WO2025102725A1 - Method and apparatus for accessing a file, method and apparatus for determining a file access permission, and related devices - Google Patents
Method and apparatus for accessing a file, method and apparatus for determining a file access permission, and related devices
- Publication number: WO2025102725A1 (application PCT/CN2024/099581)
- Authority: WO (WIPO, PCT)
- Prior art keywords: file, policy information, target file, permission, access
- Legal status: Pending
Classifications (CPC; all under G—PHYSICS, G06—COMPUTING OR CALCULATING; COUNTING, G06F—ELECTRIC DIGITAL DATA PROCESSING)
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
- G06F21/604—Tools and structures for managing or administering access control systems
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices (indexing scheme relating to G06F21/00 and subgroups)
Definitions
- the present application relates to the field of data security technology, and in particular to a file access method, a file access permission determination method, a device, and related equipment.
- the attack detection method is usually adopted to timely discover and deal with attacks to improve the security of data.
- there are many types of attacks and it is difficult to discover various attacks through detection methods, and the effect of defending against attacks cannot meet the needs of data security.
- the present application provides a file access method and a file access permission determination method, aiming to achieve data protection of files at the file granularity when users access files.
- the present application also provides corresponding devices, computing devices, computer-readable storage media and computer program products.
- the present application provides a file access method.
- the method is applied to a first device.
- the first device obtains a file access request for a target file triggered by a request object.
- the file access request includes access operation information, and the access operation information is used to describe the access operation that the request object needs to perform on the target file.
- the request object is a user who requests to access the target file.
- the request object is a system user of an operating system program of the first device, or an application user of an application program.
- the first device obtains permission policy information of the request object.
- the permission policy information is determined based on the file tag policy information of the target file and the file access request, and is used to indicate the permission of the request object to operate the target file.
- the file tag policy information corresponds to the file tag of the target file, and is used to describe the control policy for the access operation on the target file.
- the file tag includes one or more security dimension tags.
- the file tag is set by the manager of the target file or generated based on the file attributes of the target file.
- the first device performs access control on the request object to access the target file according to the permission policy information. Based on the file tag, data protection with file granularity can be realized, and the security of file access can be improved.
- File-centric data security protection can reduce security issues such as file tampering and leakage to a certain extent, and improve the protection of file integrity and confidentiality.
- the first device generates the permission policy information of the request object according to the file tag policy information of the target file and the file access request of the request object.
- the second device generates permission policy information of the request object.
- the first device sends a permission request for the target file to the second device.
- the permission request includes the file label policy information of the target file, the access operation information and the public key of the request object.
- the file label policy information of the target file is encrypted by the public key of the target file.
- the first device obtains the permission information fed back by the second device.
- the permission information includes a first ciphertext.
- the first ciphertext includes a ciphertext obtained by encrypting the permission policy information of the request object using the public key of the request object.
- the permission policy information of the request object is obtained by the second device using the private key of the target file, the file label policy information of the target file and the access operation information.
- the target file is encrypted using a file encryption key.
- the file encryption key is encapsulated in the file tag policy information of the target file.
- the permission information obtained by the first device also includes a second ciphertext obtained by encrypting the file encryption key using the public key of the requesting object.
- the first device uses the file encryption key to decrypt the target file.
- the file encryption key is obtained by the first device decrypting the second ciphertext using the private key of the requesting object. Encrypting each file in this way improves the security level of the file. Using a key unique to each file also effectively reduces the threat that leakage of a single key poses to multiple files when a unified key is used for encryption.
- the first device further obtains the file tag of the target file, and generates the file tag policy information of the target file based on the file tag and the tag policy template. In this way, the file tag policy information can be automatically generated according to the file tag of the target file and using the tag policy template.
- the tag policy template is obtained from the second device.
- the user who sets the file label policy information can also customize and update the file label policy information.
- the first device obtains the customized label policy information for the target file; and uses the customized label policy information to update the file label policy information of the target file. In this way, the customized adjustment of the file label policy information can be achieved, the flexibility of configuring the file label policy information is improved, and it is convenient to configure the file label policy information that meets the file protection requirements for the file.
- the first device is a host.
- the method is applied to an application layer of the first device, or to a system layer of the first device, or to an application layer and a system layer of the first device.
- the first device is a storage device.
- the request object triggers a file access request through a third device connected to the first device.
- the first device obtains a file access request for a target file sent by the third device and triggered by the request object.
- the file access request is encapsulated by the third device using a security protocol.
- the first device unpacks the file access request using the security protocol. In this way, the security protocol can be used to protect the security of the file access request, thereby improving the security of the file.
- the first device generates feedback file information according to the permission policy information of the request object and the access operation information of the request object, and sends the feedback file information encapsulated by the security protocol to the third device.
- the security protocol is used to improve the security of information transmitted between the first device and the third device.
- the method is applied to a system layer of a first device, and the application is a preset security application.
- the present application provides a method for determining file access rights.
- the method is applied to a second device.
- the second device obtains a permission request for a target file sent by the first device.
- the permission request includes file label policy information of the target file, access operation information, and the public key of the request object.
- the file label policy information is encrypted by the public key of the target file and is used to describe the control policy for the access operation on the target file.
- the file label policy information corresponds to the file label of the target file.
- the file label is set by the manager of the target file or generated based on the file attributes of the target file.
- the file label includes one or more labels of security dimensions.
- the request object is the system user of the operating system program of the first device, or the application user of the application program.
- the second device decrypts the file label policy information using the private key of the target file, and determines the permission policy information of the request object based on the file label policy information and the access operation information of the target file.
- the permission policy information is used to describe the permission policy of the request object for the access operation of the target file.
- the second device encrypts the permission policy information of the request object using the public key of the request object to obtain the first ciphertext, and sends the permission information including the first ciphertext to the first device.
- the second device uses the private key of the target file to decrypt the file label policy information of the target file and determine the permission policy information, which can avoid the first device having the private key of the target file, reduce the security issues caused by the leakage of the private key of the target file possessed by the first device, improve the security of the file label policy information, and thus improve the security of the target file.
- the file label policy information and permission policy information exchanged between the first device and the second device are both encrypted information, which improves the security of the information in the interaction process between the first device and the second device and reduces the risk of information leakage during the interaction process between the first device and the second device.
- the target file is encrypted using a file encryption key.
- the file encryption key is encapsulated in the file tag policy information of the target file.
- the second device also uses the public key of the request object to encrypt the file encryption key to obtain a second ciphertext.
- the permission information sent by the second device to the first device also includes the second ciphertext.
- the second device sends the encrypted file encryption key to the first device, so that the first device can decrypt the target file based on the file encryption key and control the access of the request object.
- Using a key unique to the target file can also effectively avoid security threats to multiple files caused by key leakage caused by encryption using a unified key, thereby improving the data security of the target file.
- the second device further provides the first device with a label policy template.
- the second device sends the label policy template to the first device.
- the second device is a server or a management device.
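As an added example (not code from the patent or any product it describes), the following Python models the permission-request exchange between the first device and the second device described in the first and second aspects above, together with the generation of file tag policy information from a file tag and a tag policy template: the host encrypts the policy (with the file encryption key encapsulated in it) under the target file's public key, the second device decrypts it with the private key that only it holds, decides the requested operation against the policy, and returns the first and second ciphertexts under the requester's public key. The public-key scheme is a textbook-RSA stand-in on constructed primes, the template, users, file and the rule that several security dimensions combine by intersection are assumptions, and the file key is released only when the operation is granted (also an assumption; the page does not say when it is released).

```python
import hashlib
import json
import secrets

# Stand-in public-key scheme: textbook RSA over fixed 32-bit primes (constructed),
# hybrid with a SHA-256 keystream. Demonstration only, not a production cipher.
E = 65537

def keygen(p, q):
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)   # (public, private)

def keystream_xor(key, data):
    """XOR data with SHA-256(key || block index); safe only with a single-use key."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def pk_encrypt(pub, plaintext):
    """Wrap a fresh session secret under pub and encrypt plaintext under a key derived from it."""
    e, n = pub
    secret = secrets.randbelow(n - 2) + 2
    key = hashlib.sha256(secret.to_bytes(8, "big")).digest()
    return {"wrapped": pow(secret, e, n), "body": keystream_xor(key, plaintext).hex()}

def pk_decrypt(priv, ct):
    d, n = priv
    key = hashlib.sha256(pow(ct["wrapped"], d, n).to_bytes(8, "big")).digest()
    return keystream_xor(key, bytes.fromhex(ct["body"]))

# Constructed tag policy template: security dimension -> tag value -> operation -> users.
TEMPLATE = {
    "confidentiality": {"secret": {"read": ["alice", "bob"], "write": ["bob"]}},
    "department": {"finance": {"read": ["alice", "bob"], "write": ["alice"]}},
}

def generate_file_tag_policy(file_tag, template, fek):
    """Build file tag policy information from the tag and template, and encapsulate the
    file encryption key in it. Dimensions are combined by intersection (an assumption)."""
    allowed = None
    for dimension, value in file_tag.items():
        rule = template[dimension][value]
        allowed = rule if allowed is None else {
            op: sorted(set(allowed.get(op, [])) & set(users)) for op, users in rule.items()}
    return {"allowed": allowed, "fek": fek.hex()}

class TagPolicyService:
    """Second device: the only holder of the target file's private key."""
    def __init__(self, file_priv):
        self.file_priv = file_priv

    def determine_permission(self, request):
        policy = json.loads(pk_decrypt(self.file_priv, request["policy_ct"]))
        op = request["access_op"]
        granted = op["user"] in policy["allowed"].get(op["operation"], [])
        perm = {"user": op["user"], "operation": op["operation"], "granted": granted}
        info = {"first_ct": pk_encrypt(request["requester_pub"], json.dumps(perm).encode())}
        if granted:  # assumption: the file key is released only for a granted operation
            info["second_ct"] = pk_encrypt(request["requester_pub"], bytes.fromhex(policy["fek"]))
        return info

class FirstDevice:
    """Host-side tag policy client: holds the file's public key, never its private key."""
    def __init__(self, service, file_pub, requester_keys):
        self.service, self.file_pub, self.requester_keys = service, file_pub, requester_keys
        self.files = {}

    def store(self, name, plaintext, file_tag):
        fek = secrets.token_bytes(32)  # one key per file, as the page recommends
        policy = generate_file_tag_policy(file_tag, TEMPLATE, fek)
        self.files[name] = {"ciphertext": keystream_xor(fek, plaintext),
                            "policy_ct": pk_encrypt(self.file_pub, json.dumps(policy).encode())}

    def access(self, user, operation, name):
        """Return the decrypted file when the second device grants the operation, else None."""
        pub, priv = self.requester_keys[user]
        entry = self.files[name]
        info = self.service.determine_permission({"policy_ct": entry["policy_ct"],
            "access_op": {"user": user, "operation": operation}, "requester_pub": pub})
        perm = json.loads(pk_decrypt(priv, info["first_ct"]))
        if not perm["granted"] or "second_ct" not in info:
            return None  # access denied: no file key was released
        fek = pk_decrypt(priv, info["second_ct"])
        return keystream_xor(fek, entry["ciphertext"])

def run_demo():
    """Store one tagged file and run the exchange for four (user, operation) pairs."""
    file_pub, file_priv = keygen(4294967291, 4294967279)        # target file key pair
    users = {"alice": keygen(4294967231, 4294967197),            # requester key pairs
             "bob": keygen(4294967189, 4294967161)}
    device = FirstDevice(TagPolicyService(file_priv), file_pub, users)
    device.store("q3.xlsx", b"constructed sample: Q3 revenue figures",
                 {"confidentiality": "secret", "department": "finance"})
    pairs = [("alice", "read"), ("bob", "read"), ("alice", "write"), ("bob", "write")]
    return {(u, op): device.access(u, op, "q3.xlsx") for u, op in pairs}
```

Because the two dimensions intersect, nobody may write the file even though each dimension alone permits one writer; the first device never sees the file's private key or a plaintext policy, only what the second device returns under the requester's key.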
- the present application provides a file access device, which is applied to a first device and includes: an acquisition module for acquiring a file access request for a target file triggered by a requesting object, the file access request including access operation information, and the access operation information being used to describe an access operation that the requesting object needs to perform on the target file; the requesting object is a system user of an operating system program of the first device, or an application user of an application program; a processing module for obtaining permission policy information of the requesting object, the permission policy information being determined based on the file tag policy information of the target file and the file access request; the file tag policy information corresponds to a file tag of the target file and is used to describe a control policy for access operations on the target file, and the permission policy information is used to indicate the permission of the requesting object to operate on the target file; the file tag includes one or more security dimension tags and is set by the administrator of the target file or generated based on the file attributes of the target file; and a control module for performing access control on the requesting object's access to the target file according to the permission policy information.
- the processing module is specifically configured to generate permission policy information of the request object according to the file tag policy information of the target file and the file access request of the request object.
- the processing module is specifically used to send a permission request for a target file to a second device, where the permission request includes file label policy information of the target file, access operation information, and a public key of a requesting object, where the file label policy information of the target file is encrypted by the public key of the target file; obtaining permission information fed back by the second device, where the permission information includes a first ciphertext, where the first ciphertext includes a ciphertext obtained by encrypting the permission policy information of the requesting object using the public key of the requesting object, where the permission policy information of the requesting object is processed by the second device using a private key of the target file, the file label policy information of the target file, and the access operation information; decrypting the first ciphertext using the private key of the requesting object to obtain the permission policy information of the requesting object.
- the target file is encrypted using a file encryption key, which is encapsulated in the file tag policy information of the target file.
- the permission information also includes a second ciphertext obtained by encrypting the file encryption key using the public key of the requesting object.
- the processing module is also used to decrypt the target file using the file encryption key if it is determined, based on the permission policy information, that the requesting object has access rights.
- the file encryption key is obtained by decrypting the second ciphertext using the private key of the requesting object.
- the acquisition module is further used to acquire the file tag of the target file; the generation module is used to generate the file tag policy information of the target file based on the file tag and the tag policy template.
- the tag policy template is obtained from the second device.
- the acquisition module is further used to acquire custom label policy information for the target file; the generation module is further used to update the file label policy information of the target file using the custom label policy information.
- the first device is a host.
- the apparatus is applied to an application layer of the first device.
- the apparatus is applied to a system layer of a first device.
- the application is a preset security application.
- the first device is a storage device.
- the acquisition module is specifically used to obtain a file access request for a target file sent by a third device and triggered by a request object, and the file access request is encapsulated by the third device using a security protocol; and the file access request is unpacked using the security protocol.
- the control module is specifically used to generate feedback file information according to the permission policy information of the request object and the access operation information of the request object, and send the feedback file information encapsulated by the security protocol to the third device.
- the present application provides a device for determining file access rights, which is applied to a second device, and the device includes: an acquisition module, which is used to obtain a permission request for a target file sent by a first device, the permission request includes file label policy information of the target file, access operation information and a public key of the request object, the file label policy information is encrypted by the public key of the target file, the file label policy information corresponds to the file label of the target file, the file label policy information is used to describe the control policy for the access operation on the target file, the file label includes one or more security dimension labels, the file label is set by the administrator of the target file or generated based on the file attributes of the target file, the request object is the system user of the operating system program of the first device, or the application user of the application program; a decryption module, which is used to decrypt the file label policy information using the private key of the target file; a determination module, which is used to determine the permission policy information of the request object based on the file label policy information and
- the target file is encrypted using a file encryption key.
- the file encryption key is encapsulated in the file tag policy information of the target file.
- the encryption module is also used to encrypt the file encryption key using the public key of the request object to obtain a second ciphertext, and the permission information also includes the second ciphertext.
- the sending module is further configured to send the label policy template to the first device in response to obtaining a label policy template acquisition request sent by the first device.
- the second device is a server or a management device.
- the present application provides a computing device cluster, the computing device cluster includes at least one computing device, each computing device includes a processor and a memory; the memory is used to store instructions, and when the computing device cluster is running, the processor in each computing device executes the instructions stored in the memory, so that the computing device cluster executes the file access method in the above-mentioned first aspect or any possible implementation of the first aspect, or executes the file access permission determination method in the above-mentioned second aspect or any possible implementation of the second aspect.
- the memory can be integrated into the processor or can be independent of the processor.
- Each computing device may also include a bus.
- the processor is connected to the memory via a bus.
- the memory may include a readable memory and a random access memory.
- the present application provides a computer-readable storage medium, which stores instructions.
- when the computer-readable storage medium is run on a computing device cluster (the computing device cluster includes at least one computing device), the computing device cluster executes the file access method in the above-mentioned first aspect or any possible implementation of the first aspect, or executes the file access permission determination method in the above-mentioned second aspect or any possible implementation of the second aspect.
- the present application provides a computer program product comprising instructions, which, when running on a computing device cluster (the computing device cluster includes at least one computing device), enables the computing device cluster to execute the file access method in the above-mentioned first aspect or any possible implementation of the first aspect, or execute the file access permission determination method in the above-mentioned second aspect or any possible implementation of the second aspect.
- FIG. 1a is a schematic diagram of a scenario provided in an embodiment of the present application.
- FIG. 1b is a schematic diagram of another scenario provided in an embodiment of the present application.
- FIG. 1c is a schematic diagram of an interaction between a first device and a second device provided in an embodiment of the present application.
- FIG. 2a is a schematic diagram of another scenario provided in an embodiment of the present application.
- FIG. 2b is a schematic diagram of another scenario provided in an embodiment of the present application.
- FIG. 2c is a schematic diagram of another interaction between a first device and a second device provided in an embodiment of the present application.
- FIG. 3a is a schematic diagram of a scenario provided in an embodiment of the present application.
- FIG. 3b is a schematic diagram of another scenario provided in an embodiment of the present application.
- FIG. 3c is a schematic diagram of another interaction between a first device and a second device provided in an embodiment of the present application.
- FIG. 4a is a schematic diagram of another scenario provided in an embodiment of the present application.
- FIG. 4b is a schematic diagram of another scenario provided in an embodiment of the present application.
- FIG. 4c is a schematic diagram of another interaction between a first device and a second device provided in an embodiment of the present application.
- FIG. 5 is a schematic flow chart of a file access method provided in an embodiment of the present application.
- FIG. 6 is a flow chart of another file access method provided in an embodiment of the present application.
- FIG. 7 is a schematic diagram of a process for generating file tag policy information for a target file provided by an embodiment of the present application.
- FIG. 8 is a schematic diagram of a file tag policy provided by an embodiment of the present application.
- FIG. 9 is a schematic diagram of another process for generating file tag policy information of a target file provided by an embodiment of the present application.
- FIG. 10 is a schematic diagram of the structure of a file access device provided in an embodiment of the present application.
- FIG. 11 is a schematic diagram of the structure of a device for determining file access rights provided in an embodiment of the present application.
- FIG. 12 is a schematic diagram of the structure of a computing device provided in an embodiment of the present application.
- FIG. 13 is a schematic diagram of the structure of a computing device cluster provided in an embodiment of the present application.
- FIG. 14 is a schematic diagram of the structure of another computing device cluster provided in an embodiment of the present application.
- Data is a relatively important asset, containing important information of individuals or enterprises.
- attack detection algorithms are usually built in dimensions such as network, host and storage. Detection algorithms are used to detect attack behaviors in a timely manner and process them to maintain data security.
- the attack behaviors that can be detected by the detection algorithm are limited. It can only identify currently known attack behaviors and it is difficult to detect unknown attacks. There are still security risks.
- the detection algorithm has detection errors, which may affect the normal operation of the business that processes the data. Detecting attacks with detection algorithms therefore cannot easily meet the needs of data security.
- an embodiment of the present application provides a file access method applied to a first device.
- the first device obtains a file access request including access operation information for a target file triggered by a request object.
- the first device obtains permission policy information of the request object.
- the permission policy information of the request object is determined based on the file tag policy information of the target file and the file access request of the request object.
- the file tag policy information corresponds to the file tag of the target file.
- the file tag policy information is used to describe the control policy for the access operation on the target file.
- the first device performs access control on the request object's access to the target file according to the permission policy information.
- the use of file tag policy information can achieve security protection for data with file as the granularity.
- the file tag can be configured based on the security protection requirements of the file, thereby achieving flexible configuration of file tag policy information to meet the security requirements of different files.
- the embodiments of the present application do not limit the deployment mode of the file access method and the file access permission determination method.
- the embodiments of the present application provide four application scenario schematic diagrams.
- the file access method provided in the embodiment of the present application can be applied to a tag policy client or a tag policy software development kit (SDK), and deployed in the application of the first device, that is, deployed in the application layer of the first device.
- the first device is, for example, a host.
- the request object requesting access to the target file can be an application user of the application of the first device, or a system user of the operating system program of the first device.
- the scenario shown in FIG1a can be, for example, a scenario in which the application has an independent user system.
- the application layer of the first device implements control over access to files by the application user of the application of the first device or the system user of the operating system program.
- the application layer of the first device includes a tag policy client or a tag policy software development kit, which obtains a file access request for a target file triggered by a request object, generates permission policy information of the request object based on the file tag policy information of the target file and the file access request of the request object, and performs access control on the request object's access to the target file according to the permission policy information.
- the first device interacts with the second device to implement access control to the target file.
- An embodiment of the present application provides a method for determining file access rights. The method for determining file access rights can be applied to a tag policy service, or a tag policy management component, and deployed on a second device.
- the second device is, for example, a server.
- FIG. 1c is a schematic diagram of the interaction between a first device and a second device provided in an embodiment of the present application.
- the application layer of the first device includes a tag policy client or a tag policy software development kit, including an initialization module, a file tag generation module, a file tag policy information generation module, an access request processing module, and an access operation control module.
- the tag policy service of the second device includes an initialization module and a permission information determination module.
- the initialization module of the first device interacts with the initialization module of the second device to implement initialization authentication, that is, identity authentication and certificate issuance.
- the file tag generation module of the first device is used to generate a file tag based on a user trigger, or automatically generate a file tag, and send a tag policy template acquisition request to the second device to obtain the tag policy template fed back by the second device.
- the file tag policy information generation module of the first device generates file tag policy information of the target file based on the file tag and the tag policy template.
- the file access method provided in the embodiment of the present application can be applied to a tag kernel module and deployed in the operating system program (OS) of the first device, that is, deployed in the system layer of the first device.
- the first device is, for example, a host.
- the request object requesting access to the target file can be the system user of the operating system program of the first device, or the application user of the application.
- the scenario shown in FIG2a is, for example, a scenario in which the application and the OS have a unified user system, or the user system of the application can be synchronized to the user system of the OS, or the application does not have an independent user system.
- the system layer of the first device implements control over access to files by application users of application programs or system users of operating system programs.
- the system layer of the first device includes a tag kernel module that obtains a file access request for a target file triggered by a request object, generates permission policy information of the request object based on the file tag policy information of the target file and the file access request of the request object, and performs access control on the request object's access to the target file according to the permission policy information.
- the first device interacts with the second device to implement access control on the target file.
- the file access permission determination method provided in the embodiment of the present application can be applied to a tag policy service, or a tag policy management component, deployed on a second device.
- the second device is, for example, a server.
- FIG. 2c is a schematic diagram of another interaction between a first device and a second device provided in an embodiment of the present application.
- the system layer of the first device includes a tag policy client or a tag policy software development kit, including an initialization module, a file tag generation module, a file tag policy information generation module, an access request processing module, and an access operation control module.
- the tag policy service of the second device, or the tag policy management component includes an initialization module and a permission information determination module.
- the interaction process between the first device and the second device is similar to the example corresponding to FIG1c above, and will not be repeated here.
- the file access method provided in the embodiment of the present application can be applied to the label kernel module, and the label policy client or the label policy SDK, and deployed in the OS and application of the first device, that is, deployed in the system layer and application layer of the first device.
- the first device is, for example, a host.
- the request object requesting access to the target file can be the system user of the operating system program of the first device, or the application user of the application.
- the scenario shown in FIG3a is, for example, a business scenario with high security requirements.
- the system layer and the application layer of the first device collaborate to implement control over access to files by the application user of the application, or the system user of the operating system program.
- the tag kernel module of the first device, and the tag policy client or tag policy SDK obtain a file access request for a target file triggered by a request object, generate permission policy information of the request object based on the file tag policy information of the target file and the file access request of the request object, and perform access control on the request object's access to the target file according to the permission policy information.
- the first device interacts with the second device to implement access control to the target file.
- the file access permission determination method provided in the embodiment of the present application can be applied to a tag policy service or a tag policy management component deployed on the second device.
- the second device is, for example, a server.
- FIG. 3c is a schematic diagram of another interaction between a first device and a second device provided in an embodiment of the present application.
- the system layer and application layer of the first device include a label policy client or a label policy software development kit, including an initialization module, a file label generation module, a file label policy information generation module, an access request processing module, and an access operation control module.
- the label policy service of the second device, or the label policy management component includes an initialization module and a permission information determination module.
- the interaction process between the first device and the second device is similar to the example corresponding to Figure 1c above, and will not be repeated here.
- the file access method provided in an embodiment of the present application can be applied to a tag kernel module and deployed in a first device.
- the first device is, for example, a storage device.
- the first device is also connected to a third device.
- the third device is, for example, a production host.
- a requesting object requesting access to a target file accesses the target file stored in the first device through a third device.
- the first device and the third device communicate via a security protocol.
- the first device also includes a security protocol server.
- the third device includes a security protocol client.
- the security protocol server and the security protocol client are used to encapsulate or unpack transmission information using a security protocol to achieve communication between the first device and the third device. In this way, the requesting object can complete the access operation to the target file stored in the first device on the third device.
- the tag kernel module of the first device obtains a file access request for a target file triggered by a request object, generates permission policy information of the request object based on the file tag policy information of the target file and the file access request of the request object, and performs access control on the request object's access to the target file according to the permission policy information.
- the first device interacts with the second device to implement access control on the target file.
- the file access permission determination method provided in the embodiment of the present application can be applied to a tag policy service, or a tag policy management component, deployed on the second device.
- the second device is, for example, a management device for a storage device.
- FIG. 4c is a schematic diagram of another interaction between a first device and a second device provided in an embodiment of the present application.
- the first device includes a tag policy client or a tag policy software development kit, including an initialization module, a file tag generation module, a file tag policy information generation module, an access request processing module, and an access operation control module.
- the first device also includes a security protocol server.
- the tag policy service of the second device includes an initialization module and a permission information determination module.
- the third device A and the third device B each include a security protocol client.
- the interaction process between the first device and the second device is similar to the example corresponding to Figure 1c above, and will not be repeated here.
- the security protocol client of the third device A is used to obtain the file tag selected by the user, and uses the security protocol to encapsulate the file tag and send it to the first device.
- the security protocol server of the first device uses the security protocol to decapsulate the file tag, and sends the file tag to the file tag generation module.
- the security protocol client of the third device A is used to obtain the file access request triggered by the request object, and uses the security protocol to encapsulate the file access request and send it to the first device.
- the security protocol server of the first device uses the security protocol to decapsulate the file access request and sends the file access request to the access request processing module. In this way, it is possible to control the access to files by the request object, that is, the application user of the application of the third device, or the system user of the operating system program.
- this figure is a schematic flow chart of a file access method provided in an embodiment of the present application. The method is applied to a first device and includes S501-S503.
- S501 The first device obtains a file access request for a target file triggered by a request object.
- the request object is an object that requests access to a target file stored in the first device through the first device.
- the embodiment of the present application does not limit the identity of the request object.
- the request object is, for example, a user.
- the user is an application user of an application program of the first device, or a system user of an operating system program of the first device.
- the request object is, for example, a user and a program process.
- the program process is a process in which a user triggers a file access request.
- the user who is the object of the request needs to pass security authentication.
- a first device establishes a connection with a second device.
- the first device exchanges user information with the second device to complete authentication of the user.
- the authentication process includes two processes: identity authentication and the second device issuing a certificate to the first device.
- in identity authentication, the first device sends object information of an object involved in file access to the second device.
- the first device sends user information of a user logged in to the application, or user information of a user logged in to the operating system program of the first device.
- the second device authenticates the object based on the acquired object information and sends the authentication result to the first device.
- the first device determines the object that has passed the security authentication based on the authentication result. If the request object is already an authenticated object, the first device can determine whether the request object has passed the security authentication based on the authentication result. In the case where the request object has passed the security authentication, the first device processes the file access request for the target file triggered by the request object. If the request object has not passed the security authentication, the first device does not process the file access request for the target file triggered by the request object. If the request object is an unauthenticated object, such as a user who logs in to the first device for the first time, the first device sends the user information of the request object to the second device.
- the second device authenticates the request object based on the acquired user information of the request object and sends the authentication result of the request object to the first device.
- the first device can determine whether the request object has passed the security authentication based on the authentication result of the request object. In the case where the request object has passed the security authentication, the first device processes the file access request for the target file triggered by the request object. If the request object has not passed the security authentication, the first device does not process the file access request for the target file triggered by the request object.
- the file access method provided by the embodiment of the present application is applied to the system layer of the first device. That is, the file access method is executed by the operating system program of the first device.
- the request object can be an application user of an application deployed by the first device.
- after obtaining the file access request triggered by the application user, the system layer of the first device first verifies whether the application to which the application user belongs is a safe application, for example based on a pre-established application whitelist.
- the application whitelist includes information about safe applications. The first device determines whether the application user is an application user of an application included in the application whitelist.
- if the application user is an application user of an application included in the application whitelist, the first device processes the file access request for the target file triggered by the application user. If the application user is not an application user of an application included in the application whitelist, the first device does not process the file access request for the target file triggered by the request object. In this way, it is possible to implement security authentication of the application to which the application user belongs, limit the applications that access files, prevent malicious processing of files by applications, such as deleting files, and improve the security of files.
- the target file stored in the first device is a file that pre-configures the file label policy information.
- the file label policy information corresponds to the file label of the target file.
- the file label can be set based on the attributes of the file and the need for file protection.
- the file label policy information is used to describe the control policy for access operations on the target file.
- the file label policy information is used to indicate the permission policy that needs to be followed to access the target file.
- the target file is protected by the file label policy information.
- the present application embodiment does not limit the configuration method of the file tag policy information of the target file.
- for example, the owner or manager of the target file configures it directly.
- the owner or manager of the target file edits and generates it.
- the embodiment of the present application provides a specific implementation method for generating file tag policy information of a target file, please refer to the following for details.
- the file access request includes access operation information.
- the access operation information includes the object information of the request object and the operation information of the request object requesting to perform an access operation on the target file.
- the object information of the request object may be, for example, the account information and object type of the request object.
- when the request object is a user, the account information is the user's account.
- the object type may be, for example, a system user or an application user. Different types of request objects are distinguished to facilitate determining the permission policy information of different types of request objects, implement access control on different types of request objects, and improve the security of data.
- the object information of the request object also includes the process information of the program process that triggers the file access request, such as the process number.
- the operation information may include, for example, the type of access operation.
- S502 The first device obtains permission policy information of the request object.
- the permission policy information of the request object is used to indicate the permission of the request object to operate the target file.
- the permission policy information of the request object is determined based on the file tag policy information of the target file and the file access request of the request object.
- the embodiments of the present application do not limit possible implementation methods for the first device to obtain permission policy information.
- the first device generates permission policy information of the request object according to the file tag policy information of the target file and the file access request of the request object.
- the first device determines the permission policy information related to the access operation information from the file tag policy information of the target file, and obtains the permission policy information of the request object.
- the permission policy information of the request object is used to indicate the permission of the request object to operate the target file.
- the file label policy information of the target file includes the operations that can be performed on the target file for different security dimensions.
- the file label policy information of the target file includes policy information of four security dimensions: file sensitivity, access user, access process, and the business type to which the file belongs.
- the policy information of the sensitivity of the file includes encryption protection for top-secret files.
- the policy information of the access user includes that users of type U1 have all operation permissions, users of type non-U1 are denied access, users of type U2 have read and write permissions, and users of type U3 have print permissions.
- the policy information of the access process includes that processes of type P1 have all permissions, and processes of type non-P1 are denied access.
- the policy information of the business type to which the file belongs restricts the sending of files including financial data to non-financial personnel.
- the access operation information includes that the user type to which the request object belongs is U1 type, and the type of access operation is a read operation.
- the first device determines based on the access operation information and the file label policy information that the request object of type U1 has all operation permissions.
- the permission policy information of the request object is to have all operation permissions.
- the access operation information includes that the user type to which the request object belongs is U3 type, and the type of access operation is a read operation.
- the first device determines based on the access operation information and the file label policy information that the request object of type U3 has the permission for printing operations.
- the permission policy information of the request object is to have the permission for printing operations.
- the first device interacts with the second device to obtain the permission policy information of the request object sent by the second device.
- the above S502 specifically includes the following steps:
- the first device sends a permission request for the target file to the second device, where the permission request includes access operation information, a public key of the request object, and file tag policy information of the target file encrypted by the public key of the target file.
- after obtaining the file access request for the target file, the first device sends a permission request for the target file to the second device.
- the second device can determine permission information for the request object to access the target file based on the file tag policy information and access operation information of the target file.
- the permission request includes the file tag policy information of the target file, the access operation information included in the file access request, and the public key of the request object.
- the file tag policy information of the target file is encrypted by the public key of the target file.
- the file label policy information of the target file is determined in advance based on the data protection needs of the target file.
- the file label policy information of the target file is generated by the first device and protected by encryption with the public key of the target file.
- the first device does not have the private key corresponding to the public key of the target file. This avoids decrypting the file label policy information locally on the first device, and prevents an attacker who has compromised the first device from using the private key of the target file to decrypt and tamper with the file label policy information. This improves the security of the file label policy information, and thereby the security of the target file.
- the public key of the target file can be a key set in advance by the owner of the target file, or generated based on the information of the owner of the target file.
- the public key of the target file is, for example, the public key of the organization to which the owner of the target file belongs, such as a company or a group. This facilitates the organization's management of, and access to, its files.
- the public key of the request object can be a public key preset by the request object.
- the embodiment of the present application does not limit the generation method of the public key of the request object.
- the public key of the request object is generated based on the relevant information of the request object.
- the second device obtains a permission request for the target file sent by the first device, where the permission request includes access operation information, a public key of the request object, and file tag policy information of the target file encrypted by the first public key.
- S5023 The second device decrypts the file tag policy information using the private key of the target file.
- the private key of the target file is the decryption key of the public key of the target file.
- the private key of the target file is, for example, a key pre-set by the owner of the target file, or is, for example, a key generated based on the information of the owner of the target file.
- the private key of the target file is, for example, the private key of the organization or institution to which the owner of the target file belongs. This makes it easy for organizations and institutions to manage files in a unified manner.
- the second device uses the private key of the target file to decrypt the file label policy information generated by the first device.
- the first device does not have the decryption key, which can avoid the problem of decryption key leakage caused by the attack on the first device, thereby improving the security of the file label policy information and thereby improving the security of the target file.
- the second device determines the permission policy information of the request object based on the file tag policy information and access operation information of the target file.
- the second device obtains the file tag policy information and access operation information of the target file based on the obtained permission request for the target file.
- the second device can determine the permission policy information related to the access operation information from the file tag policy information of the target file based on the access operation information, and obtain the permission policy information of the request object.
- the permission policy information of the request object is used to indicate the permission of the request object to operate the target file.
- the second device encrypts the permission policy information of the request object using the public key of the request object to obtain a first ciphertext.
- after determining the permission policy information of the request object, the second device uses the public key of the request object to encrypt the permission policy information of the request object to obtain the first ciphertext.
- the encrypted permission policy information of the request object has a high security level and can prevent the permission policy information from being maliciously obtained during the interaction between the second device and the first device to a certain extent.
- S5026 The second device sends permission information including the first ciphertext to the first device.
- S5027 The first device obtains the permission information fed back by the second device.
- the first device decrypts the first ciphertext using the private key of the request object to obtain the permission policy information of the request object.
- the embodiment of the present application does not limit the generation method of the public key of the request object and the private key of the request object.
- the first device uses the private key of the request object to decrypt the first ciphertext included in the permission information to obtain the permission policy information of the request object.
- the permission policy information of the request object indicates the permission of the request object to operate the target file.
- the security of the file label policy information stored in the first device can be improved.
- the second device decrypts the file label policy information and analyzes it to obtain the permission policy information.
- the first device does not need to decrypt the file label policy information locally, which can avoid the risk of an attacker using the decryption key obtained from the first device to maliciously tamper with the file label policy information, thereby improving the security of the file label policy information and further improving the security of the target file.
- S503 The first device performs access control on the request object's access to the target file according to the permission policy information of the request object.
- the first device can determine the permission of the request object to access the target file based on the permission policy information of the request object.
- the first device performs access control on the request object to access the target file according to the permission policy information of the request object.
- the target file has a confidentiality requirement.
- the confidentiality requirement of the target file can be configured through the file label policy information of the target file.
- the first device determines that the target file has a confidentiality requirement based on the file label policy information generated for the target file.
- the first device encrypts the target file using a file encryption key.
- the embodiment of the present application does not limit the method for generating the file encryption key.
- the file encryption key is a randomly generated symmetric key.
- the file encryption key corresponds one-to-one to the file to be encrypted. This can improve the security of each file that needs to be encrypted, and can also ensure the security of other files when the file encryption keys of some files are cracked.
- the file encryption key is encapsulated in the file label policy information of the target file, and the file label policy information of the target file is encrypted using the public key of the target file to protect the file encryption key and the file label policy information.
- when determining the permission policy information of the request object, the second device uses the private key of the target file to decrypt the file label policy information, obtaining both the file label policy information and the file encryption key.
- the second device also uses the public key of the requesting object to encrypt the file encryption key to obtain a second ciphertext.
- the second device sends permission information including the first ciphertext and the second ciphertext to the first device. Based on the second ciphertext of the obtained permission information, the first device can use the private key of the requesting object to decrypt the second ciphertext to obtain the file encryption key.
- the target file is decrypted using the file encryption key obtained by decrypting the second ciphertext so that the requesting object can operate on the target file. In this way, further encryption processing of the target file can be achieved, thereby improving the data security of the target file.
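The permission exchange of S5021 to S5028, with the second ciphertext carrying the file encryption key, as an added example in Go that is not part of the patent: the first device seals the policy under the target file's public key it cannot open, the second device decrypts it, derives the request object's permission and re-encrypts it (and, for a top-secret file, the file key) to the request object, and the first device enforces the result. Type names, the compact JSON encoding, the one-letter operation codes, RSA-OAEP and the user/process intersection rule are all assumptions of this example; decrypting the file content with the recovered key is left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"strings"
)

// FileTagPolicy is a constructed, compact encoding of the file tag policy information;
// field names and operation codes (r=read, w=write, p=print, d=delete) are assumptions.
type FileTagPolicy struct {
	Sensitivity string            `json:"s"` // "top_secret" => encryption protection
	Users       map[string]string `json:"u"` // user type -> granted operations
	Procs       map[string]string `json:"p"` // process type -> granted operations
	FileKey     []byte            `json:"k"` // encapsulated file encryption key
}

// AccessOp is the access operation information carried in the file access request.
type AccessOp struct{ UserType, ProcType, Op string }
// PermissionRequest is sent by the first device (S5021). PermissionInfo is the second
// device's reply (S5026): first ciphertext = permission policy, second = file key.
type PermissionRequest struct {
	Op           AccessOp
	RequesterPub *rsa.PublicKey
	SealedPolicy []byte // policy encrypted under the target file's public key
}
type PermissionInfo struct{ First, Second []byte }

// SamplePolicy is the FIG. 8 policy plus the U2/U3 additions; the file key is a constructed value.
var SamplePolicy = FileTagPolicy{Sensitivity: "top_secret", FileKey: []byte("0123456789abcdef"),
	Users: map[string]string{"U1": "rwpd", "U2": "rw", "U3": "p"}, Procs: map[string]string{"P1": "rwpd"}}

// seal/unseal use RSA-OAEP (an assumption; the patent says only "encrypted by the public
// key"). A 2048-bit key caps each plaintext at 190 bytes, which the compact policy stays under.
func seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}
func unseal(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// SealPolicy runs on the first device when the target file is configured. The private half
// of filePub never exists there, so a compromised first device cannot read or tamper with the policy.
func SealPolicy(filePub *rsa.PublicKey, pol FileTagPolicy) ([]byte, error) {
	raw, err := json.Marshal(pol)
	if err != nil {
		return nil, err
	}
	return seal(filePub, raw)
}

// DeterminePermission runs on the second device (S5022-S5026).
func DeterminePermission(filePriv *rsa.PrivateKey, req PermissionRequest) (PermissionInfo, error) {
	raw, err := unseal(filePriv, req.SealedPolicy)
	if err != nil {
		return PermissionInfo{}, err
	}
	var pol FileTagPolicy
	if err := json.Unmarshal(raw, &pol); err != nil {
		return PermissionInfo{}, err
	}
	// Assumption: the request object gets the operations granted to both its user type
	// and its process type; a type absent from the policy is denied access.
	perm := ""
	for _, c := range pol.Users[req.Op.UserType] {
		if strings.ContainsRune(pol.Procs[req.Op.ProcType], c) {
			perm += string(c)
		}
	}
	var info PermissionInfo
	if info.First, err = seal(req.RequesterPub, []byte(perm)); err != nil {
		return PermissionInfo{}, err
	}
	if pol.Sensitivity == "top_secret" && perm != "" { // file key only for a permitted requester
		if info.Second, err = seal(req.RequesterPub, pol.FileKey); err != nil {
			return PermissionInfo{}, err
		}
	}
	return info, nil
}

// CheckAccess runs on the first device (S5027, S5028, S503): decrypt the permission policy
// with the request object's private key, enforce it, and return the file key only if allowed.
func CheckAccess(reqPriv *rsa.PrivateKey, info PermissionInfo, op AccessOp) ([]byte, error) {
	perm, err := unseal(reqPriv, info.First)
	if err != nil {
		return nil, err
	}
	if op.Op == "" || !strings.Contains(string(perm), op.Op) {
		return nil, errors.New("access denied by permission policy information")
	}
	if info.Second == nil { // not a confidential file: nothing to decrypt
		return nil, nil
	}
	return unseal(reqPriv, info.Second)
}
```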
- the above is a method for implementing target file access using the file tag policy information of the target file.
- the following provides a possible specific implementation method for generating the file tag policy information of the target file.
- FIG. 7 is a schematic diagram of a process for generating file tag policy information of a target file provided by an embodiment of the present application.
- the method includes S701-S703:
- S701 The first device obtains a file tag of a target file.
- the file tag of the target file is a tag set for the target file.
- the file tag includes one or more security dimension tags. It should be noted that the file tag of the target file is determined based on a tag template.
- the tag template is a template of a pre-set configuration file tag. As an example, the tag template includes multiple selectable file tags. The file tag of the target file is selected from the tag template.
- the embodiments of the present application do not limit the manner of generating a file tag for a target file.
- the generation of a file tag for a target file is triggered by the manager of the target file.
- the manager of the target file is a user with authority to manage the target file.
- the manager of the target file is, for example, the owner of the target file.
- the user can generate a file tag by selection or input.
- the first device automatically generates a file tag based on the file attributes of the target file.
- File attributes include, for example, file type, file generation time, and file priority.
- a file tag for a target file is automatically generated based on a pre-set tag generation rule and the file attributes of the target file.
- the tag generation rule includes, for example, a correspondence between file attributes and file tags.
- the label template includes labels of four security dimensions, namely sensitivity labels, user labels, access process labels, and outbound permission labels.
- Sensitivity labels include, for example, top secret, confidential, internal, public, and personal.
- User labels include, for example, U1 type.
- Access process labels include P1 type.
- Outbound permission labels include financial data and sales data.
- the file tag is determined from the tags included in the tag template, or the file tag is automatically generated based on the tags included in the tag template. For example, as shown in FIG. 8, a top secret tag, a U1 type tag, a P1 type tag, and a financial data tag are selected from the tag template.
- S703 The first device generates file tag policy information of the target file based on the file tag and the tag policy template.
- the tag policy template is a policy template pre-configured by the tag policy management user.
- the present application embodiment does not limit the specific content of the tag policy template.
- the tag policy template includes policies corresponding to tags of four security dimensions: sensitivity, user, access process, and outbound permissions.
- the tag policy template corresponds to the tag template.
- the tag policy template includes tag policy information corresponding to each tag included in the tag template.
- the first device obtains the tag policy information of the file tag of the target file from the tag policy template, integrates the tag policy information of the file tag, and obtains the file tag policy information of the target file.
- the file tag of the target file is matched with the tag template included in the tag policy template, and the file tag policy information of the tag template consistent with the file tag of the target file is used as the file tag policy information corresponding to the file tag of the target file.
- the first device can determine the file label policy information corresponding to the file label of the target file from the label policy template, that is, the file label policy information of the target file, including: 1. Sensitivity policy information: top secret file encryption; 2. Access user policy information: U1 type users have all permissions, and other types of users are denied access; 3. Access process policy information: P1 type processes have all permissions, and other processes are denied access; 4. Outbound permission policy information: limit outbound sending to non-financial personnel.
- the first device can encapsulate the file content of the target file, the file label of the target file, and the file label policy information of the target file into a protected file.
- the embodiment of the present application does not limit the implementation method of encapsulating files.
- the file content of the target file, the file label of the target file, and the file label policy information of the target file are encapsulated into one file.
- the file content of the target file, the file label of the target file, and the file label policy information of the target file are respectively encapsulated into three interrelated files.
- the file label policy information of the target file can be encrypted by the first public key.
- in this way, the file label and file label policy information that meet the data security requirements of the target file can be configured more flexibly, achieving fine-grained security protection for the file and meeting the security requirements of different files and of access by different object types.
- the file label policy information can be configured using file labels and label policy templates to improve the efficiency of configuring the file label policy information.
- the embodiment of the present application does not limit the source of the label policy template.
- the tag policy template is pre-configured in the first device.
- the label policy template is obtained by the first device from the second device.
- the method may further include S7021 to S7023.
- S7021 The first device sends a label policy template acquisition request to the second device.
- the tag policy template acquisition request is used to obtain the tag policy template.
- the tag policy template is a policy template pre-configured by the tag policy management user.
- the embodiment of the present application does not limit the specific content included in the tag policy template.
- the tag policy template includes policies corresponding to tags of four security dimensions: sensitivity, access user, access process, and outbound permissions.
- S7022 In response to obtaining the label policy template acquisition request sent by the first device, the second device sends the label policy template to the first device.
- the second device stores the tag policy template.
- S7023 The first device obtains the label policy template sent by the second device.
- the file tag policy information can also be customized and adjusted.
- FIG. 9 is a schematic diagram of another process for generating file tag policy information of a target file provided by an embodiment of the present application.
- the method is applied to a first device and a second device, and in addition to the above S701-S703, further includes S704 and S705.
- S704 The first device obtains custom tag policy information for the target file.
- the first device displays an editing control for editing file label policy information.
- the user can input custom label policy information for the target file through the editing control.
- the custom label policy information includes, for example, additional label policy information to be added.
- the additional label policy information includes newly added access user policy information and access process policy information: U2 type users have read permission and write permission, U3 type users have read permission, write permission and print permission, P2 type processes have read-only permission, and P3 type processes have read permission and write permission.
- the custom label policy information includes, for example, revised label policy information.
- the revised label policy information identifies the entries of the file label policy information of the target file that need to be modified, together with their modified values.
- S705 The first device updates the file label policy information of the target file using the custom label policy information.
- the file label policy information of the target file, rapidly configured from the template, can thus be flexibly adjusted so that the generated file label policy information better matches the data security requirements of the target file.
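The template lookup (S701 to S703) and the custom additions and revisions (S704, S705) described above can be implemented as follows. This is an added example written for this page, not code from the application or its applicant. The `Template`, `LabelPolicy`, `CustomPolicy` and `Decide` names, the bit encoding of permissions, the template contents and the rule that the user-type and process-type dimensions combine by intersection are all assumptions chosen to reproduce the U1/P1 and U2/U3/P2/P3 example in the text. It goes one step beyond the text by deriving the permission policy information of a request object from the generated policy, so that the effect of a revision (U3 tightened to read-only) is visible.

```go
package main

import "fmt"

// Perm is a bit set of access operations. The page names read, write, print and
// outbound-send permissions; this bit encoding is an assumption of the example.
type Perm uint8
const (
	Read Perm = 1 << iota
	Write
	Print
	Send
	All = Read | Write | Print | Send
)
// FileLabel holds one label per security dimension of the page's example.
type FileLabel struct{ Sensitivity, UserType, ProcType, Outbound string }

// LabelPolicy is the file label policy information of one target file; subject
// types absent from Users or Procs are denied (default deny).
type LabelPolicy struct {
	Encrypt      bool
	Users, Procs map[string]Perm
	Outbound     string
}

// Template is the label policy template: per dimension, label value -> policy.
type Template struct {
	Sensitivity  map[string]bool
	Users, Procs map[string]map[string]Perm
	Outbound     map[string]string
}

// DefaultTemplate is constructed to match the page's example, not taken from it.
func DefaultTemplate() Template {
	return Template{
		Sensitivity: map[string]bool{"top-secret": true, "internal": false},
		Users:       map[string]map[string]Perm{"U1-only": {"U1": All}},
		Procs:       map[string]map[string]Perm{"P1-only": {"P1": All}},
		Outbound:    map[string]string{"restricted": "limit outbound sending to non-financial personnel"},
	}
}

// GeneratePolicy looks each dimension of the label up in the template (S703) and
// fails closed on any label value the template does not define.
func GeneratePolicy(t Template, l FileLabel) (LabelPolicy, error) {
	enc, ok1 := t.Sensitivity[l.Sensitivity]
	users, ok2 := t.Users[l.UserType]
	procs, ok3 := t.Procs[l.ProcType]
	out, ok4 := t.Outbound[l.Outbound]
	if !(ok1 && ok2 && ok3 && ok4) {
		return LabelPolicy{}, fmt.Errorf("label %+v has a value the template does not define", l)
	}
	p := LabelPolicy{Encrypt: enc, Users: map[string]Perm{}, Procs: map[string]Perm{}, Outbound: out}
	for k, v := range users { p.Users[k] = v } // copy, so later edits never touch the template
	for k, v := range procs { p.Procs[k] = v }
	return p, nil
}

// CustomPolicy is the custom label policy information of S704: added and revised entries.
type CustomPolicy struct{ AddUsers, AddProcs, ReviseUsers, ReviseProcs map[string]Perm }

// ExampleCustom reproduces the page's additions and then tightens U3 to read-only.
func ExampleCustom() CustomPolicy {
	return CustomPolicy{
		AddUsers:    map[string]Perm{"U2": Read | Write, "U3": Read | Write | Print},
		AddProcs:    map[string]Perm{"P2": Read, "P3": Read | Write},
		ReviseUsers: map[string]Perm{"U3": Read},
	}
}

// ApplyCustom updates the policy in place (S705). An addition never overwrites an existing
// grant and a revision never creates one, so a mistyped subject type cannot grant access.
func (p *LabelPolicy) ApplyCustom(c CustomPolicy) {
	merge := func(dst, add, revise map[string]Perm) {
		for k, v := range add { if _, ok := dst[k]; !ok { dst[k] = v } }
		for k, v := range revise { if _, ok := dst[k]; ok { dst[k] = v } }
	}
	merge(p.Users, c.AddUsers, c.ReviseUsers)
	merge(p.Procs, c.AddProcs, c.ReviseProcs)
}

// Decide derives the permission policy information of one request object: effective
// permission = user-type grant AND process-type grant (an assumption), allowed only if
// every requested bit is granted.
func Decide(p LabelPolicy, user, proc string, op Perm) (eff Perm, allowed bool) {
	eff = p.Users[user] & p.Procs[proc] // missing key -> 0 -> deny
	return eff, op != 0 && eff&op == op
}

func main() {
	policy, err := GeneratePolicy(DefaultTemplate(), FileLabel{"top-secret", "U1-only", "P1-only", "restricted"})
	if err != nil { panic(err) }
	policy.ApplyCustom(ExampleCustom())
	for _, r := range []struct{ u, p string; op Perm }{{"U1", "P1", All}, {"U2", "P2", Read}, {"U2", "P2", Write}, {"U3", "P3", Print}, {"U9", "P1", Read}} {
		eff, ok := Decide(policy, r.u, r.p, r.op)
		fmt.Printf("%s via %s wants %04b: effective=%04b allowed=%v\n", r.u, r.p, r.op, eff, ok)
	}
}
```

Two details are worth keeping in a real implementation: `GeneratePolicy` copies the template maps so that a later customisation never edits the shared template, and `ApplyCustom` keeps additions and revisions distinct, so a revision aimed at an existing subject type cannot silently turn into a grant for a new one.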
- the first device is a storage device.
- the storage device is connected to a third device.
- the third device is, for example, a production host.
- the production host is a host connected to the storage device and capable of accessing data stored in the storage device.
- the storage device and the production host interact through a security protocol.
- the embodiments of the present application do not limit the type of security protocol.
- the security protocol is a Network Attached Storage (NAS) protocol, or an Object Storage Service (OBS) protocol.
- the request object uses a third device connected to the first device to access the file.
- the request object triggers a file access request for the target file on the third device.
- the third device encapsulates the file access request using a security protocol.
- the third device sends the encapsulated file access request to the first device.
- the first device unpacks the obtained file access request using the security protocol.
- when performing access control on the request object's access to the target file according to the permission policy information of the request object, the first device generates feedback file information according to the permission policy information of the request object and the access operation information of the request object.
- the third device obtains the feedback file information and decapsulates the feedback file information using the security protocol.
- by using the security protocol to encapsulate and decapsulate the information exchanged between the first device and the third device, the security of the interaction between the two devices is improved and the security requirements for accessing files can be met.
- the file tag of the target file can be generated by the user of the third device or automatically triggered by the third device.
- the third device uses the security protocol to encapsulate the file tag of the target file and sends the encapsulated file tag of the target file to the first device.
- the first device obtains the file tag of the target file encapsulated by the security protocol.
- the first device decapsulates the file tag of the encapsulated target file using the security protocol to obtain the file tag of the target file.
- the present application also provides a file access device 1000, which is applied to a first device, as shown in FIG. 10, and includes:
- an acquisition module configured to acquire a file access request for a target file triggered by a request object, wherein the file access request includes access operation information, and the access operation information is used to describe the access operation that the request object needs to perform on the target file;
- the request object is a system user of an operating system program of the first device, or an application user of an application program;
- a processing module is used to obtain the permission policy information of the request object, the permission policy information is determined based on the file label policy information of the target file and the file access request; the file label policy information corresponds to the file label of the target file, the file label policy information is used to describe the control policy for the access operation on the target file, and the permission policy information is used to indicate the permission of the request object to operate the target file; the file label includes one or more security dimension labels, and the file label is set by the administrator of the target file or generated based on the file attributes of the target file;
- a control module is used to perform access control on the request object's access to the target file according to the permission policy information.
- the processing module is specifically configured to generate permission policy information of the request object according to the file tag policy information of the target file and the file access request of the request object.
- the processing module is specifically used to send a permission request for the target file to a second device, the permission request including the file label policy information of the target file, the access operation information and the public key of the request object, the file label policy information of the target file being encrypted with the public key of the target file; to obtain permission information fed back by the second device, the permission information including a first ciphertext obtained by encrypting the permission policy information of the request object with the public key of the request object, the permission policy information of the request object having been derived by the second device from the file label policy information of the target file (decrypted with the private key of the target file) and the access operation information; and to decrypt the first ciphertext with the private key of the request object to obtain the permission policy information of the request object.
- the target file is encrypted using a file encryption key
- the file encryption key is encapsulated in the file tag policy information of the target file.
- the permission information also includes a second ciphertext encrypted by using the public key of the request object.
- the processing module is also used to decrypt the target file using the file encryption key if it is determined that the request object has access rights based on the permission policy information.
- the file encryption key is obtained by decrypting the second ciphertext using the private key of the request object.
- the acquisition module is further used to acquire a file tag of the target file
- a generating module is used to generate file tag policy information of the target file based on the file tag and the tag policy template.
- the tag policy template is obtained from the second device.
- the acquisition module is further used to acquire custom tag policy information for the target file
- the generating module is further used to update the file label policy information of the target file by using the custom label policy information.
- the first device is a host.
- the apparatus is applied to an application layer of the first device.
- the apparatus is applied to a system layer of the first device.
- the application is a preset security application.
- the first device is a storage device
- the acquisition module is specifically used to obtain a file access request for a target file sent by a third device and triggered by a request object, and the file access request is encapsulated by the third device using a security protocol; and the file access request is unpacked using the security protocol.
- the control module is specifically configured to generate feedback file information according to the permission policy information of the request object and the access operation information of the request object, and to send the feedback file information, encapsulated using the security protocol, to the third device.
- the acquisition module, the processing module and the control module can all be implemented by software, or can be implemented by hardware.
- the implementation of the acquisition module is introduced below by taking the acquisition module as an example.
- the implementation of the processing module and the control module can refer to the implementation of the acquisition module.
- the acquisition module may include code running on a computing instance.
- the computing instance may include at least one of a physical host (computing device), a virtual machine, and a container. Furthermore, the computing instance may be one or more.
- the acquisition module may include code running on multiple hosts/virtual machines/containers. It should be noted that the multiple hosts/virtual machines/containers used to run the code may be distributed in the same region or in different regions. Furthermore, the multiple hosts/virtual machines/containers used to run the code may be distributed in the same availability zone (AZ) or in different AZs, each AZ including one data center or multiple data centers with similar geographical locations. Generally, a region may include multiple AZs.
- multiple hosts/virtual machines/containers used to run the code can be distributed in the same virtual private cloud (VPC) or in multiple VPCs.
- a VPC is set up in a region.
- a communication gateway needs to be set up in each VPC to achieve interconnection between VPCs through the communication gateway.
- the acquisition module may include at least one computing device, such as a server, etc.
- the acquisition module may also be a device implemented using an application-specific integrated circuit (ASIC) or a programmable logic device (PLD).
- the PLD may be a complex programmable logical device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL) or any combination thereof.
- the multiple computing devices included in the acquisition module can be distributed in the same region or in different regions.
- the multiple computing devices included in the acquisition module can be distributed in the same AZ or in different AZs.
- the multiple computing devices included in the acquisition module can be distributed in the same VPC or in multiple VPCs.
- the multiple computing devices can be any combination of computing devices such as servers, ASICs, PLDs, CPLDs, FPGAs, and GALs.
- the acquisition module can be used to execute any step in the file access method
- the processing module can be used to execute any step in the file access method
- the control module can be used to execute any step in the file access method.
- the steps that the acquisition module, the processing module, and the control module are responsible for implementing can be specified as needed.
- the full functions of the file access device are realized by respectively implementing different steps in the file access method through the acquisition module, the processing module, and the control module.
- the present application also provides a device 1100 for determining file access rights, which is applied to a second device. As shown in FIG. 11, the device includes:
- an acquisition module configured to acquire a permission request for the target file sent by the first device, the permission request including file label policy information of the target file, access operation information, and a public key of a request object, the file label policy information being encrypted by the public key of the target file, the file label policy information corresponding to a file label of the target file, the file label policy information being used to describe a control policy for access operations on the target file, the file label including labels of one or more security dimensions, the file label being set by an administrator of the target file or generated based on a file attribute of the target file, and the request object being a system user of an operating system program of the first device, or an application user of an application program;
- a decryption module used to decrypt the file tag policy information using the private key of the target file
- a determination module used to determine the permission policy information of the request object according to the decrypted file tag policy information and the access operation information
- An encryption module used to encrypt the permission policy information of the request object using the public key of the request object to obtain a first ciphertext
- a sending module is used to send permission information to the first device, where the permission information includes the first ciphertext.
- the target file is encrypted using a file encryption key
- the file encryption key is encapsulated in the file tag policy information of the target file.
- the encryption module is also used to encrypt the file encryption key using the public key of the request object to obtain a second ciphertext, and the permission information also includes the second ciphertext.
- the sending module is further configured to send the label policy template to the first device in response to obtaining a label policy template acquisition request sent by the first device.
- the second device is a server or a management device.
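The permission request and reply described for the processing module of device 1000 (permission request carrying the policy encrypted under the target file's public key; first and second ciphertext returned under the request object's public key) and for the decryption, determination, encryption and sending modules of device 1100 can be exercised end to end with the following added example. It is written for this page and is not code from the application or its applicant. It assumes RSA-OAEP with SHA-256 for every public-key encryption, a JSON encoding of the policy and permission information, OAEP labels (`tag-policy`, `permission-policy`, `fek`) that keep the three ciphertext types from being substituted for one another, and that the second device withholds the second ciphertext when it denies access; the page specifies none of these, and the `Scenario` helper, key sizes and policy contents are constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Access-operation bits; the encoding is an assumption of this example.
const Read, Write, Print uint8 = 1, 2, 4
// TagPolicy is the file label policy information: per-subject-type grants plus the file
// encryption key (FEK) the page says is encapsulated in it. JSON layout is assumed; it must
// fit one RSA-OAEP block (190 bytes for a 2048-bit key with SHA-256).
type TagPolicy struct {
	Users, Procs map[string]uint8
	FEK          []byte
}
// PermissionRequest: policy sealed to the file's public key, the access operation and the
// requester's public key. PermissionInfo: first ciphertext (permission policy) and second
// ciphertext (FEK), both sealed to the requester's key; Second stays empty on denial so the
// FEK never reaches a refused requester (a hardening assumption of this example).
type PermissionRequest struct {
	EncPolicy    []byte
	User, Proc   string
	Op           uint8
	RequesterPub *rsa.PublicKey
}
type PermissionPolicy struct{ Effective, Op uint8; Allowed bool }
type PermissionInfo struct{ First, Second []byte }
func seal(pub *rsa.PublicKey, label string, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, []byte(label))
}
func unseal(priv *rsa.PrivateKey, label string, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, []byte(label))
}

// BuildPermissionRequest runs on the first device, which holds only the file's public key.
func BuildPermissionRequest(filePub, reqPub *rsa.PublicKey, pol TagPolicy, user, proc string, op uint8) (PermissionRequest, error) {
	raw, _ := json.Marshal(pol)
	enc, err := seal(filePub, "tag-policy", raw)
	return PermissionRequest{enc, user, proc, op, reqPub}, err
}

// DeterminePermission runs on the second device, sole holder of the file's private key.
// Effective rights = user-type grant AND process-type grant (assumption; the page does not
// say how the dimensions combine); an unknown subject type maps to 0, i.e. deny.
func DeterminePermission(filePriv *rsa.PrivateKey, req PermissionRequest) (info PermissionInfo, err error) {
	var pol TagPolicy
	raw, err := unseal(filePriv, "tag-policy", req.EncPolicy)
	if err == nil { err = json.Unmarshal(raw, &pol) }
	if err != nil { return info, err }
	eff := pol.Users[req.User] & pol.Procs[req.Proc]
	pp := PermissionPolicy{eff, req.Op, req.Op != 0 && eff&req.Op == req.Op}
	ppRaw, _ := json.Marshal(pp)
	if info.First, err = seal(req.RequesterPub, "permission-policy", ppRaw); err != nil || !pp.Allowed {
		return info, err
	}
	info.Second, err = seal(req.RequesterPub, "fek", pol.FEK)
	return info, err
}

// RecoverFileKey runs on the first device: decrypt the first ciphertext with the request
// object's private key and, only on a grant, unwrap the FEK that then decrypts the file.
func RecoverFileKey(reqPriv *rsa.PrivateKey, info PermissionInfo) (PermissionPolicy, []byte, error) {
	var pp PermissionPolicy
	ppRaw, err := unseal(reqPriv, "permission-policy", info.First)
	if err == nil { err = json.Unmarshal(ppRaw, &pp) }
	if err != nil { return pp, nil, err }
	if !pp.Allowed || len(info.Second) == 0 {
		return pp, nil, fmt.Errorf("access denied: effective=%d requested=%d", pp.Effective, pp.Op)
	}
	fek, err := unseal(reqPriv, "fek", info.Second)
	return pp, fek, err
}

// Scenario runs the whole exchange for one request object over a constructed policy and
// fresh key pairs, returning the permission policy and the FEK the first device recovers.
func Scenario(user, proc string, op uint8, fek []byte) (PermissionPolicy, []byte, error) {
	filePriv, _ := rsa.GenerateKey(rand.Reader, 2048) // kept by the second device only
	reqPriv, _ := rsa.GenerateKey(rand.Reader, 2048)  // request object's pair, first device
	pol := TagPolicy{FEK: fek,
		Users: map[string]uint8{"U1": Read | Write | Print, "U2": Read | Write},
		Procs: map[string]uint8{"P1": Read | Write | Print, "P2": Read}}
	req, err := BuildPermissionRequest(&filePriv.PublicKey, &reqPriv.PublicKey, pol, user, proc, op)
	if err != nil { return PermissionPolicy{}, nil, err }
	info, err := DeterminePermission(filePriv, req)
	if err != nil { return PermissionPolicy{}, nil, err }
	return RecoverFileKey(reqPriv, info)
}

func main() {
	fek := make([]byte, 32) // stands in for the target file's symmetric key
	rand.Read(fek)
	for _, c := range []struct{ u, p string; op uint8 }{{"U1", "P1", Read | Write}, {"U2", "P2", Read}, {"U2", "P2", Write}} {
		pp, key, err := Scenario(c.u, c.p, c.op, fek)
		fmt.Printf("%s via %s op=%d -> allowed=%v key-recovered=%v err=%v\n", c.u, c.p, c.op, pp.Allowed, key != nil, err)
	}
}
```

The withheld second ciphertext is the assumption a reviewer should insist on: if the file encryption key were returned under the request object's public key regardless of the decision, the check on the first device would be the only thing between a denied requester and the plaintext. Decrypting the target file with the recovered key is ordinary symmetric decryption (for example AES-GCM) and is not repeated here.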
- the acquisition module, decryption module, determination module, encryption module and sending module can be implemented by software, or can be implemented by hardware.
- the implementation of the acquisition module is introduced below by taking the acquisition module as an example.
- the implementation of the decryption module, determination module, encryption module and sending module can refer to the implementation of the acquisition module.
- the acquisition module may include code running on a computing instance.
- the computing instance may include at least one of a physical host (computing device), a virtual machine, and a container. Furthermore, the computing instance may be one or more.
- the acquisition module may include code running on multiple hosts/virtual machines/containers. It should be noted that the multiple hosts/virtual machines/containers used to run the code may be distributed in the same region or in different regions. Furthermore, the multiple hosts/virtual machines/containers used to run the code may be distributed in the same availability zone (AZ) or in different AZs, each AZ including one data center or multiple data centers with similar geographical locations. Generally, a region may include multiple AZs.
- multiple hosts/virtual machines/containers used to run the code can be distributed in the same virtual private cloud (VPC) or in multiple VPCs.
- a VPC is set up in a region.
- a communication gateway needs to be set up in each VPC to achieve interconnection between VPCs through the communication gateway.
- the acquisition module may include at least one computing device, such as a server, etc.
- the acquisition module may also be a device implemented using an application-specific integrated circuit (ASIC) or a programmable logic device (PLD).
- the PLD may be a complex programmable logical device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL) or any combination thereof.
- the multiple computing devices included in the acquisition module can be distributed in the same region or in different regions.
- the multiple computing devices included in the acquisition module can be distributed in the same AZ or in different AZs.
- the multiple computing devices included in the acquisition module can be distributed in the same VPC or in multiple VPCs.
- the multiple computing devices can be any combination of computing devices such as servers, ASICs, PLDs, CPLDs, FPGAs, and GALs.
- the acquisition module can be used to execute any step in the method for determining file access permissions
- the decryption module can be used to execute any step in the method for determining file access permissions
- the determination module can be used to execute any step in the method for determining file access permissions
- the encryption module can be used to execute any step in the method for determining file access permissions
- the sending module can be used to execute any step in the method for determining file access permissions.
- the steps that the acquisition module, decryption module, determination module, encryption module and sending module are responsible for implementing can be specified as needed.
- the full functions of the file access permission determination device are realized by respectively implementing different steps in the method for determining file access permissions through the acquisition module, decryption module, determination module, encryption module and sending module.
- the present application also provides a computing device 1200.
- the computing device 1200 includes: a bus 1202, a processor 1204, a memory 1206, and a communication interface 1208.
- the processor 1204, the memory 1206, and the communication interface 1208 communicate with each other through the bus 1202.
- the computing device 1200 may be a server or a terminal device. It should be understood that the present application does not limit the number of processors and memories in the computing device 1200.
- the bus 1202 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, etc.
- the bus may be divided into an address bus, a data bus, a control bus, etc.
- FIG. 12 is represented by only one line, but does not mean that there is only one bus or one type of bus.
- the bus 1202 may include a path for transmitting information between various components of the computing device 1200 (e.g., the memory 1206, the processor 1204, and the communication interface 1208).
- Processor 1204 may include any one or more processors such as a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP) or a digital signal processor (DSP).
- the memory 1206 may include a volatile memory, such as a random access memory (RAM).
- the memory 1206 may also include a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD), or a solid state drive (SSD).
- the memory 1206 stores executable program code, and the processor 1204 executes the executable program code to implement the functions of the aforementioned acquisition module, processing module and control module, thereby implementing the file access method. That is, the memory 1206 stores instructions for executing the file access method.
- alternatively, the memory 1206 stores executable code, and the processor 1204 executes the executable code to implement the functions of the aforementioned acquisition module, decryption module, determination module, encryption module and sending module, thereby implementing the file access permission determination method. That is, the memory 1206 stores instructions for executing the file access permission determination method.
- the communication interface 1208 uses a transceiver module such as, but not limited to, a network interface card or a transceiver to implement communication between the computing device 1200 and other devices or communication networks.
- the embodiment of the present application also provides a computing device cluster.
- the computing device cluster includes at least one computing device.
- the computing device can be a server, such as a central server, an edge server, or a local server in a local data center.
- the computing device can also be a terminal device such as a desktop computer, a laptop computer, or a smart phone.
- the computing device cluster includes at least one computing device 1200.
- the memory 1206 in one or more computing devices 1200 in the computing device cluster may store the same instructions for executing the file access method.
- the memory 1206 of one or more computing devices 1200 in the computing device cluster may also store partial instructions for executing the file access method.
- the combination of one or more computing devices 1200 may jointly execute instructions for executing the file access method.
- the memory 1206 in different computing devices 1200 in the computing device cluster can store different instructions, which are respectively used to execute part of the functions of the file access device. That is, the instructions stored in the memory 1206 in different computing devices 1200 can implement the functions of one or more modules among the acquisition module, the processing module and the control module.
- one or more computing devices in the computing device cluster can be connected via a network.
- the network can be a wide area network or a local area network, etc.
- FIG. 14 shows a possible implementation. As shown in FIG. 14 , two computing devices 1200A and 1200B are connected via a network. Specifically, the network is connected via a communication interface in each computing device.
- the memory 1206 in the computing device 1200A stores instructions for executing the functions of the acquisition module. At the same time, the memory 1206 in the computing device 1200B stores instructions for executing the functions of the processing module and the control module.
- the division shown in Figure 14 reflects that the file access method provided in this application may need to process a large amount of data, so the functions of the processing module and the control module are assigned to the computing device 1200B.
- the functionality of the computing device 1200A shown in FIG. 14 may also be provided by multiple computing devices 1200.
- the functionality of the computing device 1200B may also be provided by multiple computing devices 1200.
- the embodiment of the present application also provides another computing device cluster.
- the connection relationship between the computing devices in the computing device cluster can be similar to the connection mode of the computing device cluster described in Figures 13 and 14.
- the difference is that the memory 1206 in one or more computing devices 1200 in the computing device cluster can store the same instructions for executing the file access permission determination method.
- the memory 1206 of one or more computing devices 1200 in the computing device cluster may also store some instructions for executing the method for determining file access permissions.
- the combination of one or more computing devices 1200 may jointly execute instructions for executing the method for determining file access permissions.
- the memory 1206 in different computing devices 1200 in the computing device cluster may store different instructions for executing part of the functions of determining the file access rights. That is, the instructions stored in the memory 1206 in different computing devices 1200 may implement the functions of one or more of the acquisition module, the decryption module, the determination module, the encryption module, and the sending module.
- the embodiment of the present application also provides a computer program product including instructions.
- the computer program product may be software or a program product including instructions that can be run on a computing device or stored in any available medium.
- when the instructions are run on at least one computing device, the at least one computing device executes the file access method or the file access permission determination method.
- the embodiment of the present application also provides a computer-readable storage medium.
- the computer-readable storage medium can be any available medium that a computing device can store, or a data storage device such as a data center containing one or more available media.
- the available medium can be a magnetic medium (e.g., a floppy disk, a hard disk, a tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a solid state drive).
- the computer-readable storage medium includes instructions that instruct the computing device to execute a file access method, or instruct the computing device to execute a file access permission determination method.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Bioethics (AREA)
- Automation & Control Theory (AREA)
- Storage Device Security (AREA)
Abstract
Embodiments of the present application relate to a file access method and apparatus and a related device, applied in the technical field of data security. In the method, a first device acquires a file access request triggered by a request object for a target file, acquires permission policy information of the request object, and performs access control on the request object's access to the target file according to the permission policy information of the request object. The permission policy information of the request object is determined on the basis of file label policy information of the target file and the file access request of the request object. In this way, a policy corresponding to a file label, that is, the file label policy information, can be used to achieve fine-grained data protection at file granularity. The present application also relates to a file access permission determination method and apparatus and a related device, applied to a second device. The second device decrypts the file label policy information and then determines the permission policy information. Consequently, the security of the file label policy information can be improved, which increases the security of the target file.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311534765.9A (published as CN120012121A, zh) | 2023-11-16 | 2023-11-16 | File access method, file access permission determination method, apparatus and related devices |
| CN202311534765.9 | 2023-11-16 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025102725A1 (fr) | 2025-05-22 |
Family
ID=95672481
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2024/099581 (WO2025102725A1, fr, pending) | File access method and apparatus, file access permission determination method and apparatus, and related devices | 2023-11-16 | 2024-06-17 |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN120012121A (fr) |
| WO (1) | WO2025102725A1 (fr) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7992188B2 (en) * | 2006-02-06 | 2011-08-02 | Ricoh Company, Ltd. | Document access control system, data processing apparatus, program product and method for performing document access control |
| CN104318171A (zh) * | 2014-10-09 | 2015-01-28 | 中国科学院信息工程研究所 | Permission-label-based Android privacy data protection method and system |
| CN105512565A (zh) * | 2015-11-26 | 2016-04-20 | 浪潮电子信息产业股份有限公司 | Method and server for preventing electronic file leakage |
| CN109614812A (zh) * | 2018-09-25 | 2019-04-12 | 北京计算机技术及应用研究所 | File outbound-sending control system and method in a secure application environment |
| CN111400269A (zh) * | 2019-01-02 | 2020-07-10 | 中国移动通信有限公司研究院 | IPFS file processing method, node, medium and device |
| CN115982778A (zh) * | 2023-03-14 | 2023-04-18 | 北京仁科互动网络技术有限公司 | OBS file access method, system, apparatus, electronic device and storage medium |
Events
- 2023-11-16: CN application CN202311534765.9A filed; published as CN120012121A (zh), pending
- 2024-06-17: PCT application PCT/CN2024/099581 filed; published as WO2025102725A1 (fr), pending
Also Published As
| Publication number | Publication date |
|---|---|
| CN120012121A (zh) | 2025-05-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109104281B (zh) | | Tokenized hardware security module |
| EP3420492B1 (fr) | | File system design with access control and IDPS encryption |
| US10509914B1 (en) | | Data policy implementation in a tag-based policy architecture |
| US9792427B2 (en) | | Trusted execution within a distributed computing system |
| EP4218204B1 (fr) | | Encrypted file control |
| US10824571B1 (en) | | Separate cryptographic keys for protecting different operations on data |
| US20230021749A1 (en) | | Wrapped Keys with Access Control Predicates |
| CN104618096B (zh) | | Method, device and TPM key management center for protecting key authorization data |
| TWI865290B (zh) | | Method, computer program product and apparatus for third-party data access authorization based on attribute-based encryption keys |
| US11683159B2 (en) | | Hybrid content protection architecture |
| WO2025102725A1 (fr) | | File access method and apparatus, file access permission determination method and apparatus, and related devices |
| WO2024252681A1 (fr) | | Authenticity verification system, authenticity verification method and program |
| Mudgal et al. | | Enhancing data security using encryption and splitting technique over multi-cloud environment, International Journal of Engineering Sciences & Research Technology |
| US12189776B2 (en) | | Updating secure guest metadata of a specific guest instance |
| WO2024115151A1 (fr) | | Updating secure guest metadata of a specific guest instance |
| CN115499218A (zh) | | Data encrypted storage method, system, apparatus and medium |
| CN110321717A (zh) | | File encryption method and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 24890094; Country of ref document: EP; Kind code of ref document: A1 |