[go: up one dir, main page]

CN118709166A - A document information security management system based on full-cycle management - Google Patents

A document information security management system based on full-cycle management Download PDF

Info

Publication number
CN118709166A
CN118709166A CN202410881968.3A CN202410881968A CN118709166A CN 118709166 A CN118709166 A CN 118709166A CN 202410881968 A CN202410881968 A CN 202410881968A CN 118709166 A CN118709166 A CN 118709166A
Authority
CN
China
Prior art keywords
document
server
information
identity authentication
document information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410881968.3A
Other languages
Chinese (zh)
Inventor
曾明霏
陈丽娜
蒙亮
曾虎双
全雪霞
廖邓彬
符嘉成
潘俊冰
李思蔚
孟椿智
梁彪
叶耿
黄安妮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangxi Power Grid Co Ltd
Original Assignee
Guangxi Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangxi Power Grid Co Ltd filed Critical Guangxi Power Grid Co Ltd
Priority to CN202410881968.3A priority Critical patent/CN118709166A/en
Publication of CN118709166A publication Critical patent/CN118709166A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10File systems; File servers
    • G06F16/16File or folder operations, e.g. details of user interfaces specifically adapted to file systems
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10File systems; File servers
    • G06F16/17Details of further file system functions
    • G06F16/172Caching, prefetching or hoarding of files
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Mining & Analysis (AREA)
  • Human Computer Interaction (AREA)
  • Storage Device Security (AREA)

Abstract

本发明公开了一种基于全周期管理的文档信息安全管理系统,涉及信息安全管理技术领域,系统包括文档服务器、云服务器、统一密码验证服务器、统一身份认证服务器和若干个终端;所述文档服务器通过系统内网与所述终端进行加密的文档信息交互,并在信息交互前进行身份认证;所述文档服务器通过系统内网与所述云服务器进行加密的文档信息交互,所述终端上创建的文档信息、重新编辑的文档信息和删除前的文档信息,将通过所述文档服务器上传所述云服务器进行存储;所述文档服务器通过VPN与互联网平台进行加密的文档信息交互,并在信息交互前进行身份认证。本发明不仅实现了根据身份认证明确了安全责任和管理权限,还保证了文档信息的安全。

The present invention discloses a document information security management system based on full-cycle management, which relates to the technical field of information security management. The system includes a document server, a cloud server, a unified password verification server, a unified identity authentication server and several terminals; the document server performs encrypted document information interaction with the terminal through the system intranet, and performs identity authentication before information interaction; the document server performs encrypted document information interaction with the cloud server through the system intranet, and the document information created on the terminal, the re-edited document information and the document information before deletion will be uploaded to the cloud server through the document server for storage; the document server performs encrypted document information interaction with the Internet platform through VPN, and performs identity authentication before information interaction. The present invention not only realizes the clarification of security responsibilities and management rights according to identity authentication, but also ensures the security of document information.

Description

一种基于全周期管理的文档信息安全管理系统A document information security management system based on full-cycle management

技术领域Technical Field

本发明涉及信息安全管理技术领域,特别涉及一种基于全周期管理的文档信息安全管理系统。The present invention relates to the technical field of information security management, and in particular to a document information security management system based on full-cycle management.

背景技术Background Art

随着电力行业数字化转型的深入,电力企业的运营、管理、服务等各个环节都越来越依赖于信息系统和数字化文档,企业面临的信息安全挑战也日益加剧。电力企业的信息系统日益庞大和复杂,给黑客攻击、病毒感染和数据泄露等安全问题提供了可乘之机。同时,电力行业的信息安全不仅关乎企业自身利益,更与社会稳定息息相关。As the digital transformation of the power industry deepens, the operation, management, and service of power companies are increasingly dependent on information systems and digital documents, and the information security challenges faced by companies are also increasing. The information systems of power companies are becoming increasingly large and complex, providing opportunities for security issues such as hacker attacks, virus infections, and data leaks. At the same time, the information security of the power industry is not only related to the interests of the companies themselves, but also closely related to social stability.

由于电力企业的信息系统规模庞大,导致文档的创建、存储、访问、共享和销毁等各个环节存在安全隐患,因此出现电力企业的文档管理采用加密传输的方式进行管控,以及采用实时云储存的吧方式保护文档信息。虽然采用加密传输的方式进行文档信息管控能起到文档传输安全的作用,但是由于电力企业的从业人员众多,或多或少有出现一些缺乏专业的信息安全知识和技能,在安全责任和管理权限不明确情况下,容易导致信息安全工作难以落实的问题。Due to the large scale of information systems in power companies, there are security risks in the creation, storage, access, sharing and destruction of documents. Therefore, the document management of power companies adopts encrypted transmission to control and real-time cloud storage to protect document information. Although the use of encrypted transmission to control document information can ensure the security of document transmission, due to the large number of employees in power companies, some of them lack professional information security knowledge and skills. In the case of unclear security responsibilities and management authority, it is easy to make it difficult to implement information security work.

发明内容Summary of the invention

针对现有技术中现在文档信息管理系统中在安全责任和管理权限不明确情况下,容易导致信息安全工作难以落实的问题,本发明提供了一种基于全周期管理的文档信息安全管理系统,能够基于身份认证和加密认证的情况,再进行数据交互,并根据身份认证下明确的安全责任和管理权限,及时发现问题,保证了文档信息的安全。具体技术方案如下:Aiming at the problem that the current document information management system in the prior art is not clear about security responsibilities and management rights, which easily leads to the difficulty in implementing information security work, the present invention provides a document information security management system based on full-cycle management, which can interact with data based on identity authentication and encryption authentication, and timely discover problems based on the security responsibilities and management rights clearly defined under identity authentication, thereby ensuring the security of document information. The specific technical solution is as follows:

一种基于全周期管理的文档信息安全管理系统,包括文档服务器、云服务器、统一密码验证服务器、统一身份认证服务器和若干个终端;A document information security management system based on full-cycle management, including a document server, a cloud server, a unified password verification server, a unified identity authentication server and several terminals;

所述文档服务器通过系统内网与所述终端进行加密的文档信息交互,并在信息交互前进行身份认证;所述文档服务器通过系统内网与所述云服务器进行加密的文档信息交互,所述终端上创建的文档信息、重新编辑的文档信息和删除前的文档信息,将通过所述文档服务器上传所述云服务器进行存储;所述文档服务器通过VPN与互联网平台进行加密的文档信息交互,并在信息交互前进行身份认证;The document server exchanges encrypted document information with the terminal through the system intranet, and performs identity authentication before information exchange; the document server exchanges encrypted document information with the cloud server through the system intranet, and the document information created on the terminal, the re-edited document information, and the document information before deletion will be uploaded to the cloud server for storage through the document server; the document server exchanges encrypted document information with the Internet platform through VPN, and performs identity authentication before information exchange;

所述文档服务器将接收的身份认证信息发送到所述统一身份认证服务器进行验证,所述统一身份认证服务器将身份验证结果通过所述文档服务器反馈至对应的所述终端或所述互联网平台;The document server sends the received identity authentication information to the unified identity authentication server for verification, and the unified identity authentication server feeds back the identity authentication result to the corresponding terminal or the Internet platform through the document server;

所述文档服务器将发送/接收所述加密的文档信息传输到所述统一密码验证服务器进行解密,所述统一密码验证服务器将解密后的文档信息反馈至文档信息接收端。The document server transmits the encrypted document information sent/received to the unified password verification server for decryption, and the unified password verification server feeds back the decrypted document information to the document information receiving end.

优选的,所述身份认证信息包括用户身份认证信息和账号身份认证信息。Preferably, the identity authentication information includes user identity authentication information and account identity authentication information.

优选的,所述文档服务器将接收的身份认证信息发送到所述统一身份认证服务器进行验证,所述统一身份认证服务器将身份验证结果通过所述文档服务器反馈至所述终端包括:Preferably, the document server sends the received identity authentication information to the unified identity authentication server for verification, and the unified identity authentication server feeds back the identity authentication result to the terminal via the document server, including:

用户使用账号密码登录时,所述终端通过所述文档服务器向所述统一身份认证服务器申请公钥;所述统一身份认证服务器生成密钥对后,将公钥通过所述文档服务器返回所述终端;When a user logs in using an account and password, the terminal applies for a public key from the unified identity authentication server through the document server; after the unified identity authentication server generates a key pair, it returns the public key to the terminal through the document server;

所述终端使用公钥对账号密码进行加密,并通过所述文档服务器向所述统一身份认证服务器进行解密,获取密码明文;所述统一身份认证服务器将所述密码明文返回到所述文档服务器进行验证,所述文档服务器返回登录结果到所述终端;The terminal encrypts the account password using the public key, and decrypts the password to the unified identity authentication server through the document server to obtain the password plain text; the unified identity authentication server returns the password plain text to the document server for verification, and the document server returns the login result to the terminal;

用户使用账号密码登录时,所述终端通过所述文档服务器向所述统一身份认证服务器发送AD用户账号认证请求;所述统一身份认证服务器对AD用户账号进行AM验证,并将AD用户账号认证结果发送至所述文档服务器;所述文档服务器返回登录结果到所述终端。When a user logs in using an account and password, the terminal sends an AD user account authentication request to the unified identity authentication server through the document server; the unified identity authentication server performs AM verification on the AD user account and sends the AD user account authentication result to the document server; the document server returns the login result to the terminal.

优选的,所述文档服务器将接收的身份认证信息发送到所述统一身份认证服务器进行验证,所述统一身份认证服务器将身份验证结果通过所述文档服务器反馈至所述互联网平台包括:Preferably, the document server sends the received identity authentication information to the unified identity authentication server for verification, and the unified identity authentication server feeds back the identity authentication result to the Internet platform via the document server, including:

所述互联网平台向所述文档服务器发送账号同步请求;所述文档服务器将账号信息传输至所述统一身份认证服务器;所述统一身份认证服务器计算MAC码,并返回计算的MAC值到所述文档服务器;所述文档服务器发送所述账号信息和所述MAC值到所述统一身份认证服务器进行认证;所述统一身份认证服务器将身份认证结果返回到所述文档服务器,所述文档服务器将身份认证结果反馈至所述互联网平台。The Internet platform sends an account synchronization request to the document server; the document server transmits the account information to the unified identity authentication server; the unified identity authentication server calculates the MAC code and returns the calculated MAC value to the document server; the document server sends the account information and the MAC value to the unified identity authentication server for authentication; the unified identity authentication server returns the authentication result to the document server, and the document server feeds back the authentication result to the Internet platform.

优选的,所述文档服务器将发送/接收所述加密的文档信息传输到所述统一密码验证服务器进行解密,所述统一密码验证服务器将解密后的文档信息反馈至文档信息接收端包括:Preferably, the document server transmits the encrypted document information sent/received to the unified password verification server for decryption, and the unified password verification server feeds back the decrypted document information to the document information receiving end, including:

当所述文档服务器发送所述加密的文档信息到所述终端时,所述加密的文档信息包含已加密的密钥;所述终端通过所述文档服务器将已加密的密钥发送到所述统一密码验证服务器进行解密;所述统一密码验证服务器将解密后的密钥返回到所述文档服务器,所述文档服务器验证密钥后反馈到所述终端,所述终端接收已解密的文档信息;When the document server sends the encrypted document information to the terminal, the encrypted document information includes the encrypted key; the terminal sends the encrypted key to the unified password verification server through the document server for decryption; the unified password verification server returns the decrypted key to the document server, the document server verifies the key and then feeds it back to the terminal, and the terminal receives the decrypted document information;

当所述文档服务器接收来自所述终端的所述加密的文档信息时,所述加密的文档信息包含已加密的密钥;所述文档服务器将已加密的密钥发送到所述统一密码验证服务器进行解密;所述统一密码验证服务器将解密后的密钥返回到所述文档服务器,所述文档服务器接收并存储已解密的文档信息。When the document server receives the encrypted document information from the terminal, the encrypted document information contains an encrypted key; the document server sends the encrypted key to the unified password verification server for decryption; the unified password verification server returns the decrypted key to the document server, and the document server receives and stores the decrypted document information.

优选的,所述文档服务器通过VPN与互联网平台进行加密的文档信息交互包括:Preferably, the document server performs encrypted document information interaction with the Internet platform via VPN, including:

所述文档服务器通过VPN将加密的内部文档信息传输至所述互联网平台;The document server transmits the encrypted internal document information to the Internet platform via VPN;

所述文档服务器通过VPN接收来自所述互联网平台的加密的外部文档信息,并进行存储。The document server receives the encrypted external document information from the Internet platform through the VPN and stores it.

优选的,所述文档服务器将发送/接收所述加密的文档信息传输到所述统一密码验证服务器进行解密,所述统一密码验证服务器将解密后的文档信息反馈至文档信息接收端包括:Preferably, the document server transmits the encrypted document information sent/received to the unified password verification server for decryption, and the unified password verification server feeds back the decrypted document information to the document information receiving end, including:

当所述文档服务器发送所述加密的内部文档信息到所述互联网平台时,所述加密的内部文档信息包含已加密的密钥;所述互联网平台通过所述文档服务器将已加密的密钥发送到所述统一密码验证服务器进行解密;所述统一密码验证服务器将解密后的密钥返回到所述文档服务器,所述文档服务器验证密钥后反馈到所述互联网平台,所述互联网平台接收已解密的内部文档信息;When the document server sends the encrypted internal document information to the Internet platform, the encrypted internal document information contains the encrypted key; the Internet platform sends the encrypted key to the unified password verification server through the document server for decryption; the unified password verification server returns the decrypted key to the document server, the document server verifies the key and then feeds it back to the Internet platform, and the Internet platform receives the decrypted internal document information;

当所述文档服务器接收来自所述互联网平台的加密的外部文档信息时,所述加密的外部文档信息包含已加密的密钥;所述文档服务器将已加密的密钥发送到所述统一密码验证服务器进行解密;所述统一密码验证服务器将解密后的密钥返回到所述文档服务器,所述文档服务器接收并存储已解密的外部文档信息。When the document server receives encrypted external document information from the Internet platform, the encrypted external document information contains an encrypted key; the document server sends the encrypted key to the unified password verification server for decryption; the unified password verification server returns the decrypted key to the document server, and the document server receives and stores the decrypted external document information.

优选的,所述文档服务器通过系统内网与所述云服务器进行加密的文档信息交互,所述终端上创建的文档信息、重新编辑的文档信息和删除前的文档信息,将通过所述文档服务器上传所述云服务器进行存储包括:Preferably, the document server exchanges encrypted document information with the cloud server through the system intranet, and the document information created on the terminal, the re-edited document information, and the document information before deletion are uploaded to the cloud server through the document server for storage, including:

所述文档服务器中配置DMS,并在所述DMS中设置有所述云服务器的云存储;将所述终端上的文档存储位置设置为所述文档服务器上的预设文件夹,当在所述终端上创建、编辑或删除文档信息时,所述终端上创建、编辑或删除文档信息将自动同步到所述文档服务器的预设文件夹,所述DMS自动将所述预设文件夹上传到所述云服务器。A DMS is configured in the document server, and cloud storage of the cloud server is set in the DMS; the document storage location on the terminal is set to a preset folder on the document server, and when document information is created, edited or deleted on the terminal, the creation, editing or deletion of document information on the terminal will be automatically synchronized to the preset folder of the document server, and the DMS automatically uploads the preset folder to the cloud server.

