en) 2023-04-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant