CN115310060A - Computer encryption and decryption method and system - Google Patents
Computer encryption and decryption method and system Download PDFInfo
- Publication number
- CN115310060A CN115310060A CN202111613939.1A CN202111613939A CN115310060A CN 115310060 A CN115310060 A CN 115310060A CN 202111613939 A CN202111613939 A CN 202111613939A CN 115310060 A CN115310060 A CN 115310060A
- Authority
- CN
- China
- Prior art keywords
- encryption
- user
- module
- decryption
- strategy
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
- 238000000034 method Methods 0.000 title claims abstract description 29
- 238000012545 processing Methods 0.000 claims abstract description 29
- 238000007726 management method Methods 0.000 claims description 43
- 238000012423 maintenance Methods 0.000 claims description 8
- 238000004364 calculation method Methods 0.000 claims description 3
- 238000004590 computer program Methods 0.000 claims 1
- 238000003491 array Methods 0.000 description 2
- 238000012795 verification Methods 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000008092 positive effect Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Automation & Control Theory (AREA)
- Storage Device Security (AREA)
Abstract
The invention belongs to the technical field of computer security, and discloses an encryption and decryption method and system for a computer, wherein an encryption processing module is used for encrypting a file to be opened or edited by using a preset encryption strategy; the encryption dictionary management module is used for recording the specific encryption requirements of the user on the database in an encryption dictionary; and the decryption processing module is used for decrypting the file to be operated after the user passes the identity authentication of the identity authentication module. The invention can encrypt the storage device in a whole disk or in real time, prevent the data leakage caused by the loss of the storage device, store all the stored data in a ciphertext mode, even if the storage device is lost, the data in the storage device can not be decrypted due to the lack of a corresponding secret key, thereby ensuring the data safety; and different user identities can be subjected to different authority settings through the user authority management module, different encryption strategies can be selected according to different authorities, and the flexibility is high.
Description
Technical Field
The invention belongs to the technical field of computer security, and particularly relates to an encryption and decryption method and system for a computer.
Background
At present, with the continuous development of computer technology, the information security of a computer becomes one of the key points of user attention. In order to avoid the important information being viewed and used by the unauthorized user, usually, the computer manufacturer operates the system before the system is started after the hardware of the computer is started, for example: the Basic Input Output System (BIOS) and the Unified Extensible Firmware Interface (UEFI) are provided with some level of security. A common level is a set of user identification systems. The authorized user can be identified by the identification system using special authentication information, such as a user name, password, etc. And the unauthorized user can not pass the identification of the identity recognition system because the unauthorized user does not know the authentication information. This system is widely used because it is not only easy to develop but also excellent in operability.
When the method is used, the management of the user name, the password and other information of the user becomes the key of the security of the whole system, and many computer manufacturers default that the BIOS or UEFI is relatively secure, so that the verification information is usually stored in the BIOS or UEFI. Some vendors also store verification information in other storage devices, such as: hard disk, USB storage device, flash device, volatile storage device, and the like. To make computers more secure, most computer vendors have worked to make these storage devices more secure. However, once the storage device storing the authentication information is hacked by a hacker, the authentication information is easily obtained by the hacker. And, a hacker may also intercept the authentication information using interception software. Therefore, there is a great safety risk when using this method.
In the prior art, an encryption method is generally adopted to encrypt, store or transmit the document content, so that an illegal user is difficult to crack, and the leakage of confidential content is reduced to the maximum extent. However, the existing encryption method is easy to cause data leakage and the like when storage equipment such as a hard disk is lost.
Through the above analysis, the problems and defects of the prior art are as follows:
the existing encryption mode easily causes data leakage when storage equipment such as a hard disk and the like is lost.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides an encryption and decryption method and system for a computer.
