CN110059488A - Security level identification management method and device - Google Patents

Info

Publication number
CN110059488A
Authority
CN
China
Prior art keywords
secret
file
identification
attribute information
confidential
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201810052366.1A
Other languages
Chinese (zh)
Inventor
刘道斌
冯绍鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Putian Information Technology Co Ltd
Original Assignee
Putian Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Putian Information Technology Co Ltd
Priority to CN201810052366.1A
Publication of CN110059488A

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation; Time management
    • G06Q10/103 Workflow collaboration or project management
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Strategic Management (AREA)
  • Human Resources & Organizations (AREA)
  • Entrepreneurship & Innovation (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Economics (AREA)
  • Marketing (AREA)
  • Operations Research (AREA)
  • Quality & Reliability (AREA)
  • Tourism & Hospitality (AREA)
  • General Business, Economics & Management (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a method and a device for managing security-level identifiers. The method includes: a security-level identifier management center receives a classified-file approval request from a classified computer, the request carrying the classified file and the file's pending-approval information, and provides the pending-approval information to a console; on receiving an approval-passed indication from the console, the management center requests the console to generate a unique file identifier for the classified file; the management center encrypts the classified file using the encryption algorithm that corresponds to the file's security level in its security attribute information, performs a hash operation on the encrypted file, combines the hash value with the file identifier to form the file's identifier index, and adds the identifier index in front of the file header to obtain the final classified file. The invention allows a classified file to be effectively protected by its security-level identifier throughout its life cycle.

Description

Security level identification management method and device

Technical field

The present invention relates to the technical field of file encryption, and in particular to a method and a device for managing security-level identifiers.

Background

In recent years, with the rapid development of Internet and multimedia technology, office automation and e-government systems have been widely adopted in state organs, enterprises and public institutions. However, because electronic files are easy to copy, their security faces a great challenge. The "Technical Requirements for Hierarchical Protection of Computer Information Systems Involving State Secrets" stresses that information in a classified information system should carry a corresponding security-level identifier, that the identifier should be inseparable from the information it marks, and that the identifier itself must not be open to tampering. A security-level identifier is data that states the confidentiality level of a classified file; the identifier and its classified file are bound together by a specific technique and together form a security-level file.

A security-level identifier is a digital entity bound to a classified file and closely associated with the file entity. It protectively encrypts the classified file, records the file's attribute and status information, defines access-permission policies such as who may operate on the file and which operations are allowed, and records the user identity and the operation performed at each stage of file handling. This keeps the file in a secure and controllable state through creation, editing, storage, change, forwarding and viewing, allows every detail of the file's use to be traced and audited, and makes the classified file secure and controllable over its entire life cycle.

Summary of the invention

The invention provides a method and a device for managing security-level identifiers, so that a classified file is effectively protected by its security-level identifier throughout its life cycle.

The technical solution of the invention is implemented as follows:

A security-level identifier management method, the method comprising:

The security-level identifier management center receives a classified-file approval request from a classified computer. The request carries the classified file and the file's pending-approval information, which comprises the file's content attribute information and security attribute information. The management center provides the pending-approval information to the console so that approvers designated by the console as holding approval authority can review it;

On receiving an approval-passed indication from the console, the management center sends a security-level identifier generation request to the console, so that the console generates a unique file identifier for the classified file and stores the file identifier, together with the content attribute information and security attribute information, in the classified-file identification attribute database;

On receiving the file identifier from the console, the management center encrypts the classified file using the encryption algorithm that corresponds to the file's security level in its security attribute information, performs a hash operation on the encrypted file, combines the hash value with the file identifier to form the file's identifier index, and adds the identifier index in front of the file header to obtain the final classified file.

After the identifier index is added in front of the file header and before the final classified file is obtained, the method further comprises:

Digitally signing the classified file using a preset digital signature algorithm and key.

The adding of the identifier index in front of the file header further comprises:

The management center sends the file's identifier index to the classified computer, which stores the correspondence between the classified file's file name and its identifier index, so that when the classified computer receives a user's access or use request carrying the file name of a classified file, it looks up the corresponding identifier index by file name and obtains the file identifier from the index;

The management center receives a classified-file access or use request from the classified computer, the request carrying a file identifier and a user identifier. It looks up its own user information database by user identifier to obtain the user's security level, and looks up the classified-file identification attribute database by file identifier to find the file's security attribute information;

Based on the user's security level and the file's security attribute information, the management center determines whether the user may access or use the classified file; if so, it decrypts and opens the file according to the file's security attribute information.

After the final classified file is obtained, the method further comprises:

The management center receives a security attribute change request from the classified computer, the request carrying the classified file's file identifier, the name of the security attribute to be updated, and the new value. It provides the file identifier, the attribute name and the new value to the console for review by approvers designated by the console as holding approval authority;

On receiving an approval-passed indication from the console, the management center returns an approval-passed indication to the classified computer. After approval, the console uses the file identifier and the name of the security attribute to be updated to find the corresponding security attribute information in the classified-file identification attribute database, and updates it with the new value.

The method further comprises: the management center records the classified file's circulation attribute information and log attribute information in the record for that file's file identifier in the classified-file identification attribute database.

A security-level identifier management device, the device comprising:

An approval processing module, configured to receive a classified-file approval request from a classified computer, the request carrying the classified file and the file's pending-approval information, which comprises the file's content attribute information and security attribute information; and to provide the pending-approval information to the console so that approvers designated by the console as holding approval authority can review it;

An identifier generation module, configured to send a security-level identifier generation request to the console after receiving the approval-passed indication from the console, so that the console generates a unique file identifier for the classified file and stores the file identifier, together with the content attribute information and security attribute information, in the classified-file identification attribute database; and, on receiving the file identifier from the console, to encrypt the classified file using the encryption algorithm that corresponds to the file's security level in its security attribute information, perform a hash operation on the encrypted file, combine the hash value with the file identifier to form the file's identifier index, and add the identifier index in front of the file header to obtain the final classified file.

After adding the identifier index in front of the file header and before obtaining the final classified file, the identifier generation module is further configured to:

Digitally sign the classified file using a preset digital signature algorithm and key.

When adding the identifier index in front of the file header, the identifier generation module is further configured to:

Send the classified file's identifier index to the classified computer, so that the classified computer stores the correspondence between the file's file name and its identifier index;

In addition, the device further comprises an access and use processing module, configured to receive a classified-file access or use request from the classified computer, the request carrying a file identifier and a user identifier; to look up its own user information database by user identifier to obtain the user's security level, and look up the classified-file identification attribute database by file identifier to find the file's security attribute information; and, based on the user's security level and the file's security attribute information, to determine whether the user may access or use the classified file and, if so, decrypt and open the file according to its security attribute information. When the classified computer receives a user's access or use request carrying the file name of a classified file, it looks up the corresponding identifier index by file name and obtains the file identifier from the index.

The approval processing module is further configured to:

Receive a security attribute change request from the classified computer, the request carrying the classified file's file identifier, the name of the security attribute to be updated, and the new value; provide the file identifier, the attribute name and the new value to the console for review by approvers designated by the console as holding approval authority; and, on receiving an approval-passed indication from the console, return an approval-passed indication to the classified computer. After approval, the console uses the file identifier and the name of the security attribute to be updated to find the corresponding security attribute information in the classified-file identification attribute database, and updates it with the new value.

The device further comprises a circulation and log attribute recording module, configured to record the classified file's circulation attribute information and log attribute information in the record for that file's file identifier in the classified-file identification attribute database.

The invention allows a classified file to be effectively protected by its security-level identifier throughout its life cycle.

Description of the drawings

FIG. 1 is a flowchart of the security-level identifier management method provided by an embodiment of the present invention;

FIG. 2 is a flowchart of the method for generating and adding the security-level identifier of a classified file, provided by an embodiment of the present application;

FIG. 3 is a flowchart of the method for accessing or using a classified file, provided by an embodiment of the present invention;

FIG. 4 is a flowchart of the method for updating the security attribute information in the identification attributes of a classified file, provided by an embodiment of the present invention;

FIG. 5 is a schematic structural diagram of the security-level identifier management device provided by an embodiment of the present invention.

Detailed description

The present invention is described in further detail below with reference to the drawings and specific embodiments.

FIG. 1 is a flowchart of the security-level identifier management method provided by an embodiment of the present invention. The specific steps are as follows:

Step 101: The security-level identifier management center receives a classified-file approval request from a classified computer. The request carries the classified file and the file's pending-approval information, which comprises the file's content attribute information and security attribute information.

Step 102: The management center provides the pending-approval information to the console so that approvers designated by the console as holding approval authority can review it.

Step 103: On receiving an approval-passed indication from the console, the management center sends a security-level identifier generation request to the console, so that the console generates a unique file identifier for the classified file and stores the file identifier, together with the content attribute information and security attribute information, in the classified-file identification attribute database.

Step 104: On receiving the file identifier from the console, the management center encrypts the classified file using the encryption algorithm that corresponds to the file's security level in its security attribute information, performs a hash operation on the encrypted file, combines the hash value with the file identifier to form the file's identifier index, and adds the identifier index in front of the file header to obtain the final classified file.

FIG. 2 is a flowchart of the method for generating and adding the security-level identifier of a classified file, provided by an embodiment of the present application. The specific steps are as follows:

Step 201: A user creates a classified file on a classified computer on which a terminal agent is installed.

The terminal agent is a software module dedicated to handling classified-file matters.

The classified computer stores in advance the identity information of the security-level users who are allowed to perform classified-file operations. A security-level user must be authenticated before logging in to the classified computer and can log in only after authentication succeeds.

At this point the classified file is just an ordinary unencrypted file.

Step 202: Once the classified file has been created, the terminal agent sends a classified-file approval request to the security-level identifier management center. The request carries the classified file, the file's pending-approval information and the user identifier (user ID).

The pending-approval information of a classified file comprises its content attribute information and security attribute information.

Content attribute information includes an indication that the file is ciphertext, the file creator, the file creation time, the file validity period, and similar information.

Security attribute information includes the file's security level, the security level of the users or terminals that access the file, and the access and use permissions of users and/or terminals for the file (for example read, write, print and download, and the number of times each may be performed).

The security-level user assigns a security level to the classified file according to the file content and the user's own security level.

The security-level user must encrypt the classified file and the pending-approval information using the default encryption algorithm, signature algorithm and key for that user's security level, and only then send them in the classified-file approval request, so that the file content and the pending-approval information are protected.

Step 203: The management center receives the classified-file approval request from the terminal agent, looks up the user's security level in the user information database by the user ID in the request, decrypts the classified file and pending-approval information in the request using the decryption algorithm that corresponds to that security level, and performs an integrity check on the decrypted file. After the check passes, it verifies the legitimacy of the file creator.

Step 204: After the classified file passes the integrity check and the file creator's legitimacy is verified, the management center starts the classified-file approval procedure and provides the pending-approval information to the console, where the approvers designated by the console as holding approval authority review it in turn.

Step 205: After approval, the console returns the approval-passed indication and the approved information (content attribute information and security attribute information) to the management center. The management center then sends a security-level identifier generation request to the console; the request includes the file's approval-passed indication and the approved information.

Step 206: On receiving the generation request, the console generates a unique file identifier (File ID) for the classified file and returns the File ID together with the file's security attribute information to the management center. At the same time, the console stores the file's content attribute information and security attribute information in the classified-file identification attribute database, indexed by File ID.

Step 207: On receiving the File ID and the file's security attribute information from the console, the management center encrypts the classified file using the encryption algorithm that corresponds to the file's security level, performs a hash operation on the encrypted file, combines the hash value with the File ID to form the file's identifier index, and adds the identifier index in front of the file header. It then digitally signs the classified file using the preset digital signature algorithm and key to obtain the final classified file, stores the digital signature algorithm and key in the record for that File ID in the classified-file identification attribute database, and sends the file's identifier index to the terminal agent, which stores the correspondence between the file's file name and its identifier index. At the same time, the management center records the circulation attribute information and log attribute information of the whole process in the record for that File ID in the classified-file identification attribute database.

The security-level identifier is split into two parts: the identifier index and the identification attributes. The identifier index travels with the classified file as it circulates in the classified system, whereas the complete identification attributes (content, security, circulation and log attributes) are kept in the database. To read the identification attributes that correspond one-to-one to a classified file, one must therefore first obtain the identifier index and then use the File ID in it to look up the corresponding identification attributes in the classified-file identification attribute database.
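The layout built in step 207 and the index-then-database lookup described above, as an added Python example that is not part of the patent text. The patent names no algorithms or byte layout, so SHA-256, HMAC-SHA256 as a stand-in for the digital signature, the `SLID` marker and the length-prefixed File ID field are all assumptions; the ciphertext is taken as already produced by the level-specific cipher.

```python
import hashlib
import hmac
import struct

MAGIC = b"SLID"   # constructed marker for this example, not from the patent
HASH_LEN = 32     # SHA-256 digest length (assumed hash algorithm)
TAG_LEN = 32      # HMAC-SHA256 tag length (stand-in for the digital signature)


def build_labeled_file(file_id, ciphertext, sign_key):
    """Step 207: index = File ID + hash(ciphertext), placed first, then signed."""
    fid = file_id.encode("utf-8")
    digest = hashlib.sha256(ciphertext).digest()
    index = MAGIC + struct.pack(">H", len(fid)) + fid + digest
    body = index + ciphertext
    tag = hmac.new(sign_key, body, hashlib.sha256).digest()
    return body + tag


def parse_labeled_file(blob, sign_key):
    """Return (file_id, ciphertext); raise ValueError if any check fails."""
    n = len(MAGIC)
    if len(blob) < n + 2 + HASH_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a labeled file")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    # The keyed tag covers index and ciphertext together, which is what makes
    # the identifier inseparable from the file it marks.
    expected = hmac.new(sign_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature mismatch")
    (fid_len,) = struct.unpack(">H", body[n:n + 2])
    end_fid = n + 2 + fid_len
    end_index = end_fid + HASH_LEN
    if end_index > len(body):
        raise ValueError("truncated index")
    file_id = body[n + 2:end_fid].decode("utf-8")
    digest = body[end_fid:end_index]
    ciphertext = body[end_index:]
    if not hmac.compare_digest(digest, hashlib.sha256(ciphertext).digest()):
        raise ValueError("index hash does not match ciphertext")
    return file_id, ciphertext


def lookup_attributes(blob, sign_key, attribute_db):
    """Read the File ID from a verified index, then fetch its database record."""
    file_id, _ = parse_labeled_file(blob, sign_key)
    return attribute_db[file_id]


def demo():
    key = b"constructed-demo-key"                      # constructed sample key
    db = {"F-0001": {"level": 2, "reads_left": 3}}     # constructed record
    good = build_labeled_file("F-0001", b"\x8f\x11\x42 opaque ciphertext", key)
    tampered = bytearray(good)
    tampered[-TAG_LEN - 1] ^= 0x01                     # flip one ciphertext bit
    results = [lookup_attributes(good, key, db)]
    try:
        parse_labeled_file(bytes(tampered), key)
    except ValueError as exc:
        results.append(str(exc))
    return results
```

Only the File ID and the hash travel with the file; the attributes themselves never leave the database, so a copied file carries no policy that could be edited offline.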

Figure 3 is a flowchart of the method for accessing or using a classified file provided by an embodiment of the present invention. The specific steps are as follows:

Step 301: The user logs in to the classified computer and enters identity information for authentication. Once authentication passes, the user is successfully logged in to the classified computer.

Step 302: The terminal agent on the classified computer receives an access or use request entered by the user that carries the file name of a classified file. Using that file name, the terminal agent looks up the corresponding identifier index in its stored mapping between classified-file names and identifier indexes, and verifies the integrity of the identifier index. If the identifier index is intact, the terminal agent obtains the File ID from it and sends the File ID and user ID to the security-level identification management center in a classified-file access or use request.

Step 303: The security-level identification management center receives the classified-file access or use request from the terminal agent and parses out the File ID and user ID. It looks up its own user information database by user ID to obtain the user's security level, and looks up the classified-file identifier attribute database by File ID to find the identifier attributes of the classified file.

Step 304: The management center determines, from the user's security level and the security attribute information in the identifier attributes of the classified file, whether the user may access or use the classified file. If so, it uses the content attribute information in the identifier attributes to determine whether the classified file is ciphertext. If it is ciphertext, the management center decrypts and opens the classified file according to the security attribute information in the identifier attributes, so that the user can access or use it.

Step 305: The management center updates the access or use count in the security attribute information of the classified file in the classified-file identifier attribute database, that is, it decrements the access or use count by 1.
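The access path of steps 302 to 305, as an added Python example (not code from the patent): the terminal agent verifies the identifier index before extracting the File ID, and the management center compares levels and decrements the use count. The byte layout (`SLID` marker, 16-byte File ID, SHA-256 digest), the integer levels, the denial at a zero use count and all names are assumptions; encryption and decryption are left out and the ciphertext is constructed bytes.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed layout; the patent only says "hash result + File ID, placed before the header".
MAGIC = b"SLID"                    # assumed marker
FILE_ID_LEN, DIGEST_LEN = 16, 32   # assumed: 16-byte File ID, SHA-256 digest
INDEX_LEN = len(MAGIC) + FILE_ID_LEN + DIGEST_LEN


def attach_index(file_id: bytes, ciphertext: bytes) -> bytes:
    """Prepend the identifier index (File ID + hash of the encrypted file)."""
    if len(file_id) != FILE_ID_LEN:
        raise ValueError("File ID must be 16 bytes in this layout")
    return MAGIC + file_id + hashlib.sha256(ciphertext).digest() + ciphertext


def read_file_id(blob: bytes) -> bytes:
    """Terminal agent, step 302: verify the index, then return the File ID."""
    if len(blob) < INDEX_LEN or not blob.startswith(MAGIC):
        raise ValueError("identifier index missing or truncated")
    file_id = blob[len(MAGIC):len(MAGIC) + FILE_ID_LEN]
    stored = blob[len(MAGIC) + FILE_ID_LEN:INDEX_LEN]
    # Assumption: integrity means the stored hash still matches the encrypted body.
    actual = hashlib.sha256(blob[INDEX_LEN:]).digest()
    if not hmac.compare_digest(stored, actual):
        raise ValueError("identifier index does not match file body")
    return file_id


@dataclass
class SecurityAttrs:
    level: int            # security level of the file; higher is more sensitive
    remaining_uses: int   # access/use count kept in the security attributes


class ManagementCenter:
    """Steps 303-305: look up user and file, decide, update the count, log."""

    def __init__(self, user_levels, file_attrs):
        self.user_levels = user_levels   # user ID -> security level
        self.file_attrs = file_attrs     # File ID -> SecurityAttrs
        self.log = []                    # stands in for the log attributes

    def authorize(self, file_id: bytes, user_id: str):
        user_level = self.user_levels.get(user_id)
        attrs = self.file_attrs.get(file_id)
        if user_level is None or attrs is None:
            decision = (False, "unknown user or file")
        elif user_level < attrs.level:
            decision = (False, "user level below file level")
        elif attrs.remaining_uses <= 0:
            decision = (False, "no uses remaining")
        else:
            attrs.remaining_uses -= 1    # step 305: count minus 1
            decision = (True, "granted")
        self.log.append((user_id, file_id.hex(), decision[1]))
        return decision


def demo():
    """Run the flow on constructed data and return the four outcomes."""
    fid = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed File ID
    body = b"\x8f\x02constructed ciphertext bytes"            # constructed ciphertext
    blob = attach_index(fid, body)
    center = ManagementCenter({"alice": 3, "bob": 1}, {fid: SecurityAttrs(2, 1)})
    results = [
        center.authorize(read_file_id(blob), "bob"),     # level too low
        center.authorize(read_file_id(blob), "alice"),   # allowed, uses 1 -> 0
        center.authorize(read_file_id(blob), "alice"),   # count exhausted
    ]
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])         # flip one bit in the body
    try:
        read_file_id(tampered)
        results.append((True, "accepted"))
    except ValueError as exc:
        results.append((False, str(exc)))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

An unkeyed hash only detects changes made by someone who cannot also rewrite the index; the optional digital signature the patent describes for the final file is what ties the index to a key.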

The identifier attribute information in a security-level identifier can change dynamically, especially the circulation attribute information and the log attribute information, which record the full circulation history of the classified file and the logs generated by users' operations on it. This information changes continually over the life of the classified file and is updated directly by the security-level identification management center. If the security attribute information in a classified file's identifier attributes needs to change, the change must first be approved by an approver, and the update can be made only after approval is granted.

Figure 4 is a flowchart of the method for updating the security attribute information in the identifier attributes of a classified file provided by an embodiment of the present invention. The specific steps are as follows:

Step 401: When a user needs to change any security attribute information in the identifier attributes of a classified file, the terminal agent sends a security attribute information change request to the security-level identification management center. The request carries the File ID of the classified file, the name of the security attribute to be updated, and the update value.

Step 402: The management center receives the security attribute information change request and provides the File ID, the name of the security attribute to be updated, and the update value to the console, where an approver with approval authority designated by the console performs the approval.

Step 403: After approval is granted, the console returns an approval-passed indication and the approved information to the management center, and the management center sends the approval-passed indication and the approved information to the terminal agent. At the same time, the console uses the File ID to find the corresponding record in the classified-file identifier attribute database and updates the corresponding security attribute information according to the security attribute name and update value.

The beneficial technical effects of the present invention are as follows:

The present invention can effectively manage the generation, addition and updating of security-level identifiers as well as the access to and use of classified files. It keeps the security-level identifier intact and correctly records log information on the generation, use, circulation, updating and deletion of classified files, so that classified files are effectively protected by their security-level identifiers throughout their life cycle.

Figure 5 is a schematic structural diagram of the security-level identifier management device provided by an embodiment of the present invention. The device is located on the security-level identification management center and mainly comprises an approval processing module 51 and an identifier generation module 52, where:

The approval processing module 51 is configured to receive a classified-file approval request sent by a classified computer, the request carrying the classified file and the to-be-approved information of the classified file, where the to-be-approved information comprises the content attribute information and security attribute information of the classified file; to provide the to-be-approved information to the console, so that an approver with approval authority designated by the console performs the approval; and to send the approval-passed indication and the approved information received from the console to the identifier generation module 52.

The identifier generation module 52 is configured, after receiving the approval-passed indication from the console, to send a security-level identifier generation request to the console, so that the console generates a unique file identifier for the classified file and stores the file identifier, content attribute information and security attribute information of the classified file in the classified-file identifier attribute database; and, on receiving the file identifier from the console, to encrypt the classified file with the encryption algorithm corresponding to the security level of the classified file given in its security attribute information, perform a hash operation on the encrypted classified file, combine the hash result value and the file identifier of the classified file to form the identifier index of the classified file, and add the identifier index in front of the classified-file header to obtain the final classified file.

After adding the identifier index in front of the classified-file header and before obtaining the final classified file, the identifier generation module 52 may further be configured to digitally sign the classified file using a preset digital signature algorithm and key.

When adding the identifier index in front of the classified-file header, the identifier generation module 52 may further be configured to send the identifier index of the classified file to the classified computer, so that the classified computer stores the mapping between the file name and the identifier index of the classified file;

and the device may further comprise an access and use processing module, configured to receive a classified-file access or use request sent by the classified computer, the request carrying a file identifier and a user identifier; to look up its own user information database by the user identifier to obtain the user's security level, and look up the classified-file identifier attribute database by the file identifier to find the security attribute information of the classified file; and to determine, from the user's security level and the security attribute information of the classified file, whether the user may access or use the classified file and, if so, to decrypt and open the classified file according to its security attribute information. Here, on receiving an access or use request entered by a user that carries the file name of a classified file, the classified computer looks up the corresponding identifier index by that file name and obtains the file identifier from the identifier index.

The approval processing module 51 may further be configured to receive a security attribute information change request sent by the classified computer, the request carrying the file identifier of the classified file, the name of the security attribute to be updated, and the update value; to provide the file identifier, the name of the security attribute to be updated, and the update value to the console, where an approver with approval authority designated by the console performs the approval; and to receive the approval-passed indication from the console and return it to the classified computer. After approval is granted, the console uses the file identifier and the name of the security attribute to be updated to find the corresponding security attribute information in the classified-file identifier attribute database and updates it with the update value.

The device may further comprise a circulation and log attribute recording module, configured to record the circulation attribute information and log attribute information of the classified file in the record corresponding to the file identifier of the classified file in the classified-file identifier attribute database.

The above are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (10)

1. A security-level identifier management method, characterized in that the method comprises:

the security-level identification management center receives a classified-file approval request sent by a classified computer, the request carrying the classified file and the to-be-approved information of the classified file, where the to-be-approved information comprises the content attribute information and security attribute information of the classified file; and provides the to-be-approved information to the console, so that an approver with approval authority designated by the console performs the approval;

the security-level identification management center receives an approval-passed indication from the console and sends a security-level identifier generation request to the console, so that the console generates a unique file identifier for the classified file, and the console stores the file identifier, content attribute information and security attribute information of the classified file in the classified-file identifier attribute database;

the security-level identification management center receives the file identifier from the console, encrypts the classified file with the encryption algorithm corresponding to the security level of the classified file given in its security attribute information, performs a hash operation on the encrypted classified file, combines the hash result value and the file identifier of the classified file to form the identifier index of the classified file, and adds the identifier index in front of the classified-file header to obtain the final classified file.

2. The method according to claim 1, characterized in that, after adding the identifier index in front of the classified-file header and before obtaining the final classified file, the method further comprises:

digitally signing the classified file using a preset digital signature algorithm and key.

3. The method according to claim 1, characterized in that adding the identifier index in front of the classified-file header further comprises:

the security-level identification management center sends the identifier index of the classified file to the classified computer, so that the classified computer stores the mapping between the file name and the identifier index of the classified file and, on receiving an access or use request entered by a user that carries the file name of a classified file, looks up the corresponding identifier index by that file name and obtains the file identifier from the identifier index;

the security-level identification management center receives a classified-file access or use request sent by the classified computer, the request carrying the file identifier and a user identifier, looks up its own user information database by the user identifier to obtain the user's security level, and looks up the classified-file identifier attribute database by the file identifier to find the security attribute information of the classified file;

the security-level identification management center determines, from the user's security level and the security attribute information of the classified file, whether the user may access or use the classified file and, if so, decrypts and opens the classified file according to its security attribute information.

4. The method according to claim 1, characterized in that, after obtaining the final classified file, the method further comprises:

the security-level identification management center receives a security attribute information change request sent by the classified computer, the request carrying the file identifier of the classified file, the name of the security attribute to be updated, and the update value, and provides the file identifier, the name of the security attribute to be updated, and the update value to the console, where an approver with approval authority designated by the console performs the approval;

the security-level identification management center receives the approval-passed indication from the console and returns it to the classified computer, where, after approval is granted, the console uses the file identifier and the name of the security attribute to be updated to find the corresponding security attribute information in the classified-file identifier attribute database and updates it with the update value.

5. The method according to claim 1, characterized in that the method further comprises: the security-level identification management center records the circulation attribute information and log attribute information of the classified file in the record corresponding to the file identifier of the classified file in the classified-file identifier attribute database.

6. A security-level identifier management device, characterized in that the device comprises:

an approval processing module, configured to receive a classified-file approval request sent by a classified computer, the request carrying the classified file and the to-be-approved information of the classified file, where the to-be-approved information comprises the content attribute information and security attribute information of the classified file; and to provide the to-be-approved information to the console, so that an approver with approval authority designated by the console performs the approval;

an identifier generation module, configured, after receiving the approval-passed indication from the console, to send a security-level identifier generation request to the console, so that the console generates a unique file identifier for the classified file and stores the file identifier, content attribute information and security attribute information of the classified file in the classified-file identifier attribute database; and, on receiving the file identifier from the console, to encrypt the classified file with the encryption algorithm corresponding to the security level of the classified file given in its security attribute information, perform a hash operation on the encrypted classified file, combine the hash result value and the file identifier of the classified file to form the identifier index of the classified file, and add the identifier index in front of the classified-file header to obtain the final classified file.

7. The device according to claim 6, characterized in that, after adding the identifier index in front of the classified-file header and before obtaining the final classified file, the identifier generation module is further configured to:

digitally sign the classified file using a preset digital signature algorithm and key.

8. The device according to claim 6, characterized in that, when adding the identifier index in front of the classified-file header, the identifier generation module is further configured to:

send the identifier index of the classified file to the classified computer, so that the classified computer stores the mapping between the file name and the identifier index of the classified file;

and the device further comprises an access and use processing module, configured to receive a classified-file access or use request sent by the classified computer, the request carrying a file identifier and a user identifier; to look up its own user information database by the user identifier to obtain the user's security level, and look up the classified-file identifier attribute database by the file identifier to find the security attribute information of the classified file; and to determine, from the user's security level and the security attribute information of the classified file, whether the user may access or use the classified file and, if so, to decrypt and open the classified file according to its security attribute information, where, on receiving an access or use request entered by a user that carries the file name of a classified file, the classified computer looks up the corresponding identifier index by that file name and obtains the file identifier from the identifier index.

9. The device according to claim 6, characterized in that the approval processing module is further configured to:

receive a security attribute information change request sent by the classified computer, the request carrying the file identifier of the classified file, the name of the security attribute to be updated, and the update value; provide the file identifier, the name of the security attribute to be updated, and the update value to the console, where an approver with approval authority designated by the console performs the approval; and receive the approval-passed indication from the console and return it to the classified computer, where, after approval is granted, the console uses the file identifier and the name of the security attribute to be updated to find the corresponding security attribute information in the classified-file identifier attribute database and updates it with the update value.

10. The device according to claim 6, characterized in that the device further comprises a circulation and log attribute recording module, configured to record the circulation attribute information and log attribute information of the classified file in the record corresponding to the file identifier of the classified file in the classified-file identifier attribute database.

CN201810052366.1A 2018-01-19 2018-01-19 Security level identification management method and device Withdrawn CN110059488A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810052366.1A CN110059488A (en) 2018-01-19 2018-01-19 Security level identification management method and device

Publications (1)

Publication Number Publication Date
CN110059488A true CN110059488A (en) 2019-07-26

Family

ID=67315283

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810052366.1A Withdrawn CN110059488A (en) 2018-01-19 2018-01-19 Security level identification management method and device

Country Status (1)

Country Link
CN (1) CN110059488A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102006302A (en) * 2010-12-03 2011-04-06 中国软件与技术服务股份有限公司 Method for identifying security classification of electronic file
CN102930225A (en) * 2012-10-25 2013-02-13 中国航天科工集团第二研究院七〇六所 Electronic document access control method based on confidential identifier
CN102999732A (en) * 2012-11-23 2013-03-27 富春通信股份有限公司 Multi-stage domain protection method and system based on information security level identifiers
CN106790174A (en) * 2016-12-29 2017-05-31 成都三零盛安信息系统有限公司 Security level identification method and device
CN108664797A * 2017-03-30 2018-10-16 北京北信源软件股份有限公司 Method and device for security-level marking and verification of PDF documents

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102006302A (en) * 2010-12-03 2011-04-06 中国软件与技术服务股份有限公司 Method for identifying security classification of electronic file
CN102930225A (en) * 2012-10-25 2013-02-13 中国航天科工集团第二研究院七〇六所 Electronic document access control method based on confidential identifier
CN102999732A (en) * 2012-11-23 2013-03-27 富春通信股份有限公司 Multi-stage domain protection method and system based on information security level identifiers
CN106790174A (en) * 2016-12-29 2017-05-31 成都三零盛安信息系统有限公司 Security level identification method and device
CN108664797A (en) * 2017-03-30 2018-10-16 北京北信源软件股份有限公司 It is a kind of for pdf documents into rower it is close and verification method and device

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112632625A (en) * 2020-12-31 2021-04-09 深圳昂楷科技有限公司 Database security gateway system, data processing method and electronic equipment
CN114968925A (en) * 2022-05-30 2022-08-30 中国建设银行股份有限公司 File processing method, device, equipment, medium and product
CN115600238A (en) * 2022-09-09 2023-01-13 平安银行股份有限公司(Cn) Log desensitization method and device, electronic equipment and storage medium
CN116502251A (en) * 2023-06-21 2023-07-28 东方空间技术(山东)有限公司 Data encryption storage method, device, equipment and storage medium
CN116502251B (en) * 2023-06-21 2024-04-16 东方空间技术(山东)有限公司 Data encryption storage method, device, equipment and storage medium
CN118551412A (en) * 2024-06-13 2024-08-27 应急管理部大数据中心 A method for real-time dynamic processing of structured data security identification
CN119691806A (en) * 2024-12-16 2025-03-25 北京中鼎昊硕科技有限责任公司 A method and system for managing confidentiality level identification

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20190726