优选的,所述文档服务器包括中央文档服务器和若干个不同级的文档服务器;不同级的文档服务器根据行政区级别进行划分为第一级文档服务器到第N级文档服务器;所述中央服务器分别与所述云服务器和第一级文档服务器连接;所述第一级文档服务器到所述第N级文档服务器依次连接。Preferably, the document server includes a central document server and several document servers of different levels; the document servers of different levels are divided into first-level document servers to N-level document servers according to the administrative district level; the central server is connected to the cloud server and the first-level document server respectively; the first-level document server to the N-level document server are connected in sequence.

与现有技术相比,本发明的有益效果为:Compared with the prior art, the present invention has the following beneficial effects:

本发明一种基于全周期管理的文档信息安全管理系统通过在所述文档服务器与所述终端和互联网平台进行加密的文档信息交互前进行身份认证,然后再进行加密的文档信息传输;所述文档服务器将接收的身份认证信息发送到所述统一身份认证服务器进行验证,所述统一身份认证服务器将身份验证结果通过所述文档服务器反馈至对应的所述终端或所述互联网平台;所述文档服务器将发送/接收所述加密的文档信息传输到所述统一密码验证服务器进行解密,所述统一密码验证服务器将解密后的文档信息反馈至文档信息接收端。本发明配合统一密码验证服务器执行文档信息的加密和校验等流程的安全措施,实现了文档加密传输,还在文档传输交互前进行发送端和接收端的身份认证,配合统一身份认证服务器执行身份认证的安全措施。不仅实现了根据身份认证明确了安全责任和管理权限,还保证了文档信息的安全。The document information security management system based on full-cycle management of the present invention performs identity authentication before the document server interacts with the terminal and the Internet platform to perform encrypted document information, and then transmits the encrypted document information; the document server sends the received identity authentication information to the unified identity authentication server for verification, and the unified identity authentication server feeds back the identity authentication result to the corresponding terminal or the Internet platform through the document server; the document server sends/receives the encrypted document information to the unified password verification server for decryption, and the unified password verification server feeds back the decrypted document information to the document information receiving end. The present invention cooperates with the unified password verification server to execute security measures such as encryption and verification of document information, realizes encrypted document transmission, and also performs identity authentication of the sender and the receiver before document transmission interaction, and cooperates with the unified identity authentication server to execute security measures for identity authentication. Not only does it realize the clarification of security responsibilities and management authority based on identity authentication, but it also ensures the security of document information.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

为了更清楚地说明本发明具体实施方式或现有技术中的技术方案,下面将对具体实施方式或现有技术描述中所需要使用的附图作简单地介绍。在所有附图中,类似的元件或部分一般由类似的附图标记标识。附图中,各元件或部分并不一定按照实际的比例绘制。In order to more clearly illustrate the specific embodiments of the present invention or the technical solutions in the prior art, the following briefly introduces the drawings required for the specific embodiments or the description of the prior art. In all the drawings, similar elements or parts are generally identified by similar reference numerals. In the drawings, the elements or parts are not necessarily drawn according to the actual scale.

图1为本发明的一种基于全周期管理的文档信息安全管理原理图;FIG1 is a schematic diagram of a document information security management principle based on full-cycle management of the present invention;

图2为本发明的一种基于全周期管理的文档信息安全管理系统另一实施例原理图。FIG. 2 is a schematic diagram of another embodiment of a document information security management system based on full-cycle management according to the present invention.

具体实施方式DETAILED DESCRIPTION

下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The following will be combined with the drawings in the embodiments of the present invention to clearly and completely describe the technical solutions in the embodiments of the present invention. Obviously, the described embodiments are part of the embodiments of the present invention, not all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by ordinary technicians in this field without creative work are within the scope of protection of the present invention.

应当理解,当在本说明书和所附权利要求书中使用时,术语“包括”和“包含”指示所描述特征、整体、步骤、操作、元素和/或组件的存在,但并不排除一个或多个其它特征、整体、步骤、操作、元素、组件和/或其集合的存在或添加。It should be understood that when used in this specification and the appended claims, the terms "include" and "comprises" indicate the presence of described features, integers, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or combinations thereof.

还应当理解,在本发明说明书中所使用的术语仅仅是出于描述特定实施例的目的而并不意在限制本发明。如在本发明说明书和所附权利要求书中所使用的那样,除非上下文清楚地指明其它情况,否则单数形式的“一”、“一个”及“该”意在包括复数形式。It should also be understood that the terms used in the present specification are only for the purpose of describing specific embodiments and are not intended to limit the present invention. As used in the present specification and the appended claims, the singular forms "a", "an" and "the" are intended to include plural forms unless the context clearly indicates otherwise.

还应当进一步理解,在本发明说明书和所附权利要求书中使用的术语“和/或”是指相关联列出的项中的一个或多个的任何组合以及所有可能组合,并且包括这些组合。It should be further understood that the term "and/or" used in the present description and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes these combinations.

以下实施例请参阅图1和图2。Please refer to Figures 1 and 2 for the following embodiments.

本申请实施例提供一种基于全周期管理的文档信息安全管理系统,包括文档服务器、云服务器、统一密码验证服务器、统一身份认证服务器和若干个终端;The embodiment of the present application provides a document information security management system based on full-cycle management, including a document server, a cloud server, a unified password verification server, a unified identity authentication server and several terminals;

所述文档服务器通过系统内网与所述终端进行加密的文档信息交互,并在信息交互前进行身份认证;所述文档服务器通过系统内网与所述云服务器进行加密的文档信息交互,所述终端上创建的文档信息、重新编辑的文档信息和删除前的文档信息,将通过所述文档服务器上传所述云服务器进行存储;所述文档服务器通过VPN与互联网平台进行加密的文档信息交互,并在信息交互前进行身份认证;The document server exchanges encrypted document information with the terminal through the system intranet, and performs identity authentication before information exchange; the document server exchanges encrypted document information with the cloud server through the system intranet, and the document information created on the terminal, the re-edited document information, and the document information before deletion will be uploaded to the cloud server for storage through the document server; the document server exchanges encrypted document information with the Internet platform through VPN, and performs identity authentication before information exchange;

所述文档服务器将接收的身份认证信息发送到所述统一身份认证服务器进行验证,所述统一身份认证服务器将身份验证结果通过所述文档服务器反馈至对应的所述终端或所述互联网平台;The document server sends the received identity authentication information to the unified identity authentication server for verification, and the unified identity authentication server feeds back the identity authentication result to the corresponding terminal or the Internet platform through the document server;

所述文档服务器将发送/接收所述加密的文档信息传输到所述统一密码验证服务器进行解密,所述统一密码验证服务器将解密后的文档信息反馈至文档信息接收端。The document server transmits the encrypted document information sent/received to the unified password verification server for decryption, and the unified password verification server feeds back the decrypted document information to the document information receiving end.

在本实施例中,终端是一种具备文档创建、编辑好删除,以及具备文档信息传输和接收的智能设备,例如台式电脑、平台电脑和手机等;当然也可以是一些能够实现文档编辑创建和数据交互的其它智能设备。文档服务器具备强大的存储能力,可以存储大量的文档数据可以对存储的数据进行加密和安全控制,保障数据的安全性和保密性。同时,还为云服务器提供数据存储和处理能力。云服务器支持便捷的数据备份功能,即便遭遇硬件故障,数据依然安全,可以保护数据完整和持续保护等特点。同时,云服务器能够虚拟出多个独立服务器部分,具备卓越的安全稳定性,黑客攻击也较为困难,进一步保证文档信息管理系统的数据安全。In this embodiment, the terminal is an intelligent device that has the functions of document creation, editing, and deletion, as well as document information transmission and reception, such as desktop computers, platform computers, and mobile phones; of course, it can also be some other intelligent devices that can realize document editing and creation and data interaction. The document server has a strong storage capacity and can store a large amount of document data. It can encrypt and securely control the stored data to ensure the security and confidentiality of the data. At the same time, it also provides data storage and processing capabilities for the cloud server. The cloud server supports convenient data backup functions. Even if hardware failures occur, the data is still safe, and it can protect data integrity and continuous protection. At the same time, the cloud server can virtualize multiple independent server parts, has excellent security and stability, and is more difficult to be attacked by hackers, further ensuring the data security of the document information management system.