The invention is realized in this way, an encryption and decryption system of a computer includes:
the system comprises an encryption processing module, an encryption dictionary maintenance module, an identity authentication module, a decryption processing module, a user authority management module and a central control module;
the encryption processing module, the encryption dictionary management module, the identity authentication module, the decryption processing module and the user authority management module are respectively connected with the central control module, and the coordination work of each module is controlled through the central control module;
the encryption processing module is used for encrypting a file to be opened or edited by using a preset encryption strategy, and when the file is encrypted, firstly, the authority type of a user is confirmed by using the identity authentication module and the user authority management module, the encryption degree of the file is determined according to the authority type, a corresponding encryption strategy is selected according to the encryption degree, and the file data is encrypted in real time through the selected encryption strategy according to the operation of the user on the stored file data;
the encryption dictionary management module is used for recording the specific encryption requirements of the user on the database in an encryption dictionary;
and the decryption processing module is used for decrypting the file to be operated after the user passes the identity authentication of the identity authentication module.
Further, the specific step of the decryption processing module performing decryption operation includes:
(1) Acquiring identity information collected by an identity authentication module, and retrieving the acquired identity information in a user authority management module;
(2) Confirming the authority of the identity information, and calling a decryption instruction according to the authority of the retrieved identity information;
(3) And carrying out encryption and decryption processing on the file data to be decrypted according to a preset decryption strategy to obtain a corresponding decryption result.
Further, the step (1) specifically includes:
in the user login process, firstly, identity authentication is carried out, an XML document for authentication exists in a policy folder corresponding to a user, and the document records account and password information of the corresponding user.
When a user logs in, finding a corresponding user folder according to a user login ID, finding the document in the folder, and comparing the document with an account password input by the user;
if the matching is successful, the user passes the authentication, otherwise, the authentication fails, and the login fails.
Further, the step (2) specifically includes:
loading the strategy after login is successful, if the strategy is loaded successfully, logging in by the user is successful, and the system starts to work normally;
performing authority calculation, judging whether the current process is under encryption control, and transmitting all encryption strategies in the strategies to a decryption module by the cooperative service;
and finding a corresponding process in the strategy by process identification, comparing according to the identification mode of each process in the current strategy, and controlling the application program according to the strategy.
Furthermore, the central control module is also connected with a cooperative service module and a strategy management module;
the collaborative service module is used for maintaining a strategy file required by system operation and updating a strategy when a user strategy is changed;
the strategy management module is used for carrying out storage management on different encryption and decryption strategies and loading the strategy information of the appointed user according to the control instruction.
Further, the encryption requirements include a master key identification, a database identification, an identification of a record encryption table, an identification of an encryption field, and access right information of a user to the table or the field.
Further, the encryption dictionary maintenance module is further configured to perform key management, and the key management method adopted includes:
and (3) generating a key: an administrator logs in the key management subsystem to generate a data encryption master key pair;
key distribution: distributing the key to a slave database encryption system in a ciphertext mode to synchronize the encryption keys;
and key inquiry: in the key management console, an administrator logs in and enters a key viewing interface, sets query conditions, submits the query conditions and returns a key query result;
and (3) key statistics: and counting the times of using the key and revoking the key according to the specified time period.
By combining all the technical schemes, the invention has the advantages and positive effects that:
according to the invention, the whole disk encryption or real-time encryption can be carried out on the storage equipment by utilizing the encryption processing module, the encryption dictionary maintenance module, the decryption processing module and the central control module, so that data leakage caused by loss of the storage equipment is prevented, all stored data are stored in a ciphertext form, and even if the storage equipment is lost, due to lack of a corresponding secret key, the data in the storage equipment cannot be decrypted, thereby ensuring the data security; and different user identities can be subjected to different authority settings through the user authority management module, different encryption strategies can be selected according to different authorities, and the flexibility is high.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments of the present application will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained from the drawings without creative efforts.
Fig. 1 is a block diagram of an encryption/decryption system of a computer according to an embodiment of the present invention.
Fig. 2 is a flowchart of a method for performing a decryption operation by a decryption processing module according to an embodiment of the present invention.
