WO2022252449A1 - File access control method, file encryption method, and computing device - Google Patents

Info

Publication number
WO2022252449A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
value pairs
user
value
access
Prior art date
Application number
PCT/CN2021/120591
Other languages
French (fr)
Chinese (zh)
Inventor
卢桢
Original Assignee
统信软件技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 统信软件技术有限公司
Publication of WO2022252449A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • the invention relates to the technical fields of computers and the Internet, in particular to a file access control method, a file encryption method and computing equipment.
  • the present invention provides a file access control method and a file encryption method in an attempt to solve or at least alleviate the above existing problems.
  • a file access control method executed in a computing device, comprising the steps of: receiving a file access request sent by a user based on an access credential; obtaining one or more sets of value pairs based on the access credential, where each set of value pairs includes multiple value pairs and each set of value pairs corresponds to a file directory; decrypting the corresponding file directory according to each set of value pairs, to obtain one or more decrypted file directories corresponding to the user's access credential; and merging and mounting the one or more decrypted file directories to a predetermined directory, so that the user can access the one or more decrypted file directories under the predetermined directory.
  • the step of merging and mounting the one or more decrypted file directories to a predetermined directory includes: mounting a stacked file system in the predetermined directory, so that, based on the stacked file system, the one or more decrypted file directories are merged and mounted to the predetermined directory.
  • the step of decrypting the corresponding file directory according to each set of value pairs includes: calculating each set of value pairs according to the Lagrangian interpolation algorithm to obtain a constant value corresponding to each set of value pairs; and decrypting the corresponding file directory based on the constant value corresponding to each set of value pairs, so as to obtain a decrypted file directory corresponding to each set of value pairs.
  • a step is included: verifying each set of value pairs.
  • each value pair corresponds to a user attribute; the user attribute includes department, position and rank.
  • a file encryption method is provided, which is executed in a computing device, comprising the steps of: for each file directory, generating a polynomial based on a random algorithm, and encrypting the file directory based on a constant value of the polynomial; randomly generating a set of value pairs corresponding to the file directory according to the polynomial, each set of value pairs including a plurality of value pairs; determining one or more file directories that the user has permission to access according to the user identity, and generating access credentials corresponding to the user identity based on the one or more sets of value pairs corresponding to the one or more file directories; and sending the access credentials to the user, so that the user can access the corresponding one or more file directories.
  • the step of randomly generating a set of value pairs corresponding to the file directory according to the polynomial includes: randomly generating a plurality of random numbers; and calculating a corresponding value pair for each random number with the polynomial, to obtain a plurality of value pairs corresponding to the plurality of random numbers.
  • the step of generating an access credential corresponding to the user identity includes: combining one or more sets of value pairs corresponding to one or more file directories based on a predetermined format, generating a corresponding data value, and using the data value as the access credential.
  • encrypting the file directory based on the constant value of the polynomial includes: calculating the constant value of the polynomial, performing a hash calculation on the constant value to obtain a hash value, and encrypting the file directory based on the hash value.
  • each value pair corresponds to a user attribute; the user attribute includes department, position and rank.
  • a computing device comprising: at least one processor; and a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, and the program instructions include instructions for executing the above-mentioned file access control method.
  • a readable storage medium storing program instructions, and when the program instructions are read and executed by a computing device, the computing device is made to execute the method described above.
  • a file encryption method and a file access control method, wherein each file directory is encrypted according to the file encryption method, a corresponding set of value pairs is generated for each file directory, and the value pairs are related to user attributes.
  • the user is distributed access credentials with corresponding permissions, and the access credentials include one or more sets of value pairs corresponding to the one or more file directories that the user has permission to access.
  • the user can decrypt one or more file directories based on the corresponding access credentials, thereby being able to access one or more file directories matching the user's identity.
  • FIG. 1 shows a schematic diagram of a computing device 100 according to one embodiment of the present invention.
  • FIG. 2 shows a flowchart of a file encryption method 200 according to an embodiment of the present invention.
  • FIG. 3 shows a flowchart of a file access control method 300 according to an embodiment of the present invention.
  • FIG. 4 and FIG. 5 respectively show schematic diagrams of data formats of access credentials according to an embodiment of the present invention.
  • each file directory is encrypted according to the file encryption method, and corresponding access credentials are distributed to users according to user identities. Furthermore, by executing the file access control method, the user can decrypt one or more file directories based on corresponding access credentials, so as to access one or more file directories matching the user's identity.
  • FIG. 1 is a schematic block diagram of an example computing device 100.
  • computing device 100 typically includes system memory 106 and one or more processors 104.
  • a memory bus 108 may be used for communication between the processor 104 and the system memory 106.
  • processor 104 may be any type of processor including, but not limited to, a microprocessor (µP), microcontroller (µC), digital signal processor (DSP), or any combination thereof.
  • Processor 104 may include one or more levels of cache such as L1 cache 110 and L2 cache 112, processor core 114 and registers 116.
  • Exemplary processor core 114 may include an arithmetic logic unit (ALU), a floating point unit (FPU), a digital signal processing core (DSP core), or any combination thereof.
  • An example memory controller 118 may be used with the processor 104 or, in some implementations, the memory controller 118 may be an internal part of the processor 104.
  • system memory 106 may be any type of memory including, but not limited to: volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof.
  • System memory 106 may include an operating system 120, one or more applications 122, and program data 124.
  • applications 122 may be arranged to execute instructions on an operating system with program data 124 by one or more processors 104.
  • Computing device 100 also includes storage device 132, which includes removable storage 136 and non-removable storage 138.
  • Computing device 100 may also include storage interface bus 134.
  • Storage interface bus 134 enables communication from storage devices 132 (e.g., removable storage 136 and non-removable storage 138) to base configuration 102 via bus/interface controller 130.
  • Operating system 120, applications 122, and at least a portion of data 124 may be stored on removable storage 136 and/or non-removable storage 138 and, when computing device 100 is powered on or when applications 122 are about to be executed, loaded via the storage interface bus 134 into system memory 106 and executed by one or more processors 104.
  • Computing device 100 may also include interface bus 140 to facilitate communication from various interface devices (e.g., output devices 142, peripheral interfaces 144, and communication devices 146) to base configuration 102 via bus/interface controller 130.
  • Example output devices 142 include a graphics processing unit 148 and an audio processing unit 150. They may be configured to facilitate communication with various external devices such as a display or speakers via one or more A/V ports 152.
  • Example peripheral interfaces 144 may include serial interface controller 154 and parallel interface controller 156, which may be configured to facilitate communication, via one or more I/O ports 158, with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device) or other peripherals (e.g., printers, scanners).
  • An example communication device 146 may include a network controller 160, which may be arranged to facilitate communication with one or more other computing devices 162 over a network communication link via one or more communication ports 164.
  • a network communication link may be one example of a communication medium.
  • Communication media typically embodies computer readable instructions, data structures, program modules in a modulated data signal such as a carrier wave or other transport mechanism and may include any information delivery media.
  • a "modulated data signal" may be a signal in which one or more of its characteristics are set or changed in such a manner as to encode information in the signal.
  • communication media may include wired media such as a wired or dedicated-line network, and various wireless media such as acoustic, radio frequency (RF), microwave, infrared (IR) or other wireless media.
  • the term computer readable media as used herein may include both storage media and communication media.
  • Computing device 100 may be implemented as a personal computer including desktop and notebook computer configurations.
  • the computing device 100 can also be implemented as part of a small-sized portable (or mobile) electronic device, such as a cellular phone, a digital camera, a personal digital assistant (PDA), a personal media player device, a wireless network browsing device, a personal headset, an application-specific device, or a hybrid device that can include any of the above.
  • It can even be implemented as a server, such as a file server, database server, application program server, and WEB server. The embodiments of the present invention do not limit this.
  • the computing device 100 is configured to execute the file encryption method 200 and/or the file access control method 300 according to the present invention.
  • the application 122 of the computing device 100 contains a plurality of program instructions for executing the file encryption method 200 and/or the file access control method 300 of the present invention, and these program instructions can be read and executed by the computing device 100, so that the computing device 100 executes the file encryption method 200 and the file access control method 300 according to the present invention.
  • Fig. 2 shows a flowchart of a file encryption method 200 according to an embodiment of the present invention.
  • the method 200 is suitable for execution in a computing device, such as the aforementioned computing device 100.
  • each file directory is encrypted separately based on the file encryption method 200 .
  • the method 200 begins with step S210.
  • in step S210, for each file directory, when encrypting the file directory, a polynomial is generated based on a random algorithm, and the file directory is encrypted based on a constant value of the polynomial.
  • the constant value f(0) can be hashed based on a hash function to obtain a hash value, and the hash value corresponding to the constant value f(0) is used as the encryption key of the file directory to encrypt the file directory.
  • a set of value pairs corresponding to the file directory is randomly generated according to the polynomial, and each set of value pairs includes a plurality of value pairs.
  • each file directory corresponds to a set of value pairs, that is, each file directory corresponds to multiple value pairs.
  • Different file directories correspond to different value pair groups, so that the file directory is encrypted based on the corresponding group of value pairs.
  • the present invention does not limit the number of value pairs included in each set of value pairs.
  • multiple random numbers are randomly generated, and corresponding value pairs are obtained by calculating each random number with a polynomial.
  • the value of the polynomial f(x) is calculated by substituting each random number into the polynomial, and the value pair corresponding to the random number is obtained by combining the random number with the value of the corresponding polynomial.
  • the value pair corresponding to the random number a can be expressed as {a, f(a)}. In this way, a plurality of value pairs corresponding to a plurality of random numbers can be finally calculated, wherein each random number corresponds to a value pair.
  • in step S230, one or more file directories that the user has permission to access are determined according to the user identity.
  • an access credential corresponding to the user identity is generated based on one or more sets of value pairs corresponding to one or more file directories that the user has permission to access.
  • the access credentials (one or more sets of value pairs) corresponding to each user are determined according to the user identity, and the access credentials likewise determine, according to the user identity, the one or more file directories that the user is authorized to access. Therefore, one or more sets of value pairs in the user's access credentials are related to the user's identity and can prove the user's identity.
  • each value pair corresponds to a user attribute
  • the user attribute is an attribute that can be related to the user identity.
  • the user identity can be determined by one or more user attributes, or in other words, the user identity is related to one or more user attributes.
  • the user attributes related to the user identity may include the user's department, position, rank, etc., but are not limited thereto.
  • when the attributes used to determine the user identity include the user's department, position, and rank, the user identity is related to the three user attributes of department, position, and rank.
  • each user attribute is represented by a corresponding value pair, and access credentials are generated based on multiple value pairs corresponding to multiple user attributes, where each value pair represents a user attribute. In this way, the access credentials generated based on multiple value pairs are also access credentials related to user identities.
  • the number of value pairs included in each group of value pairs is equal to the number of types of user attributes related to the user identity. For example, when the user identity is related to the three user attributes of department, position and rank, a set of value pairs corresponding to each file directory is composed of three value pairs.
  • one or more sets of value pairs corresponding to one or more file directories may be assembled and combined based on a predetermined format, to generate the corresponding data value, and use the data value as the access credential.
  • the present invention does not limit the specific data format of the data value corresponding to the access credential, which can be set by those skilled in the art according to actual needs.
  • FIG. 4 and FIG. 5 respectively show schematic diagrams of data formats of access credentials according to an embodiment of the present invention.
  • generating access credentials based on one or more sets of value pairs may be performed according to the following method:
  • the first 4 bytes of the data are used to store the length of the random number x, followed by the value of the random number x, followed by the length of the corresponding polynomial f(x) value; the polynomial f(x) value is stored after the length of the f(x) value.
  • Each value pair is processed according to this rule, so that each value pair is combined until all value pairs corresponding to a polynomial (that is, a set of value pairs corresponding to a file directory) are processed, and the final value is set to 0.
  • hash calculation is performed on the data before the 0 value to obtain a hash value, and the hash value (Hash) is stored behind the 0 value, for verifying the correctness of the key values and resisting brute-force cracking.
  • in step S240, the access credential is sent to the user, so that the user can access the corresponding one or more file directories based on the access credential.
  • the one or more file directories that can be accessed based on the access credentials are the one or more file directories that the user matching the user identity has permission to access.
  • FIG. 3 shows a flowchart of a file access control method 300 according to an embodiment of the present invention.
  • Method 300 may be performed in computing device 100 .
  • the user may have access to one or more file directories corresponding to the user identity based on the access credentials obtained in the aforementioned method 200 . In this way, it is possible to control the access rights of users with different identities to the file directory.
  • the method 300 starts at step S310.
  • in step S310, the file access request sent by the user based on the access credential is received.
  • the access credential is the access credential distributed to the user based on the aforementioned method 200 and corresponding to the user identity, and the access credential is a data value obtained by combining one or more sets of value pairs.
  • in step S320, one or more sets of value pairs are obtained based on the access credentials.
  • each set of value pairs includes multiple value pairs, and each set of value pairs corresponds to a file directory that a user has permission to access.
  • when one or more sets of value pairs are obtained based on the access credentials, the data value corresponding to the access credentials is read according to its predetermined format: starting from the starting position of the data value, first obtain the predetermined bytes as the length value of x, then obtain the value of x stored after the length value, and then obtain the f(x) value stored after the value of x, so that the first set of value pairs is obtained. Furthermore, a second set of value pairs located after the first set of value pairs is acquired. By analogy, finally, multiple value pairs included in multiple sets of value pairs can be obtained from the data value corresponding to the access credential.
  • in step S330, the corresponding file directory is decrypted according to each set of value pairs, so as to obtain one or more decrypted file directories corresponding to the user's access credentials.
  • the decrypted file directory is the file directory that the user has permission to access.
  • each set of value pairs is also verified, so as to determine the validity of each set of value pairs. Specifically, following the method and data format described above for generating access credentials from multiple value pairs, when verifying the access credentials, a hash calculation is performed, based on the hash function, on the 0 value and the data in front of the 0 value (the multiple value pairs of a group of value pairs) to obtain an H value; the H value calculated here is then compared with the hash value in the access credential data value; if the two are equal, the verification is passed, and the corresponding file directory is decrypted according to the multiple value pairs in the group of value pairs.
  • when decrypting the corresponding file directory according to each set of value pairs, each set of value pairs is first calculated according to the Lagrangian interpolation algorithm to obtain the constant value f(0) corresponding to each set of value pairs. Furthermore, the corresponding file directory is decrypted based on the constant value f(0) corresponding to each group of value pairs, so as to obtain the decrypted file directory corresponding to each group of value pairs. In this way, the user can access the decrypted one or more file directories based on the access credentials.
  • in step S330, when decrypting the corresponding file directory based on the constant value f(0) corresponding to each group of value pairs, the constant value f(0) may in fact be hashed based on a hash function to obtain a hash value, and the file directory may then be decrypted based on the hash value corresponding to the constant value f(0).
  • in step S340, the one or more decrypted file directories are merged and mounted to a predetermined directory, so that the user can access the one or more decrypted file directories under the predetermined directory.
  • the present invention does not limit the predetermined directory for merging and mounting, as long as it is a file directory that is convenient for users to view.
  • the predetermined directory can be implemented as a user directory.
  • one or more decrypted file directories can be combined and mounted to the predetermined directory based on the stacked file system.
  • the stacked file system can be realized as AUFS, for example.
  • the present invention does not limit the specific types of stacked file systems, and all stacked file systems in the prior art that can merge and mount multiple file directories into the same directory are within the protection scope of the present invention.
  • each file directory is encrypted separately, and a corresponding set of value pairs is generated for each file directory, and the value pairs are related to user attributes.
  • the user is distributed access credentials with corresponding permissions, and the access credentials include one or more sets of value pairs corresponding to the one or more file directories that the user has permission to access.
  • the user can decrypt one or more file directories based on the corresponding access credentials, so as to access one or more file directories matching the user's identity.
  • the various techniques described herein can be implemented in conjunction with hardware or software, or a combination thereof.
  • the method and device of the present invention, or certain aspects or parts of the method and device of the present invention, may take the form of program code (i.e., instructions) embedded in a tangible medium, such as a removable hard disk, USB flash drive, floppy disk, CD-ROM or any other machine-readable storage medium, wherein, when the program is loaded into a machine such as a computer and executed by the machine, the machine becomes an apparatus for practicing the invention.
  • in the case of program code execution on a programmable computer, the computing device generally includes a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device.
  • the memory is configured to store program code; the processor is configured to execute the method for identifying multilingual garbage text of the present invention according to instructions in the program code stored in the memory.
  • Readable media include, by way of example and not limitation, readable storage media and communication media.
  • Readable storage media store information such as computer readable instructions, data structures, program modules or other data.
  • Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
  • the algorithms and displays are not inherently related to any particular computer, virtual system, or other device.
  • Various general-purpose systems can also be used with examples of the invention. The structure required to construct such a system is apparent from the above description.
  • the present invention is not specific to any particular programming language. It should be understood that various programming languages can be used to implement the content of the present invention described herein, and the above description of specific languages is for disclosing the best mode of the present invention.
  • modules or units or components of the devices in the examples disclosed herein may be arranged in the device as described in this embodiment, or alternatively may be located in one or more devices different from the device in this example.
  • the modules in the preceding examples may be combined into one module or furthermore may be divided into a plurality of sub-modules.
  • modules in the device in the embodiment can be adaptively changed and arranged in one or more devices different from the embodiment.
  • Modules or units or components in the embodiments may be combined into one module or unit or component, and furthermore may be divided into a plurality of sub-modules or sub-units or sub-assemblies.
  • All features disclosed in this specification (including accompanying claims, abstract and drawings), and all processes or units of any method or device so disclosed, may be combined in any combination, except where at least some of such features and/or processes or units are mutually exclusive.
  • Each feature disclosed in this specification may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
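
The encryption steps (random polynomial, value pairs, credential layout) and the access-control steps (parsing, hash verification, Lagrangian interpolation to f(0)) described above, as an added Python sketch that is not code from the patent or its applicant. The prime field, SHA-256, 4-byte big-endian length fields, the 4-byte zero terminator, hashing only the data before the 0 value, and all function names are assumptions made here, since the text leaves them open.

```python
import hashlib
import hmac
import secrets
import struct

# Assumptions, none of them fixed by the patent text: arithmetic in the prime
# field GF(P), SHA-256 as the hash, 4-byte big-endian length fields, and a
# 4-byte zero length field as the "0 value" that closes a group.
P = 2**127 - 1  # a Mersenne prime
HASH_LEN = 32


def evaluate(coeffs, x):
    """f(x) mod P by Horner's rule; coeffs[0] is the constant term f(0)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def derive_key(f0):
    """Directory key = hash of the constant value f(0)."""
    return hashlib.sha256(f0.to_bytes(16, "big")).digest()


def make_directory_secret(n_pairs):
    """Encryption side: random polynomial, its key, and n_pairs points on it."""
    coeffs = [secrets.randbelow(P) for _ in range(n_pairs)]  # degree n_pairs-1
    xs = set()
    while len(xs) < n_pairs:  # distinct, non-zero x values
        xs.add(1 + secrets.randbelow(P - 1))
    return derive_key(coeffs[0]), [(x, evaluate(coeffs, x)) for x in sorted(xs)]


def _field(n):
    """Length-prefixed big-endian integer, never shorter than one byte."""
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return struct.pack(">I", len(raw)) + raw


def pack_credential(groups):
    """len(x) | x | len(f(x)) | f(x) ... | 0 | hash(data before the 0)."""
    out = b""
    for pairs in groups:
        body = b"".join(_field(x) + _field(y) for x, y in pairs)
        out += body + struct.pack(">I", 0) + hashlib.sha256(body).digest()
    return out


def parse_credential(blob):
    """Access side: split the credential into verified groups of value pairs."""
    groups, pos = [], 0
    while pos < len(blob):
        start, values = pos, []
        while True:
            if pos + 4 > len(blob):
                raise ValueError("truncated length field")
            (n,) = struct.unpack_from(">I", blob, pos)
            pos += 4
            if n == 0:  # terminator reached
                break
            if pos + n > len(blob):
                raise ValueError("truncated value")
            values.append(int.from_bytes(blob[pos:pos + n], "big"))
            pos += n
        body, digest = blob[start:pos - 4], blob[pos:pos + HASH_LEN]
        pos += HASH_LEN
        if not values or len(values) % 2:
            raise ValueError("group does not hold whole value pairs")
        if not hmac.compare_digest(digest, hashlib.sha256(body).digest()):
            raise ValueError("group hash mismatch")
        groups.append(list(zip(values[0::2], values[1::2])))
    return groups


def recover_constant(pairs):
    """Lagrangian interpolation evaluated at x = 0, i.e. f(0) mod P."""
    total = 0
    for i, (xi, yi) in enumerate(pairs):
        num = den = 1
        for j, (xj, _) in enumerate(pairs):
            if i != j:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P  # raises on repeated x
    return total


def demo():
    """Constructed data: one user entitled to two directories, 3 pairs each."""
    key_a, pairs_a = make_directory_secret(3)
    key_b, pairs_b = make_directory_secret(3)
    credential = pack_credential([pairs_a, pairs_b])
    recovered = [derive_key(recover_constant(g)) for g in parse_credential(credential)]
    return recovered == [key_a, key_b]


if __name__ == "__main__":
    print("keys recovered from credential:", demo())
```

With three value pairs per group the sketch uses a degree-2 polynomial, so interpolating from fewer pairs yields a different constant and therefore a different key. The trailing hash in this sketch is unkeyed: it detects a damaged group, but anyone able to rewrite the credential can recompute it.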

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

Disclosed is a file access control method, implemented in a computing device and comprising the steps: receiving an access request for a file sent by a user on the basis of an access credential; obtaining one or more groups of value pairs on the basis of the access credential, each group of value pairs comprising a plurality of value pairs, and each group of value pairs respectively corresponding to one file directory; decrypting the corresponding file directory according to each group of value pairs, respectively, to obtain one or more decrypted file directories corresponding to the access credential of the user; and combining and mounting the one or more decrypted file directories to a predetermined directory, such that the user can access the one or more decrypted file directories under the predetermined directory. A corresponding file encryption method and the computing device are further disclosed. According to the solution of the present invention, access permissions of users of different identities to a file directory can be controlled, and user experience is better.

Description

文件访问控制方法、文件加密方法及计算设备File access control method, file encryption method and computing device 技术领域technical field

本发明涉及计算机及互联网技术领域,特别涉及一种文件访问控制方法、文件加密方法及计算设备。The invention relates to the technical fields of computers and the Internet, in particular to a file access control method, a file encryption method and computing equipment.

Background Art

At present, in daily work, users with different identities access files of different confidentiality levels. With existing encryption technology, a user who holds the decryption key of a file can open it and modify all of its contents. Such modification is not restricted by user identity, which can easily lead to misuse of the data.

In the prior art, in order for different users on one machine to access different folders, a separate encrypted folder must be created for each user, so that each user can access only their own encrypted folder. With this file encryption scheme, because the encrypted folders are scattered across different paths, files cannot be managed in a unified way. Moreover, each user needs to keep their own copy of the same file, which wastes storage space. In addition, this scheme cannot restrict the access rights of users with different identities.

In another scheme, an encrypted directory and several subdirectories are created, and the user holds the key of the encrypted directory and a token that proves the user's identity. When the user needs to view files at the corresponding permission level, an unlock operation is performed first, and the token is then passed to the encryption system, which confirms the user's identity and displays the directories for the corresponding permission. Although this scheme can implement access rights for users with different identities, the directories are not encrypted individually, so any user who gets into the root directory can view and operate on all files by technical means. Thus, even with permission restrictions in place, this scheme cannot isolate data between users with different identities, and data security cannot be guaranteed.

A file access control method is therefore needed to solve the problems in the above technical solutions.

Summary of the Invention

To this end, the present invention provides a file access control method and a file encryption method in an attempt to solve, or at least alleviate, the problems described above.

According to one aspect of the present invention, a file access control method is provided, executed in a computing device, comprising the steps of: receiving an access request for a file sent by a user based on an access credential; obtaining one or more sets of value pairs based on the access credential, each set of value pairs including multiple value pairs and each set corresponding to one file directory; decrypting the corresponding file directory according to each set of value pairs, to obtain one or more decrypted file directories corresponding to the user's access credential; and merging and mounting the one or more decrypted file directories to a predetermined directory, so that the user can access the one or more decrypted file directories under the predetermined directory.

Optionally, in the file access control method according to the present invention, the step of merging and mounting the one or more decrypted file directories to a predetermined directory includes: mounting a stacked file system at the predetermined directory, so that the one or more decrypted file directories are merged and mounted to the predetermined directory based on the stacked file system.

Optionally, in the file access control method according to the present invention, the step of decrypting the corresponding file directory according to each set of value pairs includes: computing on each set of value pairs with the Lagrange interpolation algorithm to obtain the constant value corresponding to each set of value pairs; and decrypting the corresponding file directory based on the constant value corresponding to each set of value pairs, to obtain the decrypted file directory corresponding to each set of value pairs.

Optionally, in the file access control method according to the present invention, before the corresponding file directory is decrypted according to each set of value pairs, the method includes the step of verifying each set of value pairs.

Optionally, in the file access control method according to the present invention, each value pair corresponds to one user attribute; the user attributes include department, position and rank.

According to one aspect of the present invention, a file encryption method is provided, executed in a computing device, comprising the steps of: for each file directory, generating a polynomial based on a random algorithm and encrypting the file directory based on the constant value of the polynomial; randomly generating, according to the polynomial, a set of value pairs corresponding to the file directory, each set of value pairs including multiple value pairs; determining, according to the user identity, one or more file directories that the user has permission to access, and generating an access credential corresponding to the user identity based on the one or more sets of value pairs corresponding to the one or more file directories; and sending the access credential to the user, so that the user can access the corresponding one or more file directories based on the access credential.

Optionally, in the file encryption method according to the present invention, the step of randomly generating, according to the polynomial, a set of value pairs corresponding to the file directory includes: randomly generating multiple random numbers; and computing a corresponding value pair from each random number and the polynomial, to obtain multiple value pairs corresponding to the multiple random numbers.

Optionally, in the file encryption method according to the present invention, the step of generating an access credential corresponding to the user identity includes: combining the one or more sets of value pairs corresponding to the one or more file directories according to a predetermined format to generate a corresponding data value, and using the data value as the access credential.

Optionally, in the file encryption method according to the present invention, encrypting the file directory based on the constant value of the polynomial includes: calculating the constant value of the polynomial, and encrypting the file directory based on the hash value obtained by hashing the constant value.

Optionally, in the file encryption method according to the present invention, each value pair corresponds to one user attribute; the user attributes include department, position and rank.

According to one aspect of the present invention, a computing device is provided, comprising: at least one processor; and a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor and include instructions for executing the file access control method described above.

According to one aspect of the present invention, a readable storage medium storing program instructions is provided; when the program instructions are read and executed by a computing device, they cause the computing device to execute the method described above.

According to the technical solution of the present invention, a file encryption method and a file access control method are provided. Under the file encryption method, each file directory is encrypted separately, and a corresponding set of value pairs is generated for each file directory; the value pairs are related to user attributes. Access credentials with the corresponding permissions are distributed to a user according to the one or more file directories the user has permission to access, and the access credential includes the one or more sets of value pairs corresponding to those file directories. By executing the file access control method, the user can then decrypt one or more file directories based on the corresponding access credential, and so access the one or more file directories that match the user's identity. Thus, according to the technical solution of the present invention, the access permissions of users with different identities to file directories can be controlled, and data isolation between users with different identities is achieved.

In addition, by merging and mounting the one or more file directories that a user has permission to access under the same predetermined directory, the user can view and modify, in one directory, the files of all file directories corresponding to their identity, without switching between directories to view the files in different file directories. This has the effect of gathering, for users with different identities, all the file directories they have permission to access, which helps users view and operate on files more efficiently and gives a better user experience.

Brief Description of the Drawings

To accomplish the foregoing and related ends, certain illustrative aspects are described herein in conjunction with the following description and the drawings. These aspects indicate various ways in which the principles disclosed herein may be practiced, and all aspects and their equivalents are intended to fall within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description read in conjunction with the accompanying drawings. Throughout this disclosure, like reference numerals generally refer to like parts or elements.

FIG. 1 shows a schematic diagram of a computing device 100 according to one embodiment of the present invention;

FIG. 2 shows a flowchart of a file encryption method 200 according to one embodiment of the present invention;

FIG. 3 shows a flowchart of a file access control method 300 according to one embodiment of the present invention; and

FIG. 4 and FIG. 5 each show a schematic diagram of the data format of an access credential according to one embodiment of the present invention.

Detailed Description

Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure can be understood more thoroughly and its scope can be fully conveyed to those skilled in the art.

According to the technical solution of the present invention, each file directory is encrypted according to the file encryption method, and a corresponding access credential is distributed to each user according to the user's identity. By executing the file access control method, the user can then decrypt one or more file directories based on the corresponding access credential, in order to access the one or more file directories that match the user's identity.

FIG. 1 is a schematic block diagram of an example computing device 100.

As shown in FIG. 1, in a basic configuration 102, the computing device 100 typically includes a system memory 106 and one or more processors 104. A memory bus 108 may be used for communication between the processor 104 and the system memory 106.

Depending on the desired configuration, the processor 104 may be any type of processor, including but not limited to a microprocessor (µP), a microcontroller (µC), a digital signal processor (DSP), or any combination thereof. The processor 104 may include one or more levels of cache, such as a level-1 cache 110 and a level-2 cache 112, a processor core 114 and registers 116. An example processor core 114 may include an arithmetic logic unit (ALU), a floating-point unit (FPU), a digital signal processing core (DSP core), or any combination thereof. An example memory controller 118 may be used with the processor 104, or in some implementations the memory controller 118 may be an internal part of the processor 104.

Depending on the desired configuration, the system memory 106 may be any type of memory, including but not limited to volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof. The system memory 106 may include an operating system 120, one or more applications 122, and program data 124. In some implementations, the applications 122 may be arranged to execute instructions on the operating system, by the one or more processors 104, using the program data 124.

The computing device 100 also includes a storage device 132, which includes removable storage 136 and non-removable storage 138.

The computing device 100 may also include a storage interface bus 134. The storage interface bus 134 enables communication from the storage device 132 (for example, the removable storage 136 and the non-removable storage 138) to the basic configuration 102 via a bus/interface controller 130. At least part of the operating system 120, the applications 122 and the data 124 may be stored on the removable storage 136 and/or the non-removable storage 138, and loaded into the system memory 106 via the storage interface bus 134 and executed by the one or more processors 104 when the computing device 100 is powered on or an application 122 is to be executed.

The computing device 100 may also include an interface bus 140 that facilitates communication from various interface devices (for example, output devices 142, peripheral interfaces 144 and communication devices 146) to the basic configuration 102 via the bus/interface controller 130. Example output devices 142 include a graphics processing unit 148 and an audio processing unit 150, which may be configured to facilitate communication with various external devices such as a display or speakers via one or more A/V ports 152. Example peripheral interfaces 144 may include a serial interface controller 154 and a parallel interface controller 156, which may be configured to facilitate communication, via one or more I/O ports 158, with external devices such as input devices (for example, a keyboard, mouse, pen, voice input device or touch input device) or other peripherals (for example, a printer or scanner). An example communication device 146 may include a network controller 160, which may be arranged to facilitate communication with one or more other computing devices 162 over a network communication link via one or more communication ports 164.

A network communication link may be one example of a communication medium. Communication media may typically be embodied as computer-readable instructions, data structures or program modules in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media. A "modulated data signal" may be a signal in which one or more of its data sets, or changes to them, are made in such a manner as to encode information in the signal. As non-limiting examples, communication media may include wired media such as a wired network or a dedicated-line network, and various wireless media such as acoustic, radio frequency (RF), microwave, infrared (IR) or other wireless media. The term computer-readable media as used here may include both storage media and communication media.

The computing device 100 may be implemented as a personal computer, including desktop and notebook computer configurations. The computing device 100 may also be implemented as part of a small-size portable (or mobile) electronic device, such as a cellular phone, a digital camera, a personal digital assistant (PDA), a personal media player device, a wireless web-browsing device, a personal headset device, an application-specific device, or a hybrid device that includes any of the above functions. It may even be implemented as a server, such as a file server, database server, application server or web server. The embodiments of the present invention place no limitation on this.

In an embodiment according to the present invention, the computing device 100 is configured to execute the file encryption method 200 and/or the file access control method 300 according to the present invention. The applications 122 of the computing device 100 contain multiple program instructions for executing the file encryption method 200 and/or the file access control method 300 of the present invention; these program instructions can be read and executed by the computing device 100, so that the computing device 100 executes the file encryption method 200 and the file access control method 300 according to the present invention.

FIG. 2 shows a flowchart of a file encryption method 200 according to one embodiment of the present invention. The method 200 is suitable for execution in a computing device (for example, the aforementioned computing device 200). It should be noted that, according to the technical solution of the present invention, each file directory is encrypted separately based on the file encryption method 200.

As shown in FIG. 2, the method 200 begins at step S210.

In step S210, for each file directory, when the file directory is encrypted, a polynomial is generated based on a random algorithm, and the file directory is encrypted based on the constant value of the polynomial.

Here, the polynomial can be written as f(x), where f(x) = ax^(n-1) + bx^(n-2) + ... + c. The constant value of the polynomial is its value at x = 0, that is, the constant value f(0). In one embodiment, after the polynomial has been randomly generated and its constant value f(0) calculated, the constant value f(0) can be hashed with a hash function to obtain a hash value, and the hash value corresponding to the constant value f(0) is used as the encryption key of the file directory to encrypt the file directory.

Next, in step S220, a set of value pairs corresponding to the file directory is randomly generated according to the polynomial, each set of value pairs including multiple value pairs. It should be noted that each file directory corresponds to one set of value pairs, that is, each file directory corresponds to multiple value pairs. Different file directories correspond to different sets of value pairs, so that a file directory is encrypted based on its corresponding set of value pairs. The present invention places no limit on the number of value pairs included in each set.

In one embodiment, multiple random numbers are randomly generated, and a corresponding value pair is computed from each random number and the polynomial. Specifically, each random number is substituted into the polynomial to calculate the value of f(x), and the random number is combined with the corresponding polynomial value to give the value pair for that random number. For example, if one of the random numbers is a, the value pair corresponding to a can be written as {a, f(a)}. In this way, multiple value pairs corresponding to the multiple random numbers are obtained, with each random number corresponding to one value pair.
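The polynomial, value-pair and key-derivation steps of S210 and S220, together with the Lagrange interpolation step named in the summary, as an added example that is not code from the patent. It assumes arithmetic modulo a public prime, SHA-256 as the hash function, and a polynomial whose degree is one less than the number of value pairs; the patent specifies none of these, and all function names are hypothetical.

```python
import hashlib
import secrets

# Assumption: all arithmetic is modulo a public prime so interpolation is exact.
# The patent does not name a field. 2**127 - 1 is a Mersenne prime.
PRIME = 2**127 - 1


def random_polynomial(degree):
    """Return coefficients [c0, c1, ..., c_degree]; c0 is the constant value f(0)."""
    coeffs = [secrets.randbelow(PRIME) for _ in range(degree)]
    # Non-zero leading coefficient, so the polynomial really has this degree.
    coeffs.append(1 + secrets.randbelow(PRIME - 1))
    return coeffs


def evaluate(coeffs, x):
    """Evaluate f(x) mod PRIME with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def make_value_pairs(coeffs, count):
    """Pick `count` distinct random x and return the value pairs (x, f(x))."""
    xs = set()
    while len(xs) < count:
        # x = 0 is excluded: the pair (0, f(0)) would hand out the constant itself.
        xs.add(1 + secrets.randbelow(PRIME - 1))
    return [(x, evaluate(coeffs, x)) for x in sorted(xs)]


def directory_key(constant):
    """Hash the constant value f(0) to get the directory key (SHA-256 assumed)."""
    return hashlib.sha256(constant.to_bytes(16, "big")).digest()


def recover_constant(pairs):
    """Lagrange interpolation evaluated at x = 0, i.e. the constant value f(0)."""
    if len({x for x, _ in pairs}) != len(pairs):
        raise ValueError("value pairs must have distinct x")
    total = 0
    for i, (xi, yi) in enumerate(pairs):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pairs):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Division in the field is multiplication by the modular inverse.
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    # Three value pairs, one per user attribute (department, position, rank).
    poly = random_polynomial(2)
    pairs = make_value_pairs(poly, 3)
    key = directory_key(poly[0])
    print("full set recovers key:", directory_key(recover_constant(pairs)) == key)
    print("two pairs recover key:", directory_key(recover_constant(pairs[:2])) == key)
```

With fewer value pairs than the polynomial has coefficients, interpolation returns a different constant, so the derived key does not decrypt the directory.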

Next, in step S230, the one or more file directories that the user has permission to access are determined according to the user identity. The set of value pairs corresponding to each file directory is determined, and an access credential corresponding to the user identity is generated based on the one or more sets of value pairs corresponding to the one or more file directories the user has permission to access.

It should be noted that, according to the technical solution of the present invention, the access credential (one or more sets of value pairs) of each user is determined according to the user identity, and the access credential also determines the one or more file directories that the user has permission to access according to that identity. The one or more sets of value pairs in a user's access credential are therefore related to the user identity and can prove it.

In one embodiment, each value pair corresponds to one user attribute, a user attribute being an attribute that can be related to the user identity. It should be noted that, according to the technical solution of the present invention, the user identity can be determined by one or more user attributes; in other words, the user identity is related to one or more user attributes. For example, the user attributes related to the user identity may include the user's department, position and rank, but are not limited to these.

It should be understood that when the attributes used to determine the user identity include the user's department, position and rank, the user identity is related to these three user attributes. When the access credential corresponding to the user identity is generated, each user attribute is represented by a corresponding value pair, and the access credential is generated from the multiple value pairs corresponding to the multiple user attributes, each value pair representing one user attribute. An access credential generated from multiple value pairs is therefore an access credential related to the user identity.

It can be understood that the number of value pairs in each set equals the number of kinds of user attributes related to the user identity. For example, when the user identity is related to the three user attributes of department, position and rank, the set of value pairs corresponding to each file directory consists of three value pairs.

According to one embodiment, when the access credential corresponding to the user is generated from one or more sets of value pairs, the one or more sets of value pairs corresponding to the one or more file directories can be assembled according to a predetermined format to generate a corresponding data value, and that data value is used as the access credential. The present invention does not limit the specific data format of the data value corresponding to the access credential, which can be set by those skilled in the art according to actual needs.

FIG. 4 and FIG. 5 each show a schematic diagram of the data format of an access credential according to one embodiment of the present invention.

In one embodiment, generating an access credential from one or more sets of value pairs may be performed as follows:

As shown in FIG. 4, the first 4 bytes of the data store the length of the random number x, followed immediately by the value of x; x is followed immediately by the length of the corresponding polynomial value f(x), and the value of f(x) is stored after that length. Each value pair is processed according to this rule and the value pairs are combined, until all the value pairs corresponding to one polynomial (that is, the set of value pairs corresponding to one file directory) have been processed, and the final value is set to 0. After all the value pairs corresponding to one polynomial have been processed, the data before the 0 value is hashed to obtain a hash value, and that hash value (Hash) is stored after the 0 value, to be used for verifying the correctness of the key value pairs and for resisting brute-force cracking.

As shown in FIG. 5, when an access credential is generated from a combination of multiple sets of value pairs, the length of the Hash value is fixed, so once one set of value pairs has been processed, the start position of the next set is determined simply by an offset of that fixed length. Each set of value pairs is assembled by the method above until all the sets have been processed, and the result is an access credential in the predetermined data format, assembled from the multiple sets of value pairs.

Finally, in step S240, the access credential is sent to the user, so that the user can access the corresponding one or more file directories based on the access credential. Here, the one or more file directories that can be accessed with the access credential are the one or more file directories that a user of the matching identity has permission to access.

FIG. 3 shows a flowchart of a file access control method 300 according to one embodiment of the present invention. The method 300 may be executed in the computing device 100.

It should be noted that by executing the file access control method 300, the user is given permission, based on the access credential obtained in the aforementioned method 200, to access the one or more file directories corresponding to the user identity. In this way, the access permissions of users with different identities to file directories can be controlled.

As shown in FIG. 3, the method 300 begins at step S310.

In step S310, an access request for a file, sent by the user based on an access credential, is received. Here, the access credential is the one distributed to the user by the aforementioned method 200 and corresponding to the user identity; it is a data value obtained by combining one or more sets of value pairs.

In step S320, one or more groups of value pairs are obtained from the access credential. As described above, each group of value pairs includes multiple value pairs, and each group corresponds to one file directory that the user is authorized to access.

According to one embodiment, the value pairs are extracted in a way that mirrors the method and data format used above to generate the access credential from multiple value pairs. Following the predetermined format of the credential's data value and starting from its beginning, a predetermined number of bytes is read first as the length value of x; the x value stored after that length value is then read, followed by the f(x) value stored after the x value. In this way the first group of value pairs is obtained. The second group of value pairs, located after the first, is then obtained, and so on, until the multiple value pairs contained in each of the groups have been obtained from the credential's data value.

Then, in step S330, the corresponding file directory is decrypted according to each group of value pairs, yielding one or more decrypted file directories corresponding to the user's access credential. It should be understood that a decrypted file directory is a file directory that the user is authorized to access.

According to one embodiment, after the one or more groups of value pairs have been obtained and before the corresponding file directories are decrypted, each group of value pairs is also verified to determine whether it is valid. Specifically, in line with the credential generation method and data format described above, verification applies the hash function to the 0 value together with the data preceding it (the multiple value pairs of one group) to compute a value H. H is then compared with the hash value stored in the credential's data value; if the two are equal, verification passes and the corresponding file directory is decrypted using the multiple value pairs in that group.

According to one embodiment, to decrypt the corresponding file directory from each group of value pairs, Lagrange interpolation is first applied to each group separately to obtain the constant value f(0) corresponding to that group. The corresponding file directory is then decrypted based on the constant value f(0) of each group, giving the decrypted file directory for that group. The user can thus access the one or more decrypted file directories on the basis of the access credential.

It should also be noted that, mirroring the directory encryption method described above, when the file directory is decrypted in step S330 based on a group's constant value f(0), the constant value f(0) may in practice be hashed with a hash function, and the file directory is then decrypted using the hash value of f(0).
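The following Python example is added here and is not code from the patent. It walks one credential through steps S320 and S330 as described above: parsing the groups, checking each group's hash, recovering f(0) by Lagrange interpolation, and hashing f(0) into a directory key. The field modulus, the one-byte length prefix, the 16-byte f(x) width, a zero length byte as the "0 value", SHA-256, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumptions (not given in this section of the patent):
P = 2**127 - 1     # prime modulus for the polynomial arithmetic
FX_LEN = 16        # f(x) stored as a fixed 16-byte big-endian integer
HASH_LEN = 32      # SHA-256 is the fixed-length hash closing each group


class CredentialError(ValueError):
    """Raised when a credential is malformed or fails verification."""


def make_group(constant, degree, n_pairs):
    """Issuer side (method 200): random polynomial with f(0) = constant."""
    coeffs = [constant % P] + [secrets.randbelow(P) for _ in range(degree)]
    pairs = {}
    while len(pairs) < n_pairs:
        x = secrets.randbelow(P - 1) + 1          # never hand out x = 0
        pairs[x] = sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return list(pairs.items())


def encode_group(pairs):
    """Pack one group as [len(x)][x][f(x)]... [0x00][SHA-256 of all that]."""
    body = b""
    for x, y in pairs:
        xb = x.to_bytes((x.bit_length() + 7) // 8, "big")
        body += bytes([len(xb)]) + xb + y.to_bytes(FX_LEN, "big")
    body += b"\x00"                               # the "0 value" terminator
    return body + hashlib.sha256(body).digest()


def parse_credential(blob):
    """Step S320 plus verification: split into groups, check each hash."""
    groups, pos = [], 0
    while pos < len(blob):
        start, pairs = pos, []
        while True:
            if pos >= len(blob):
                raise CredentialError("group is missing its 0 terminator")
            n = blob[pos]
            pos += 1
            if n == 0:
                break
            if n > FX_LEN or pos + n + FX_LEN > len(blob):
                raise CredentialError("value pair runs past end of credential")
            x = int.from_bytes(blob[pos:pos + n], "big")
            y = int.from_bytes(blob[pos + n:pos + n + FX_LEN], "big")
            pairs.append((x, y))
            pos += n + FX_LEN
        expected = hashlib.sha256(blob[start:pos]).digest()
        if not hmac.compare_digest(expected, blob[pos:pos + HASH_LEN]):
            raise CredentialError("hash mismatch: group rejected")
        pos += HASH_LEN                           # fixed offset to next group
        groups.append(pairs)
    return groups


def recover_constant(pairs):
    """Step S330: Lagrange interpolation evaluated at 0, giving f(0)."""
    xs = [x % P for x, _ in pairs]
    if not pairs or 0 in xs or len(set(xs)) != len(xs):
        raise CredentialError("x values must be distinct and non-zero")
    total = 0
    for j, (xj, yj) in enumerate(pairs):
        num = den = 1
        for m, (xm, _) in enumerate(pairs):
            if m != j:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total


def directory_key(pairs):
    """Hash f(0) to obtain the value used to decrypt the directory."""
    return hashlib.sha256(recover_constant(pairs).to_bytes(FX_LEN, "big")).digest()


if __name__ == "__main__":
    # Constructed sample: two directories, each with a degree-2 polynomial.
    blob = encode_group(make_group(1111, 2, 3)) + encode_group(make_group(2222, 2, 3))
    for i, group in enumerate(parse_credential(blob)):
        print(i, recover_constant(group), directory_key(group).hex())
```

As described, the check is a plain hash over the group, so it detects a corrupted or truncated credential; it does not by itself authenticate who issued it.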

Finally, in step S340, the one or more decrypted file directories are merged and mounted at a predetermined directory so that the user can access them under that directory. The present invention places no restriction on the predetermined directory used for the merged mount, provided it is a file directory that is convenient for the user to view; for example, the predetermined directory may be implemented as a user directory.

In one embodiment, a stacked file system is mounted at the predetermined directory, and the one or more decrypted file directories are merged and mounted at the predetermined directory through it. The stacked file system may be implemented as AUFS, for example. The present invention does not, however, restrict the particular kind of stacked file system: all stacked file systems in the prior art that can merge and mount multiple file directories at the same directory fall within the scope of protection of the present invention.

It should be noted that by merging and mounting the one or more file directories the user is authorized to access under the same predetermined directory, the user can view and modify the files of all file directories corresponding to the user's identity in one place, without switching between directories to view files in different file directories. This has the effect of organizing, for users with different identities, all the file directories they are authorized to access, which improves the efficiency with which users view and operate on files and gives a better user experience.

In summary, the file encryption method 200 according to the present invention encrypts each file directory separately and generates a corresponding group of value pairs for each file directory, the value pairs being related to user attributes. According to the one or more file directories the user is authorized to access, an access credential with the corresponding permissions is distributed to the user; the access credential includes the one or more groups of value pairs corresponding to those file directories. By executing the file access control method 300 of the present invention, the user can then decrypt one or more file directories with the corresponding access credential and so access the one or more file directories that match the user's identity. The technical solution of the present invention thus controls the access rights of users with different identities to file directories and achieves data isolation between users with different identities.

The various techniques described herein may be implemented in hardware or software, or a combination of the two. Thus, the method and device of the present invention, or certain aspects or portions of them, may take the form of program code (that is, instructions) embodied in tangible media, such as a removable hard disk, USB flash drive, floppy disk, CD-ROM or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine such as a computer, the machine becomes a device for practicing the invention.

Where the program code executes on a programmable computer, the computing device generally includes a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. The memory is configured to store the program code; the processor is configured to execute the multilingual spam text identification method of the present invention according to instructions in the program code stored in the memory.

By way of example and not limitation, readable media include readable storage media and communication media. Readable storage media store information such as computer-readable instructions, data structures, program modules or other data. Communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and include any information delivery media. Combinations of any of the above are also included within the scope of readable media.

In the description provided herein, the algorithms and displays are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the examples of the present invention. The structure required to construct such systems is apparent from the description above. Furthermore, the present invention is not directed at any particular programming language. It should be understood that the content of the invention described herein can be implemented in a variety of programming languages, and that the description of specific languages above is given to disclose the best mode of the invention.

In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.

Similarly, it should be understood that, in order to streamline this disclosure and aid the understanding of one or more of the various inventive aspects, features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof in the above description of exemplary embodiments. This method of disclosure is not, however, to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single foregoing disclosed embodiment. The claims following the Detailed Description are therefore expressly incorporated into that Detailed Description, with each claim standing on its own as a separate embodiment of the invention.

Those skilled in the art should understand that the modules, units or components of the devices in the examples disclosed herein may be arranged in a device as described in the embodiment, or alternatively may be located in one or more devices different from the device in the example. The modules in the foregoing examples may be combined into one module or further divided into multiple sub-modules.

Those skilled in the art will understand that the modules in the device of an embodiment can be adaptively changed and placed in one or more devices different from that embodiment. The modules, units or components of the embodiments may be combined into one module, unit or component, and may further be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.

Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.

Furthermore, some of the embodiments are described herein as a method, or a combination of method elements, that can be implemented by a processor of a computer system or by other means of carrying out the function. A processor with the necessary instructions for carrying out such a method or method element therefore forms a means for carrying out the method or method element. In addition, an element of an apparatus embodiment described herein is an example of a means for carrying out the function performed by the element for the purpose of carrying out the invention.

As used herein, unless otherwise specified, the use of the ordinal numbers "first", "second", "third" and so on to describe an ordinary object merely indicates that different instances of similar objects are being referred to, and is not intended to imply that the objects so described must be in a given order, whether temporally, spatially, in ranking or in any other manner.

Although the invention has been described in terms of a limited number of embodiments, those skilled in the art, having the benefit of the above description, will appreciate that other embodiments can be envisaged within the scope of the invention thus described. It should also be noted that the language used in this specification has been chosen primarily for readability and instructional purposes, and not to explain or limit the subject matter of the invention. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. With respect to the scope of the invention, the disclosure made is illustrative and not restrictive, and the scope of the invention is defined by the appended claims.

Claims (12)

1. A file access control method, executed in a computing device, comprising the steps of:
receiving an access request for a file made by a user on the basis of an access credential;
obtaining one or more groups of value pairs based on the access credential, each group of value pairs including a plurality of value pairs, and each group of value pairs corresponding to one file directory;
decrypting the corresponding file directory according to each group of value pairs respectively, to obtain one or more decrypted file directories corresponding to the user's access credential; and
merging and mounting the one or more decrypted file directories to a predetermined directory, so that the user accesses the one or more decrypted file directories under the predetermined directory.

2. The method according to claim 1, wherein the step of merging and mounting the one or more decrypted file directories to a predetermined directory comprises:
mounting a stacked file system at the predetermined directory, so as to merge and mount the one or more decrypted file directories to the predetermined directory based on the stacked file system.

3. The method according to claim 1, wherein the step of decrypting the corresponding file directory according to each group of value pairs respectively comprises:
calculating each group of value pairs separately according to the Lagrange interpolation algorithm, to obtain a constant value corresponding to each group of value pairs;
decrypting the corresponding file directory based on the constant value corresponding to each group of value pairs, to obtain the decrypted file directory corresponding to each group of value pairs.

4. The method according to any one of claims 1-3, wherein, before the corresponding file directory is decrypted according to each group of value pairs, the method comprises the step of:
verifying each group of value pairs.

5. The method according to any one of claims 1-3, wherein
each value pair corresponds to one user attribute;
the user attributes include one or more of department, position and rank.

6. A file encryption method, executed in a computing device, comprising the steps of:
for each file directory, generating a polynomial based on a random algorithm, and encrypting the file directory based on the constant value of the polynomial;
randomly generating, according to the polynomial, a group of value pairs corresponding to the file directory, each group of value pairs including a plurality of value pairs;
determining, according to a user identity, one or more file directories that the user is authorized to access, and generating an access credential corresponding to the user identity based on the one or more groups of value pairs corresponding to the one or more file directories; and
sending the access credential to the user, so that the user accesses the corresponding one or more file directories based on the access credential.

7. The method according to claim 6, wherein the step of randomly generating, according to the polynomial, a group of value pairs corresponding to the file directory comprises:
randomly generating a plurality of random numbers;
calculating a corresponding value pair from each random number and the polynomial, to obtain a plurality of value pairs corresponding to the plurality of random numbers.

8. The method according to claim 6, wherein the step of generating an access credential corresponding to the user identity comprises:
combining the one or more groups of value pairs corresponding to the one or more file directories based on a predetermined format to generate a corresponding data value, and using the data value as the access credential.

9. The method according to any one of claims 6-8, wherein encrypting the file directory based on the constant value of the polynomial comprises:
calculating the constant value of the polynomial, and encrypting the file directory based on the hash value obtained by performing a hash calculation on the constant value.

10. The method according to any one of claims 6-8, wherein
each value pair corresponds to one user attribute;
the user attributes include one or more of department, position and rank.

11. A computing device, comprising:
at least one processor; and
a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, and the program instructions include instructions for performing the method according to any one of claims 1-5 and/or 6-10.

12. A readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to perform the method according to any one of claims 1-5 and/or 6-10.

PCT/CN2021/120591 2021-05-31 2021-09-26 File access control method, file encryption method, and computing device WO2022252449A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110604096.2 2021-05-31
CN202110604096.2A CN113051598B (en) 2021-05-31 2021-05-31 File access control method, file encryption method and computing device

Publications (1)

Publication Number Publication Date
WO2022252449A1 true WO2022252449A1 (en) 2022-12-08

Family

ID=76518608

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/120591 WO2022252449A1 (en) 2021-05-31 2021-09-26 File access control method, file encryption method, and computing device

Country Status (2)

Country Link
CN (1) CN113051598B (en)
WO (1) WO2022252449A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116627272A (en) * 2023-07-21 2023-08-22 深圳市则成电子股份有限公司 Touch control method and device and computer equipment

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113051598B (en) * 2021-05-31 2021-10-15 统信软件技术有限公司 File access control method, file encryption method and computing device
CN114329574B (en) * 2022-03-11 2022-06-24 统信软件技术有限公司 Encrypted partition access control method and system based on domain management platform and computing equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102136911A (en) * 2011-03-11 2011-07-27 西京学院 Method for encrypting electronic document
CN103473490A (en) * 2013-08-16 2013-12-25 亚太宝龙科技(湖南)有限公司 Directory encryption and access method and device of encrypted directory
CN104866391A (en) * 2015-05-13 2015-08-26 三星电子(中国)研发中心 Terminal information backup method and apparatus based on incremental information system
CN107241191A (en) * 2017-05-25 2017-10-10 西南交通大学 A kind of anti-key clone, key abuse based on encryption attribute method
CN108632237A (en) * 2017-09-15 2018-10-09 湖南科技大学 A kind of position service method based on the anonymity of more Anonymizers
CN113051598A (en) * 2021-05-31 2021-06-29 统信软件技术有限公司 File access control method, file encryption method and computing device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101753304B (en) * 2008-12-17 2012-07-04 中国科学院自动化研究所 Method for binding biological specificity and key
US20130238900A1 (en) * 2011-12-12 2013-09-12 Cleversafe, Inc. Dispersed storage network secure hierarchical file directory
CN109672529A (en) * 2019-01-07 2019-04-23 苏宁易购集团股份有限公司 A kind of method and system for going anonymization of combination block chain and privacy sharing
CN112035574A (en) * 2020-08-28 2020-12-04 山东爱城市网信息技术有限公司 Private data distributed storage method based on block chain technology
CN112148678B (en) * 2020-09-18 2023-01-06 苏州浪潮智能科技有限公司 File access method, system, device and medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116627272A (en) * 2023-07-21 2023-08-22 深圳市则成电子股份有限公司 Touch control method and device and computer equipment
CN116627272B (en) * 2023-07-21 2024-01-26 深圳市则成电子股份有限公司 Touch control method and device and computer equipment

Also Published As

Publication number Publication date
CN113051598A (en) 2021-06-29
CN113051598B (en) 2021-10-15

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21943802

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 20.03.2024)

122 Ep: pct application non-entry in european phase

Ref document number: 21943802

Country of ref document: EP

Kind code of ref document: A1