在本实施例中,文档服务器通过VPN(虚拟专用网络)与互联网平台进行加密的文档信息交互,实现加密传输保障数据安全,VPN在互联网平台的客户端和服务器之间建立一个加密的隧道,使得在访问网络资源时,所传递的数据都经过这个加密隧道传输。这种加密传输的方式可以有效防止数据在传输过程中被截获、窃取或篡改,确保数据的机密性和完整性。In this embodiment, the document server exchanges encrypted document information with the Internet platform through a VPN (virtual private network) to achieve encrypted transmission and ensure data security. The VPN establishes an encrypted tunnel between the client and server of the Internet platform, so that when accessing network resources, the transmitted data is transmitted through this encrypted tunnel. This encrypted transmission method can effectively prevent data from being intercepted, stolen or tampered during transmission, ensuring the confidentiality and integrity of the data.

在本实施例中,所述文档服务器通过系统内网与终端和云服务器进行加密的文档信息交互,可以保障文档传输的安全性。通过系统内网进行加密的文档信息交互,可以确保文档在传输过程中的安全性。文档在传输过程中被加密保护,即使被截获也无法被非法访问和查看。加密技术的使用可以确保文档的机密性,避免数据泄露的风险。文档服务器可以根据企业的实际需求,在企业内部可以建立“分部门分级别”的保密机制,通过设置不同的安全等级和访问权限,防止无关人员查看重要文档。通过系统内网进行加密的文档信息交互,可以加速数据的传输和处理速度,提高数据管理的效率。同时,系统还可以提供智能备份和恢复功能,确保数据的安全性和可用性。In this embodiment, the document server exchanges encrypted document information with the terminal and the cloud server through the system intranet, which can ensure the security of document transmission. The encrypted document information exchange through the system intranet can ensure the security of the document during transmission. The document is encrypted and protected during the transmission process, and even if it is intercepted, it cannot be illegally accessed and viewed. The use of encryption technology can ensure the confidentiality of the document and avoid the risk of data leakage. The document server can establish a "departmental and level-based" confidentiality mechanism within the enterprise according to the actual needs of the enterprise, and prevent irrelevant personnel from viewing important documents by setting different security levels and access rights. Encrypted document information exchange through the system intranet can accelerate the transmission and processing speed of data and improve the efficiency of data management. At the same time, the system can also provide intelligent backup and recovery functions to ensure the security and availability of data.

本发明一种基于全周期管理的文档信息安全管理系统通过在所述文档服务器与所述终端和互联网平台进行加密的文档信息交互前进行身份认证,然后再进行加密的文档信息传输。通过统一密码验证服务器执行文档信息的加密和校验等流程的安全措施,实现了文档加密传输,还在文档传输交互前进行发送端和接收端的身份认证,通过统一身份认证服务器执行身份认证的安全措施。不仅实现了根据身份认证明确了安全责任和管理权限,还保证了文档信息的安全。The document information security management system based on full-cycle management of the present invention performs identity authentication before the document server interacts with the terminal and the Internet platform to perform encrypted document information, and then transmits the encrypted document information. The security measures of the processes such as encryption and verification of document information are executed by a unified password verification server, and encrypted document transmission is realized. The identity authentication of the sender and the receiver is also performed before the document transmission interaction, and the security measures of identity authentication are executed by a unified identity authentication server. Not only the security responsibility and management authority are clarified according to identity authentication, but also the security of document information is guaranteed.

具体的,所述身份认证信息包括用户身份认证信息和账号身份认证信息。Specifically, the identity authentication information includes user identity authentication information and account identity authentication information.

需要说明的是,所述用户身份认证信息包括账号密码认证和AD账号认证;所述AD账号为预设的一个分组账号权限标识。通过AD账号认证的组员账号可以共享同一份通过解密的文档信息。It should be noted that the user identity authentication information includes account password authentication and AD account authentication; the AD account is a preset group account authority identifier. Group member accounts that pass the AD account authentication can share the same decrypted document information.

优选的,本申请的一个优选实施例中,所述文档服务器将接收的身份认证信息发送到所述统一身份认证服务器进行验证,所述统一身份认证服务器将身份验证结果通过所述文档服务器反馈至所述终端包括:Preferably, in a preferred embodiment of the present application, the document server sends the received identity authentication information to the unified identity authentication server for verification, and the unified identity authentication server feeds back the identity authentication result to the terminal through the document server, including:

用户使用账号密码登录时,所述终端通过所述文档服务器向所述统一身份认证服务器申请SM2公钥;所述统一身份认证服务器生成SM2密钥,将SM2公钥通过所述文档服务器返回所述终端;所述终端使用SM2公钥对账号密码进行加密,并通过所述文档服务器向所述统一身份认证服务器进行解密,获取密码明文;所述统一身份认证服务器将所述密码明文返回到所述文档服务器进行验证,所述文档服务器返回登录结果到所述终端;When a user logs in using an account and password, the terminal applies for an SM2 public key from the unified identity authentication server through the document server; the unified identity authentication server generates an SM2 key and returns the SM2 public key to the terminal through the document server; the terminal encrypts the account and password using the SM2 public key, and decrypts the key to the unified identity authentication server through the document server to obtain a plain text password; the unified identity authentication server returns the plain text password to the document server for verification, and the document server returns the login result to the terminal;

在本实施例中,通过SM2公钥加密的方式,确保账号密码在传输过程中不被窃取或篡改。用户只需在终端输入一次账号密码,后续加密、解密和验证过程均由系统自动完成,无需用户参与。通过统一身份认证服务器进行账号密码的验证,可以集中管理用户信息和访问权限,减少因多个密码带来的安全风险。In this embodiment, SM2 public key encryption is used to ensure that the account password is not stolen or tampered with during transmission. The user only needs to enter the account password once at the terminal, and the subsequent encryption, decryption and verification processes are automatically completed by the system without user participation. By verifying the account password through a unified identity authentication server, user information and access rights can be centrally managed, reducing security risks caused by multiple passwords.

用户使用账号密码登录时,所述终端通过所述文档服务器向所述统一身份认证服务器发送AD用户账号认证;所述统一身份认证服务器对所述AD用户账号进行AM验证,并将AD用户账号认证结果发送至所述文档服务器;所述文档服务器返回登录结果到所述终端。When a user logs in using an account and password, the terminal sends an AD user account authentication to the unified identity authentication server through the document server; the unified identity authentication server performs AM verification on the AD user account and sends the AD user account authentication result to the document server; the document server returns the login result to the terminal.

在本实施例中,用户在终端(如电脑、手机等)上输入AD用户账号(通常是用户名)和密码,尝试登录。终端将用户输入的AD用户账号和密码作为认证凭据,通过系统内网发送至文档服务器。文档服务器接收到来自终端的认证请求后,将包含AD用户账号和密码的认证请求转发给统一身份认证服务器。统一身份认证服务器接收到来自文档服务器的认证请求后,使用AD(Active Directory,活动目录)的身份验证机制进行AM(AuthenticationManager,认证管理器)验证。如果AM验证成功,统一身份认证服务器将生成一个认证成功的响应,并通过系统内网发送至文档服务器。如果AM验证失败,统一身份认证服务器将生成一个认证失败的响应,并包含相应的错误信息或提示,同样发送至文档服务器。文档服务器接收到统一身份认证服务器发送的认证结果后,根据结果进行相应的处理。整个流程通过系统内网进行加密的文档信息交互,确保了用户账号和密码的安全性,同时也提供了灵活的访问控制和详细的权限管理。这种基于统一身份认证服务器的认证机制,可以简化用户访问流程,提高安全性,并降低管理成本。In this embodiment, the user enters an AD user account (usually a user name) and password on a terminal (such as a computer, mobile phone, etc.) and attempts to log in. The terminal uses the AD user account and password entered by the user as authentication credentials and sends them to the document server through the system intranet. After receiving the authentication request from the terminal, the document server forwards the authentication request containing the AD user account and password to the unified identity authentication server. After receiving the authentication request from the document server, the unified identity authentication server uses the identity authentication mechanism of AD (Active Directory) to perform AM (Authentication Manager) verification. If the AM verification is successful, the unified identity authentication server will generate a successful authentication response and send it to the document server through the system intranet. If the AM verification fails, the unified identity authentication server will generate an authentication failure response and contain corresponding error information or prompts, which will also be sent to the document server. After receiving the authentication result sent by the unified identity authentication server, the document server performs corresponding processing according to the result. The entire process exchanges encrypted document information through the system intranet, ensuring the security of user accounts and passwords, while also providing flexible access control and detailed permission management. This authentication mechanism based on a unified identity authentication server can simplify the user access process, improve security, and reduce management costs.