Fig. 3 is a flowchart of a method for acquiring identity information collected by an identity authentication module and retrieving the acquired identity information in a user right management module according to the embodiment of the present invention.
Fig. 4 is a flowchart of a method for confirming the authority of the identity information and invoking a decryption instruction according to the authority of the retrieved identity information according to an embodiment of the present invention.
Fig. 5 is a flowchart of a key management method according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention.
In view of the problems in the prior art, the present invention provides a computer encryption and decryption method and system, which are described in detail below with reference to the accompanying drawings.
As shown in fig. 1, the encryption and decryption system of the computer provided in the embodiment of the present invention includes an encryption processing module, an encryption dictionary maintenance module, an identity authentication module, a decryption processing module, a user right management module, and a central control module;
the encryption processing module, the encryption dictionary management module, the identity authentication module, the decryption processing module and the user authority management module are respectively connected with the central control module, and the coordination work of all the modules is controlled through the central control module;
the central control module is also connected with a cooperative service module and a strategy management module; the collaborative service module is used for maintaining a strategy file required by system operation and updating a strategy when a user strategy is changed; the strategy management module is used for carrying out storage management on different encryption and decryption strategies and loading the strategy information of the appointed user according to the control instruction.
The encryption processing module is used for encrypting a file to be opened or edited by using a preset encryption strategy, and when the file is encrypted, firstly, the identity authentication module and the user authority management module are used for confirming the authority type of a user, the encryption degree of the file is determined according to the authority type, a corresponding encryption strategy is selected according to the encryption degree, and the file data is encrypted in real time through the selected encryption strategy according to the operation of the user on the stored file data;
the encryption dictionary management module is used for recording the specific encryption requirements of the user on the database in an encryption dictionary; the encryption requirements include a master key identification, a database identification, an identification of a record encryption table, an encryption field identification, and access right information of a user to the table or the field.
And the decryption processing module is used for decrypting the file to be operated after the user passes the identity authentication of the identity authentication module.
As shown in fig. 2, the specific steps of the decryption processing module in the embodiment of the present invention to perform decryption operation include:
s101, acquiring identity information collected by an identity authentication module, and retrieving the acquired identity information in a user authority management module;
s102, confirming the authority of the identity information, and calling a decryption instruction according to the retrieved authority of the identity information;
s103, encrypting and decrypting the file data to be decrypted according to a preset decryption strategy to obtain a corresponding decryption result.
As shown in fig. 3, step S101 in the embodiment of the present invention specifically includes:
s201, in the user login process, firstly, identity authentication is carried out, an XML document for authentication exists in a policy folder corresponding to a user, and the document records account and password information of the corresponding user.
S202, when a user logs in, a corresponding user folder is found according to a user login ID, the document is found in the folder, and the document is compared with an account password input by the user;
s203, if the matching is carried out, the user identity authentication is passed, otherwise, the identity authentication is failed, and the login failure is returned.
As shown in fig. 4, step S102 in this embodiment of the present invention specifically includes:
s301, loading the strategy after login is successful, and if the strategy is loaded successfully, logging in by the user is successful and the system starts to work normally;
s302, performing authority calculation, judging whether the current process is under encryption control, and transmitting all encryption strategies in the strategies to a decryption module by the cooperative service;
s303, finding the corresponding process in the strategy by process identification, comparing according to the identification mode of each process in the current strategy, and controlling the application program according to the strategy.
As shown in fig. 5, the encryption dictionary maintenance module in the embodiment of the present invention is further configured to perform key management, and the key management method adopted in the embodiment of the present invention includes:
s401, key generation: an administrator logs in the key management subsystem to generate a data encryption master key pair;
s402, key distribution: distributing the key to a slave database encryption system in a form of ciphertext to synchronize the encryption keys;
s403, key inquiry: in the key management console, an administrator logs in and enters a key viewing interface, sets query conditions, submits the query conditions and returns a key query result;
s404, key statistics: and counting the times of using the key and revoking the key according to the specified time period.
It should be noted that the embodiments of the present invention can be realized by hardware, software, or a combination of software and hardware. The hardware portion may be implemented using dedicated logic; the software portions may be stored in a memory and executed by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those skilled in the art will appreciate that the apparatus and methods described above may be implemented using computer executable instructions and/or embodied in processor control code, such code being provided on a carrier medium such as a disk, CD-or DVD-ROM, programmable memory such as read only memory (firmware), or a data carrier such as an optical or electronic signal carrier, for example. The apparatus of the present invention and its modules may be implemented by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, or programmable hardware devices such as field programmable gate arrays, programmable logic devices, or software executed by various types of processors, or a combination of hardware circuits and software, e.g., firmware.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention, and the scope of the present invention is not limited thereto, and any modification, equivalent replacement, and improvement made by those skilled in the art within the technical scope of the present invention disclosed herein, which is within the spirit and principle of the present invention, should be covered by the present invention.
Claims (10)
1. An encryption and decryption system of a computer, the encryption and decryption system of the computer comprising:
the system comprises an encryption processing module, an encryption dictionary maintenance module, an identity authentication module, a decryption processing module, a user authority management module and a central control module;
the encryption processing module, the encryption dictionary management module, the identity authentication module, the decryption processing module and the user authority management module are respectively connected with the central control module, and the coordination work of all the modules is controlled through the central control module;
the encryption processing module is used for encrypting a file to be opened or edited by using a preset encryption strategy, and when the file is encrypted, firstly, the identity authentication module and the user authority management module are used for confirming the authority type of a user, the encryption degree of the file is determined according to the authority type, a corresponding encryption strategy is selected according to the encryption degree, and the file data is encrypted in real time through the selected encryption strategy according to the operation of the user on the stored file data;
the encryption dictionary management module is used for recording the specific encryption requirements of the user on the database in an encryption dictionary;
and the decryption processing module is used for decrypting the file to be operated after the user passes the identity authentication of the identity authentication module.
2. The encryption and decryption system of claim 1, wherein the decryption processing module performs the decryption operation by:
(1) Acquiring identity information collected by an identity authentication module, and retrieving the acquired identity information in a user authority management module;
(2) Confirming the authority of the identity information, and calling a decryption instruction according to the retrieved authority of the identity information;
(3) And carrying out encryption and decryption processing on the file data to be decrypted according to a preset decryption strategy to obtain a corresponding decryption result.
3. The encryption and decryption system of the computer according to claim 2, wherein the step (1) specifically comprises:
in the user login process, firstly, identity authentication is carried out, an XML document for authentication exists in a strategy folder corresponding to a user, and the document records account number and password information of the corresponding user;
when a user logs in, finding a corresponding user folder according to a user login ID, finding the document in the folder, and comparing the document with an account password input by the user;
if the matching is successful, the user passes the authentication, otherwise, the authentication fails, and the login fails.
4. The encryption and decryption system of the computer according to claim 2, wherein the step (2) specifically comprises:
loading the strategy after login is successful, if the strategy is loaded successfully, logging in by the user is successful, and the system starts to work normally;
performing authority calculation, judging whether the current process is under encryption control, and transmitting all encryption strategies in the strategies to a decryption module by the cooperative service;
and finding a corresponding process in the strategy by process identification, comparing according to the identification mode of each process in the current strategy, and controlling the application program according to the strategy.
5. The encryption and decryption system of claim 1, wherein the central control module is further connected with a cooperative service module and a policy management module;
the collaborative service module is used for maintaining a strategy file required by system operation and updating a strategy when a user strategy is changed;
the strategy management module is used for carrying out storage management on different encryption and decryption strategies and loading the strategy information of the appointed user according to the control instruction.
6. The encryption and decryption system of claim 1, wherein the encryption requirements include a master key identification, a database identification, an identification of a record encryption table, an identification of an encryption field, and access right information of a user to the table or field.