优选的,本申请的一种优选实施例中,所述文档服务器将接收的身份认证信息发送到所述统一身份认证服务器进行验证,所述统一身份认证服务器将身份验证结果通过所述文档服务器反馈至所述互联网平台包括:Preferably, in a preferred embodiment of the present application, the document server sends the received identity authentication information to the unified identity authentication server for verification, and the unified identity authentication server feeds back the identity authentication result to the Internet platform through the document server, including:

所述互联网平台向所述文档服务器发送账号同步请求;所述文档服务器将所述账号信息传输至所述统一身份认证服务器;所述统一身份认证服务器计算MAC码,并返回计算的MAC值到所述文档服务器;所述文档服务器发送所述账号信息和所述MAC值到所述统一身份认证服务器进行认证;所述统一身份认证服务器将身份认证结果返回到所述文档服务器,所述文档服务器将身份认证结果反馈至所述互联网平台。The Internet platform sends an account synchronization request to the document server; the document server transmits the account information to the unified identity authentication server; the unified identity authentication server calculates the MAC code and returns the calculated MAC value to the document server; the document server sends the account information and the MAC value to the unified identity authentication server for authentication; the unified identity authentication server returns the authentication result to the document server, and the document server feeds back the authentication result to the Internet platform.

在文档服务器与互联网平台互联并实现帐号同步的场景中,当帐号开始建立连接时,使用密钥进行验证不仅可以确认通信双方的身份,还可以防止恶意第三方的介入。而在密钥的互联传输过程中,调用统一身份认证服务器进行加密可以实现数据机密性保护,加密可以确保密钥在传输过程中不会被未经授权的第三方窃取或截获。主要还实现了认证和身份验证,密钥本身也用于认证和身份验证过程,通过加密传输密钥,可以确保只有拥有正确密钥的服务器才能相互通信,从而防止未经授权的服务器接入网络。In the scenario where the document server is interconnected with the Internet platform and accounts are synchronized, when the account starts to establish a connection, the use of keys for verification can not only confirm the identities of the communicating parties, but also prevent the intervention of malicious third parties. During the interconnection transmission of keys, calling a unified identity authentication server for encryption can achieve data confidentiality protection. Encryption can ensure that the key will not be stolen or intercepted by unauthorized third parties during the transmission process. It also mainly implements authentication and identity verification. The key itself is also used in the authentication and identity verification process. By encrypting the transmission of keys, it can ensure that only servers with the correct keys can communicate with each other, thereby preventing unauthorized servers from accessing the network.

优选的,本申请的一种优选实施例中,所述文档服务器将发送/接收所述加密的文档信息传输到所述统一密码验证服务器进行解密,所述统一密码验证服务器将解密后的文档信息反馈至文档信息接收端包括:Preferably, in a preferred embodiment of the present application, the document server transmits the encrypted document information sent/received to the unified password verification server for decryption, and the unified password verification server feeds back the decrypted document information to the document information receiving end, including:

当所述文档服务器发送所述加密的文档信息到所述终端时,所述加密的文档信息包含已加密的密钥;所述终端通过所述文档服务器将已加密的密钥发送到所述统一密码验证服务器进行解密;所述统一密码验证服务器将解密后的密钥返回到所述文档服务器,所述文档服务器验证密钥后反馈到所述终端,所述终端接收已解密的文档信息;When the document server sends the encrypted document information to the terminal, the encrypted document information includes the encrypted key; the terminal sends the encrypted key to the unified password verification server through the document server for decryption; the unified password verification server returns the decrypted key to the document server, the document server verifies the key and then feeds it back to the terminal, and the terminal receives the decrypted document information;

当所述文档服务器接收来自所述终端的所述加密的文档信息时,所述加密的文档信息包含已加密的密钥;所述文档服务器将已加密的密钥发送到所述统一密码验证服务器进行解密;所述统一密码验证服务器将解密后的密钥返回到所述文档服务器,所述文档服务器接收并存储已解密的文档信息。When the document server receives the encrypted document information from the terminal, the encrypted document information contains an encrypted key; the document server sends the encrypted key to the unified password verification server for decryption; the unified password verification server returns the decrypted key to the document server, and the document server receives and stores the decrypted document information.

在本实施例中,文档服务器将加密的文档信息发送到终端,包括已加密的文档内容和已加密的密钥,确保了文档信息在传输到终端时的安全性,只有拥有正确密钥的终端才能解密并访问文档内容。文档服务器接收来自终端的加密的文档信息,包括已加密的文档内容和已加密的密钥,确保了文档信息在文档服务器上存储时的安全性,只有文档服务器和拥有相应解密能力的统一密码验证服务器才能访问文档的明文内容。这有助于防止未经授权的访问和数据泄露。In this embodiment, the document server sends encrypted document information to the terminal, including the encrypted document content and the encrypted key, ensuring the security of the document information when it is transmitted to the terminal. Only the terminal with the correct key can decrypt and access the document content. The document server receives the encrypted document information from the terminal, including the encrypted document content and the encrypted key, ensuring the security of the document information when it is stored on the document server. Only the document server and the unified password verification server with the corresponding decryption capability can access the plain text content of the document. This helps prevent unauthorized access and data leakage.

优选的,本申请的一种优选实施例中,所述文档服务器通过VPN与互联网平台进行加密的文档信息交互包括:Preferably, in a preferred embodiment of the present application, the document server performs encrypted document information interaction with the Internet platform via VPN, including:

所述文档服务器通过VPN将加密的内部文档信息传输至所述互联网平台;The document server transmits the encrypted internal document information to the Internet platform via VPN;

所述文档服务器通过VPN接收来自所述互联网平台的加密的外部文档信息,并进行存储。The document server receives the encrypted external document information from the Internet platform through the VPN and stores it.

所述文档服务器将发送/接收所述加密的文档信息传输到所述统一密码验证服务器进行解密,所述统一密码验证服务器将解密后的文档信息反馈至文档信息接收端包括:The document server transmits the encrypted document information sent/received to the unified password verification server for decryption, and the unified password verification server feeds back the decrypted document information to the document information receiving end, including:

当所述文档服务器发送所述加密的内部文档信息到所述互联网平台时,所述加密的内部文档信息包含已加密的密钥;所述互联网平台通过所述文档服务器将已加密的密钥发送到所述统一密码验证服务器进行解密;所述统一密码验证服务器将解密后的密钥返回到所述文档服务器,所述文档服务器验证密钥后反馈到所述互联网平台,所述互联网平台接收已解密的内部文档信息;When the document server sends the encrypted internal document information to the Internet platform, the encrypted internal document information contains the encrypted key; the Internet platform sends the encrypted key to the unified password verification server through the document server for decryption; the unified password verification server returns the decrypted key to the document server, the document server verifies the key and then feeds it back to the Internet platform, and the Internet platform receives the decrypted internal document information;

当所述文档服务器接收来自所述互联网平台的加密的外部文档信息时,所述加密的外部文档信息包含已加密的密钥;所述文档服务器将已加密的密钥发送到所述统一密码验证服务器进行解密;所述统一密码验证服务器将解密后的密钥返回到所述文档服务器,所述文档服务器接收并存储已解密的外部文档信息。When the document server receives encrypted external document information from the Internet platform, the encrypted external document information contains an encrypted key; the document server sends the encrypted key to the unified password verification server for decryption; the unified password verification server returns the decrypted key to the document server, and the document server receives and stores the decrypted external document information.