7. The encryption and decryption system of claim 1, wherein the encryption dictionary maintenance module is further configured to perform key management, and the key management method adopted by the encryption dictionary maintenance module includes:
and (3) key generation: an administrator logs in the key management subsystem to generate a data encryption master key pair;
key distribution: distributing the key to a slave database encryption system in a ciphertext mode to synchronize the encryption keys;
and (3) key inquiry: in a key management console, an administrator logs in and enters a key viewing interface, sets query conditions, submits the query conditions and returns a key query result;
and (3) key statistics: and counting the times of using the key and revoking the key according to the specified time period.
8. A computer program product stored on a computer readable medium, comprising a computer readable program for providing a user input interface for applying the encryption and decryption system of a computer according to any one of claims 1 to 7 when executed on an electronic device.
9. A computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to apply the encryption and decryption system of the computer according to any one of claims 1 to 7.
10. An information data processing terminal characterized by being used to implement the encryption and decryption system of the computer according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111613939.1A CN115310060A (en) | 2021-12-27 | 2021-12-27 | Computer encryption and decryption method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111613939.1A CN115310060A (en) | 2021-12-27 | 2021-12-27 | Computer encryption and decryption method and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115310060A true CN115310060A (en) | 2022-11-08 |
Family
ID=83853571
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111613939.1A Withdrawn CN115310060A (en) | 2021-12-27 | 2021-12-27 | Computer encryption and decryption method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115310060A (en) |
-
2021
- 2021-12-27 CN CN202111613939.1A patent/CN115310060A/en not_active Withdrawn
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7644278B2 (en) | Method for securely creating an endorsement certificate in an insecure environment | |
| US7751568B2 (en) | Method for securely creating an endorsement certificate utilizing signing key pairs | |
| US7540018B2 (en) | Data security for digital data storage | |
| US7587608B2 (en) | Method and apparatus for storing data on the application layer in mobile devices | |
| US8997198B1 (en) | Techniques for securing a centralized metadata distributed filesystem | |
| US8621036B1 (en) | Secure file access using a file access server | |
| CN110889130B (en) | Database-based fine-grained data encryption method, system and device | |
| CN111783075A (en) | Authority management method, device and medium based on secret key and electronic equipment | |
| US20080040613A1 (en) | Apparatus, system, and method for secure password reset | |
| US8953805B2 (en) | Authentication information generating system, authentication information generating method, client apparatus, and authentication information generating program for implementing the method | |
| US11711213B2 (en) | Master key escrow process | |
| US20090083539A1 (en) | Method for Securely Creating an Endorsement Certificate in an Insecure Environment | |
| KR20080071528A (en) | System and method of storage device data encryption and data access | |
| CN116490868A (en) | System and method for secure and fast machine learning reasoning in trusted execution environments | |
| WO2011148224A1 (en) | Method and system of secure computing environment having auditable control of data movement | |
| CN112685786A (en) | Financial data encryption and decryption method, system, equipment and storage medium | |
| US12039317B2 (en) | Systems and methods for secure over-the-air updates for cyber-physical systems | |
| CN114697061B (en) | Access control method, device, network side equipment, terminal and blockchain node | |
| CN113886862A (en) | Trusted computing system and resource processing method based on trusted computing system | |
| CN115730339B (en) | Plug-in code anti-disclosure method and system based on IDE source code protection | |
| CN116842545A (en) | File encryption-based data anti-luxury method and system | |
| CN115310060A (en) | Computer encryption and decryption method and system | |
| CN117272358A (en) | Data storage encryption method, device, electronic equipment and computer program product | |
| US11340801B2 (en) | Data protection method and electronic device implementing data protection method | |
| KR102648908B1 (en) | User authentication system and method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WW01 | Invention patent application withdrawn after publication |
Application publication date: 20221108 |
|
| WW01 | Invention patent application withdrawn after publication |