在本实施例中,文档服务器将加密的内部文档信息发送到互联网平台,此加密信息包含文档的加密内容和已加密的密钥,确保了内部文档信息在发送到互联网平台时的安全性,防止了未经授权的访问和数据泄露。只有经过统一密码验证服务器验证的互联网平台才能访问和使用这些内部文档信息;互联网平台将加密的外部文档信息发送到文档服务器,此加密信息包含文档的加密内容和已加密的密钥,确保了外部文档信息从互联网平台传输到文档服务器时的安全性。通过统一密码验证服务器的验证和解密过程,文档服务器能够安全地接收、存储和进一步处理这些外部文档信息,防止了潜在的安全风险和数据泄露。In this embodiment, the document server sends encrypted internal document information to the Internet platform. This encrypted information contains the encrypted content of the document and the encrypted key, ensuring the security of the internal document information when it is sent to the Internet platform, preventing unauthorized access and data leakage. Only the Internet platform verified by the unified password verification server can access and use this internal document information; the Internet platform sends encrypted external document information to the document server. This encrypted information contains the encrypted content of the document and the encrypted key, ensuring the security of the external document information when it is transmitted from the Internet platform to the document server. Through the verification and decryption process of the unified password verification server, the document server can safely receive, store and further process this external document information, preventing potential security risks and data leakage.

优选的,本申请的一种优选实施例中,所述文档服务器通过系统内网与所述云服务器进行加密的文档信息交互,所述终端上创建的文档信息、重新编辑的文档信息和删除前的文档信息,将通过所述文档服务器上传所述云服务器进行存储包括:Preferably, in a preferred embodiment of the present application, the document server interacts with the cloud server via the system intranet to perform encrypted document information, and the document information created on the terminal, the re-edited document information, and the document information before deletion are uploaded to the cloud server via the document server for storage, including:

所述文档服务器中安装配置DMS,并在所述DMS中配置所述云服务器的云存储;将所述终端上的文档存储位置设置为所述文档服务器上的预设文件夹,当在所述终端上创建、编辑或删除文档信息时,所述终端上创建、编辑或删除文档信息将自动同步到所述文档服务器的预设文件夹,所述DMS自动将所述预设文件夹上传到所述云服务器。A DMS is installed and configured in the document server, and the cloud storage of the cloud server is configured in the DMS; the document storage location on the terminal is set to a preset folder on the document server. When document information is created, edited or deleted on the terminal, the document information created, edited or deleted on the terminal will be automatically synchronized to the preset folder of the document server, and the DMS automatically uploads the preset folder to the cloud server.

在本实施例中,DMS(文档管理系统)允许组织将信息存储在受保护的数字文档池中,这消除了依赖纸质文档带来的问题,如文档丢失、查找文件耗时以及存储空间不足等。在文档同步的场景中,这意味着当在终端上创建、编辑或删除文档时,这些更改将自动保存到文档服务器上的预设文件夹中。当在终端上创建、编辑或删除文档信息时,这些更改将自动同步到文档服务器上的预设文件夹,确保了文档在所有设备上的实时性和一致性。自动同步减少了人工干预的需要,提高了工作效率,并降低了由于人为错误导致的数据不一致风险。DMS自动将预设文件夹中的文档上传到云服务器,实现了文档的云端备份和存储。云端存储进一步提高了数据的安全性和可靠性,即使本地设备出现故障或数据丢失,也可以从云端恢复数据。In this embodiment, the DMS (document management system) allows organizations to store information in a protected digital document pool, which eliminates the problems caused by relying on paper documents, such as document loss, time-consuming file search, and insufficient storage space. In the scenario of document synchronization, this means that when a document is created, edited, or deleted on the terminal, these changes will be automatically saved to a preset folder on the document server. When document information is created, edited, or deleted on the terminal, these changes will be automatically synchronized to the preset folder on the document server, ensuring the real-time and consistency of the document on all devices. Automatic synchronization reduces the need for manual intervention, improves work efficiency, and reduces the risk of data inconsistency due to human error. DMS automatically uploads documents in preset folders to the cloud server, realizing cloud backup and storage of documents. Cloud storage further improves the security and reliability of data, and data can be restored from the cloud even if the local device fails or data is lost.

优选的,本申请的一种优选实施例中,所述文档服务器包括中央文档服务器和若干个不同级的文档服务器;不同级的文档服务器根据行政区级别进行划分为第一级文档服务器到第N级文档服务器;所述中央服务器分别与所述云服务器和第一级文档服务器连接;所述第一级文档服务器到所述第N级文档服务器依次连接。Preferably, in a preferred embodiment of the present application, the document server includes a central document server and several document servers of different levels; the document servers of different levels are divided into first-level document servers to N-level document servers according to the administrative district level; the central server is connected to the cloud server and the first-level document server respectively; the first-level document server to the N-level document server are connected in sequence.

在本实施例中,通过将文档服务器根据行政区级别(省级、市级等)分布式建立文档服务器,存在一个中央文档服务器和若干个按照行政区级别进行划分的不同级文档服务器。这种层级架构的设计实现文档的集中管理、高效分发以及基于行政级别的访问控制。中央文档服务器作为整个文档管理系统的核心,中央文档服务器负责存储、管理和维护所有关键和重要的文档信息。中央文档服务器与云服务器直接连接,可以方便地将文档备份到云端,确保数据的安全性和可恢复性。中央文档服务器还直接连接第一级文档服务器,负责将文档分发到下一级服务器,或者从下一级服务器收集汇总数据。同时根据行政区的级别,文档服务器被划分为第一级到第N级。这种划分有助于实现文档的分级管理和访问控制。每一级文档服务器都负责其管辖范围内的文档存储、管理和访问控制。例如,省级文档服务器负责管理省级文档,市级文档服务器负责管理市级文档,以此类推。这种基于行政级别划分的文档服务器层级架构有助于实现文档的集中管理、高效分发和基于权限的访问控制,实现了一个安全、可靠和可扩展的文档信息管理系统。In this embodiment, by distributing document servers according to administrative district levels (provincial, municipal, etc.), there is a central document server and several document servers of different levels divided according to administrative district levels. The design of this hierarchical architecture realizes centralized management, efficient distribution and access control based on administrative levels of documents. As the core of the entire document management system, the central document server is responsible for storing, managing and maintaining all key and important document information. The central document server is directly connected to the cloud server, which can easily back up documents to the cloud to ensure the security and recoverability of data. The central document server is also directly connected to the first-level document server, which is responsible for distributing documents to the next-level server or collecting and summarizing data from the next-level server. At the same time, according to the level of the administrative district, the document server is divided into the first level to the Nth level. This division helps to achieve hierarchical management and access control of documents. Each level of document server is responsible for the storage, management and access control of documents within its jurisdiction. For example, the provincial document server is responsible for managing provincial documents, the municipal document server is responsible for managing municipal documents, and so on. This hierarchical architecture of document servers based on administrative level division helps to achieve centralized management, efficient distribution and permission-based access control of documents, realizing a secure, reliable and scalable document information management system.

本领域普通技术人员可以意识到,结合本文中所公开的实施例描述的各示例的单元,能够以电子硬件、计算机软件或者二者的结合来实现,为了清楚地说明硬件和软件的可互换性,在上述说明中已经按照功能一般性地描述了各示例的组成。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本发明的范围。Those of ordinary skill in the art will appreciate that the units of each example described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. In order to clearly illustrate the interchangeability of hardware and software, the composition of each example has been generally described in terms of function in the above description. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Professional and technical personnel can use different methods to implement the described functions for each specific application, but such implementation should not be considered to be beyond the scope of the present invention.

在本发明所提供的实施例中,应该理解到,单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元可结合为一个单元,一个单元可拆分为多个单元,或一些特征可以忽略等。In the embodiments provided by the present invention, it should be understood that the division of units is only a logical function division, and there may be other division methods in actual implementation, for example, multiple units can be combined into one unit, one unit can be split into multiple units, or some features can be ignored, etc.

另外,在本发明各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。In addition, each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit. The above-mentioned integrated unit may be implemented in the form of hardware or in the form of software functional units.

所述集成的单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可为个人计算机、服务器或者网络设备等)执行本发明各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、只读存储器(ROM,Read-0nlyMemory)、随机存取存储器(RAM,RandomAccessMemory)、移动硬盘、磁碟或者光盘等各种可以存储程序代码的介质。If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for a computer device (which can be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the method described in each embodiment of the present invention. The aforementioned storage medium includes: U disk, read-only memory (ROM, Read-0nlyMemory), random access memory (RAM, RandomAccessMemory), mobile hard disk, magnetic disk or optical disk, etc., which can store program code.

最后应说明的是:以上各实施例仅用以说明本发明的技术方案,而非对其限制;尽管参照前述各实施例对本发明进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分或者全部技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本发明各实施例技术方案的范围,其均应涵盖在本发明的权利要求和说明书的范围当中。Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, rather than to limit it. Although the present invention has been described in detail with reference to the aforementioned embodiments, those skilled in the art should understand that they can still modify the technical solutions described in the aforementioned embodiments, or replace some or all of the technical features therein by equivalents. These modifications or replacements do not make the essence of the corresponding technical solutions deviate from the scope of the technical solutions of the embodiments of the present invention, and they should all be included in the scope of the claims and specification of the present invention.

Claims (9)

1.一种基于全周期管理的文档信息安全管理系统,其特征在于,包括文档服务器、云服务器、统一密码验证服务器、统一身份认证服务器和若干个终端;1. A document information security management system based on full-cycle management, characterized by comprising a document server, a cloud server, a unified password verification server, a unified identity authentication server and a number of terminals; 所述文档服务器通过系统内网与所述终端进行加密的文档信息交互,并在信息交互前进行身份认证;所述文档服务器通过系统内网与所述云服务器进行加密的文档信息交互,所述终端上创建的文档信息、重新编辑的文档信息和删除前的文档信息,将通过所述文档服务器上传所述云服务器进行存储;所述文档服务器通过VPN与互联网平台进行加密的文档信息交互,并在信息交互前进行身份认证;The document server exchanges encrypted document information with the terminal through the system intranet, and performs identity authentication before information exchange; the document server exchanges encrypted document information with the cloud server through the system intranet, and the document information created on the terminal, the re-edited document information, and the document information before deletion will be uploaded to the cloud server for storage through the document server; the document server exchanges encrypted document information with the Internet platform through VPN, and performs identity authentication before information exchange; 所述文档服务器将接收的身份认证信息发送到所述统一身份认证服务器进行验证,所述统一身份认证服务器将身份验证结果通过所述文档服务器反馈至对应的所述终端或所述互联网平台;The document server sends the received identity authentication information to the unified identity authentication server for verification, and the unified identity authentication server feeds back the identity authentication result to the corresponding terminal or the Internet platform through the document server; 所述文档服务器将发送/接收所述加密的文档信息传输到所述统一密码验证服务器进行解密,所述统一密码验证服务器将解密后的文档信息反馈至文档信息接收端。The document server transmits the encrypted document information sent/received to the unified password verification server for decryption, and the unified password verification server feeds back the decrypted document information to the document information receiving end. 2.根据权利要求1所述的一种基于全周期管理的文档信息安全管理系统,其特征在于,所述身份认证信息包括用户身份认证信息和账号身份认证信息。2. A document information security management system based on full-cycle management according to claim 1, characterized in that the identity authentication information includes user identity authentication information and account identity authentication information. 3.根据权利要求2所述的一种基于全周期管理的文档信息安全管理系统,其特征在于,所述文档服务器将接收的身份认证信息发送到所述统一身份认证服务器进行验证,所述统一身份认证服务器将身份验证结果通过所述文档服务器反馈至所述终端包括:3. A document information security management system based on full-cycle management according to claim 2, characterized in that the document server sends the received identity authentication information to the unified identity authentication server for verification, and the unified identity authentication server feeds back the identity authentication result to the terminal through the document server, comprising: 用户使用账号密码登录时,所述终端通过所述文档服务器向所述统一身份认证服务器申请公钥;所述统一身份认证服务器生成密钥对后,将公钥通过所述文档服务器返回所述终端;所述终端使用公钥对账号密码进行加密,并通过所述文档服务器向所述统一身份认证服务器进行解密,获取密码明文;所述统一身份认证服务器将所述密码明文返回到所述文档服务器进行验证,所述文档服务器返回登录结果到所述终端;When a user logs in using an account and password, the terminal applies for a public key from the unified identity authentication server through the document server; after the unified identity authentication server generates a key pair, it returns the public key to the terminal through the document server; the terminal encrypts the account and password using the public key, and decrypts the password to the unified identity authentication server through the document server to obtain the plain text of the password; the unified identity authentication server returns the plain text of the password to the document server for verification, and the document server returns the login result to the terminal; 用户使用账号密码登录时,所述终端通过所述文档服务器向所述统一身份认证服务器发送AD用户账号认证请求;所述统一身份认证服务器对AD用户账号进行AM验证,并将AD用户账号认证结果发送至所述文档服务器;所述文档服务器返回登录结果到所述终端。When a user logs in using an account and password, the terminal sends an AD user account authentication request to the unified identity authentication server through the document server; the unified identity authentication server performs AM verification on the AD user account and sends the AD user account authentication result to the document server; the document server returns the login result to the terminal. 4.根据权利要求2所述的一种基于全周期管理的文档信息安全管理系统,其特征在于,所述文档服务器将接收的身份认证信息发送到所述统一身份认证服务器进行验证,所述统一身份认证服务器将身份验证结果通过所述文档服务器反馈至所述互联网平台包括:4. A document information security management system based on full-cycle management according to claim 2, characterized in that the document server sends the received identity authentication information to the unified identity authentication server for verification, and the unified identity authentication server feeds back the identity authentication result to the Internet platform through the document server, including: 所述互联网平台向所述文档服务器发送账号同步请求;所述文档服务器将账号信息传输至所述统一身份认证服务器;所述统一身份认证服务器计算MAC码,并返回计算的MAC值到所述文档服务器;所述文档服务器发送所述账号信息和所述MAC值到所述统一身份认证服务器进行验证;所述统一身份认证服务器将身份认证结果返回到所述文档服务器,所述文档服务器将身份认证结果反馈至所述互联网平台。The Internet platform sends an account synchronization request to the document server; the document server transmits the account information to the unified identity authentication server; the unified identity authentication server calculates the MAC code and returns the calculated MAC value to the document server; the document server sends the account information and the MAC value to the unified identity authentication server for verification; the unified identity authentication server returns the authentication result to the document server, and the document server feeds back the authentication result to the Internet platform. 5.根据权利要求1所述的一种基于全周期管理的文档信息安全管理系统,其特征在于,所述文档服务器将发送/接收所述加密的文档信息传输到所述统一密码验证服务器进行解密,所述统一密码验证服务器将解密后的文档信息反馈至文档信息接收端包括:5. According to claim 1, a document information security management system based on full-cycle management is characterized in that the document server transmits the encrypted document information sent/received to the unified password verification server for decryption, and the unified password verification server feeds back the decrypted document information to the document information receiving end, including: 当所述文档服务器发送所述加密的文档信息到所述终端时,所述加密的文档信息包含已加密的密钥;所述终端通过所述文档服务器将已加密的密钥发送到所述统一密码验证服务器进行解密;所述统一密码验证服务器将解密后的密钥返回到所述文档服务器,所述文档服务器验证密钥后反馈到所述终端,所述终端接收已解密的文档信息;When the document server sends the encrypted document information to the terminal, the encrypted document information includes the encrypted key; the terminal sends the encrypted key to the unified password verification server through the document server for decryption; the unified password verification server returns the decrypted key to the document server, the document server verifies the key and then feeds it back to the terminal, and the terminal receives the decrypted document information; 当所述文档服务器接收来自所述终端的所述加密的文档信息时,所述加密的文档信息包含已加密的密钥;所述文档服务器将已加密的密钥发送到所述统一密码验证服务器进行解密;所述统一密码验证服务器将解密后的密钥返回到所述文档服务器,所述文档服务器接收并存储已解密的文档信息。When the document server receives the encrypted document information from the terminal, the encrypted document information contains an encrypted key; the document server sends the encrypted key to the unified password verification server for decryption; the unified password verification server returns the decrypted key to the document server, and the document server receives and stores the decrypted document information. 6.根据权利要求1所述的一种基于全周期管理的文档信息安全管理系统,其特征在于,所述文档服务器通过VPN与互联网平台进行加密的文档信息交互包括:6. A document information security management system based on full-cycle management according to claim 1, characterized in that the document information interaction between the document server and the Internet platform through VPN includes: 所述文档服务器通过VPN将加密的内部文档信息传输至所述互联网平台;The document server transmits the encrypted internal document information to the Internet platform via VPN; 所述文档服务器通过VPN接收来自所述互联网平台的加密的外部文档信息,并进行存储。The document server receives the encrypted external document information from the Internet platform through the VPN and stores it. 7.根据权利要求6所述的一种基于全周期管理的文档信息安全管理系统,其特征在于,所述文档服务器将发送/接收所述加密的文档信息传输到所述统一密码验证服务器进行解密,所述统一密码验证服务器将解密后的文档信息反馈至文档信息接收端包括:7. A document information security management system based on full-cycle management according to claim 6, characterized in that the document server transmits the encrypted document information sent/received to the unified password verification server for decryption, and the unified password verification server feeds back the decrypted document information to the document information receiving end, comprising: 当所述文档服务器发送所述加密的内部文档信息到所述互联网平台时,所述加密的内部文档信息包含已加密的密钥;所述互联网平台通过所述文档服务器将已加密的密钥发送到所述统一密码验证服务器进行解密;所述统一密码验证服务器将解密后的密钥返回到所述文档服务器,所述文档服务器验证密钥后反馈到所述互联网平台,所述互联网平台接收已解密的内部文档信息;When the document server sends the encrypted internal document information to the Internet platform, the encrypted internal document information contains the encrypted key; the Internet platform sends the encrypted key to the unified password verification server through the document server for decryption; the unified password verification server returns the decrypted key to the document server, the document server verifies the key and then feeds it back to the Internet platform, and the Internet platform receives the decrypted internal document information; 当所述文档服务器接收来自所述互联网平台的加密的外部文档信息时,所述加密的外部文档信息包含已加密的密钥;所述文档服务器将已加密的密钥发送到所述统一密码验证服务器进行解密;所述统一密码验证服务器将解密后的密钥返回到所述文档服务器,所述文档服务器接收并存储已解密的外部文档信息。When the document server receives encrypted external document information from the Internet platform, the encrypted external document information contains an encrypted key; the document server sends the encrypted key to the unified password verification server for decryption; the unified password verification server returns the decrypted key to the document server, and the document server receives and stores the decrypted external document information. 8.根据权利要求1所述的一种基于全周期管理的文档信息安全管理系统,其特征在于,所述文档服务器通过系统内网与所述云服务器进行加密的文档信息交互,所述终端上创建的文档信息、重新编辑的文档信息和删除前的文档信息,将通过所述文档服务器上传所述云服务器进行存储包括:8. A document information security management system based on full-cycle management according to claim 1, characterized in that the document server exchanges encrypted document information with the cloud server through the system intranet, and the document information created on the terminal, the re-edited document information and the document information before deletion are uploaded to the cloud server through the document server for storage, including: 所述文档服务器中配置DMS,并在所述DMS中设置有所述云服务器的云存储;将所述终端上的文档存储位置设置为所述文档服务器上的预设文件夹,当在所述终端上创建、编辑或删除文档信息时,所述终端上创建、编辑或删除文档信息将自动同步到所述文档服务器的预设文件夹,所述DMS自动将所述预设文件夹上传到所述云服务器。A DMS is configured in the document server, and cloud storage of the cloud server is set in the DMS; the document storage location on the terminal is set to a preset folder on the document server, and when document information is created, edited or deleted on the terminal, the creation, editing or deletion of document information on the terminal will be automatically synchronized to the preset folder of the document server, and the DMS automatically uploads the preset folder to the cloud server. 9.根据权利要求1-8任一项所述的一种基于全周期管理的文档信息安全管理系统,其特征在于,所述文档服务器包括中央文档服务器和若干个不同级的文档服务器;不同级的文档服务器根据行政区级别进行划分为第一级文档服务器到第N级文档服务器;所述中央服务器分别与所述云服务器和第一级文档服务器连接;所述第一级文档服务器到所述第N级文档服务器依次连接。9. A document information security management system based on full-cycle management according to any one of claims 1-8, characterized in that the document server includes a central document server and several document servers of different levels; the document servers of different levels are divided into first-level document servers to N-th-level document servers according to the administrative district level; the central server is connected to the cloud server and the first-level document server respectively; the first-level document server to the N-th-level document server are connected in sequence.
CN202410881968.3A 2024-07-03 2024-07-03 A document information security management system based on full-cycle management Pending CN118709166A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410881968.3A CN118709166A (en) 2024-07-03 2024-07-03 A document information security management system based on full-cycle management

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410881968.3A CN118709166A (en) 2024-07-03 2024-07-03 A document information security management system based on full-cycle management

Publications (1)

Publication Number Publication Date
CN118709166A true CN118709166A (en) 2024-09-27

Family

ID=92811134

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410881968.3A Pending CN118709166A (en) 2024-07-03 2024-07-03 A document information security management system based on full-cycle management

Country Status (1)

Country Link
CN (1) CN118709166A (en)

Similar Documents

Publication Publication Date Title
US11647007B2 (en) Systems and methods for smartkey information management
CN101605137B (en) Safe distribution file system
US8549326B2 (en) Method and system for extending encrypting file system
CN109327481B (en) A blockchain-based unified online authentication method and system for the entire network
US8196186B2 (en) Security architecture for peer-to-peer storage system
US20210119781A1 (en) Systems and methods for re-using cold storage keys
CN104917741B (en) A kind of plain text document public network secure transmission system based on USBKEY
CN114244508B (en) Data encryption method, device, equipment and storage medium
CN104023085A (en) Security cloud storage system based on increment synchronization
CN111090622A (en) Cloud storage information processing system and method based on dynamic encryption RBAC model
US12425198B2 (en) Method and apparatus for sharing encrypted data, device and readable medium
JP2003233589A (en) Method for safely sharing personal devices among different users
CN202663444U (en) Cloud safety data migration model
CN110932850B (en) Communication encryption method and system
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN113647051B (en) System and method for secure electronic data transmission
CN113992702A (en) Storage state encryption reinforcing method and system for ceph distributed file system
JP2024501326A (en) Access control methods, devices, network equipment, terminals and blockchain nodes
CN120017386A (en) A cloud computing data secure transmission system and method
KR101858207B1 (en) System for security network
CN118740420A (en) A security protection system and method for an Internet of Things server
CN114329395A (en) Supply chain financial privacy protection method and system based on block chain
WO2024088145A1 (en) Data processing method and apparatus, and program product, computer device and storage medium
CN111698203A (en) Cloud data encryption method
CN114173303B (en) Vehicle-ground session key generation method and system for CTCS-3 level train control system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination