Summary of the invention
In view of the defects of the prior art, the object of the present invention is to provide a NAS server data secure storage system and secure storage and read methods that realize secure storage of NAS mass data and improve the security of confidential data stored centrally on a NAS storage server.
To achieve the above object, the technical solution adopted by the present invention is as follows:
A NAS server data secure storage system, comprising:
a permission server, for generating a file security policy and a user certificate according to the user's permissions, sending the file security policy to the NAS server and sending the user certificate to the user; the file security policy comprises a policy number, the file directories or file types to be protected, and the access rights of the files; the user certificate comprises user information and the policy number corresponding to the certificate;
a NAS server, for securely storing files according to the user's write requests and sending requested files to the user according to the user's read requests; the NAS server comprises a file protection device, and the file protection device comprises:
a user certificate detection module, for checking the integrity and validity of the user certificate;
a security policy matching module, for matching the policy number in the user certificate against the corresponding file security policy on the NAS server and sending the matched file security policy to the directory virtualization module;
a directory virtualization module, for virtualizing, according to the file security policy, a virtual directory and a file access policy that match the user's permissions; the virtual directory records the file information that matches the user's permissions.
Further, in the NAS server data secure storage system as described above, the NAS server also comprises a file encryption/decryption device, and the file encryption/decryption device comprises:
a global encryption/decryption module, for decrypting the file the user requests to read to obtain the plaintext, and for encrypting the file the user requests to write to obtain the ciphertext;
a type-ciphertext generation module, for encrypting, according to the file output encryption policy, the plaintext obtained by the global encryption/decryption module, obtaining a type ciphertext and sending the type ciphertext to the user; the type ciphertext comprises an ordinary plaintext file, a transparently encrypted file, a permission-encrypted file or an outgoing encrypted file.
Further, in the NAS server data secure storage system as described above, the file encryption/decryption device also comprises:
a file type discriminator, for discriminating the type of the file to be stored;
a file index generator, for generating the index information of the file to be stored; the index information comprises the type, name and size of the file.
Further, in the NAS server data secure storage system as described above, the file protection device also comprises:
a file index library, for storing file index information;
a file index query module, for querying, according to the user's read request, the index information of the file the user requests to read in the file index library.
Further, in the NAS server data secure storage system as described above, the permission server comprises:
a user access application device, through which the user submits an access application to the permission server and which, after the user's identity is confirmed, matches the user's permissions for the user;
a user authentication device, for confirming the identity of the user logging in to the permission server;
a file security policy generating device, for generating, according to the user's permissions, the file security policy and the user certificate corresponding to those permissions.
Further, in the NAS server data secure storage system as described above, the permission server also comprises:
a global user list, for storing the user IDs of all users of the NAS server;
a permission database, for storing the permissions of all users of the NAS server;
a role user group, for grouping the users in the global user list.
Further, in the NAS server data secure storage system as described above, the user permissions are divided into four grades, and users of different permission grades have different read permissions for NAS server files: the highest-privilege user has read permission for ordinary plaintext files, transparently encrypted files, permission-encrypted files and outgoing encrypted files; the second grade has read permission for transparently encrypted files, permission-encrypted files and outgoing encrypted files; the third grade has read permission for permission-encrypted files and outgoing encrypted files; and the lowest-privilege user has read permission for outgoing encrypted files only.
A NAS server data secure storage method, comprising the following steps:
(1) the user logs in to the permission server; the permission server matches the user's permissions for the user and generates a file security policy and a user certificate according to those permissions; the file security policy comprises a policy number, the file directories or file types to be protected, and the access rights of the files; the user certificate comprises user information and the policy number corresponding to the certificate;
(2) the permission server sends the file security policy to the NAS server and the user certificate to the user;
(3) a local association computation is performed on the user certificate to generate the user's local certificate; the local certificate contains the same policy number as the user certificate;
(4) the user logs in to the NAS server with the local certificate; the NAS server matches the policy number in the local certificate against the corresponding file security policy on the NAS server and, according to that policy, virtualizes for the user a virtual directory and a file access policy that match the user's permissions; the virtual directory records the file information that matches the user's permissions;
(5) the user sends a file write request to the NAS server, and the file to be written is stored on the NAS server.
Further, in the NAS server data secure storage method as described above, in step (5) the specific way of storing the file to be written on the NAS server's external storage device comprises:
1) discriminating the file type of the file to be written and generating the index information of the file;
2) encrypting the file to be written with the global encryption/decryption module and storing the encrypted file on the NAS server.
A NAS server data secure read method, comprising the following steps:
(1) the user logs in to the permission server; the permission server matches the user's permissions for the user and generates a file security policy and a user certificate according to those permissions; the file security policy comprises a policy number, the file directories or file types to be protected, and the access rights of the files; the user certificate comprises user information and the policy number corresponding to the certificate;
(2) the permission server sends the file security policy to the NAS server and the user certificate to the user;
(3) a local association computation is performed on the user certificate to generate the user's local certificate; the local certificate contains the same policy number as the user certificate;
(4) the user logs in to the NAS server with the local certificate and sends a file read request to the NAS server;
(5) the NAS server sends the corresponding file to the user according to the user's read request.
Further, in the NAS server data secure read method as described above, in step (5) the specific way in which the NAS server sends the file to the user comprises:
1) decrypting the file the user requests to read with the global encryption/decryption module to obtain the decrypted plaintext;
2) encrypting the decrypted plaintext with the type-ciphertext generation module to obtain a type ciphertext and sending the type ciphertext to the user; the type ciphertext comprises an ordinary plaintext file, a transparently encrypted file, a permission-encrypted file or an outgoing encrypted file.
The effect of the present invention is: the present invention focuses on using encryption to protect the confidential data on the NAS storage server from leakage; it can generate the four types of file for the user online, relieves the user of the difficulty of managing the files on the terminal, and facilitates the centralized storage of file data.
Embodiment
The present invention is described in further detail below with reference to the accompanying drawings and embodiments.
Fig. 1 and Fig. 2 show the structural block diagram of a NAS server data secure storage system in the specific embodiment of the invention. As can be seen from the figures, the system mainly comprises a user terminal 10, a permission server 20 and a NAS server 30. The function of the user terminal 10 is that the user logs in to the permission server 20 and the NAS server 30 through it, so in this embodiment the user terminal 10 is referred to directly as the user.
The permission server 20 is mainly used to generate a file security policy and a user certificate according to the user's permissions, send the file security policy to the NAS server and send the user certificate to the user. The file security policy comprises the policy number, the file directories or file types to be protected, the access rights of the files, whether the files are encrypted, the ciphertext type generated and the encryption algorithm used, etc.; the user certificate comprises the user information of the certificate, the validity period, the encryption key, the key length and the policy number corresponding to the certificate. The structural block diagram of the permission server 20 in this embodiment is shown in Fig. 3; it mainly comprises a global user list, a permission database (the global permission library shown in the figure), a role user group, a user access application device, a user authentication device and a file security policy generating device, etc., wherein:
the global user list stores the user IDs of all users of the NAS server;
the permission database stores the permissions of all users of the NAS server;
the role user group groups the users in the global user list;
the user access application device is used by the user to submit an access application to the permission server and, after the user's identity is confirmed, matches the user's permissions for the user;
the user authentication device confirms the identity of the user logging in to the permission server;
the file security policy generating device generates, according to the user's permissions, the file security policy and the user certificate corresponding to those permissions.
The NAS server 30 securely stores files according to the user's write requests and transmits files to the user according to the user's read requests; the NAS server comprises a file protection device and a file encryption/decryption device.
The structural block diagram of the file protection device is shown in Fig. 4; this device mainly comprises a user certificate detection module, a security policy matching module, a directory virtualization module, a file index query module and a file index library.
The user certificate detection module checks the integrity and validity of the user certificate;
the security policy matching module matches the policy number in the user certificate against the corresponding file security policy on the NAS server and sends the file security policy to the directory virtualization module;
the directory virtualization module virtualizes, according to the file security policy, a virtual directory and a file access policy that match the user's permissions; the virtual directory records the file information that matches the user's permissions;
the file index library stores file index information;
the file index query module queries, according to the user's read request, the index information of the file the user requests to read in the file index library.
The structural block diagram of the file encryption/decryption device is shown in Fig. 5; this device mainly comprises a global encryption/decryption module, a type-ciphertext generation module, a file type discriminator and a file index generator.
The global encryption/decryption module decrypts the file the user requests to read to obtain the plaintext, and encrypts the file the user requests to write to obtain the ciphertext;
the type-ciphertext generation module encrypts, according to the file output encryption policy, the plaintext obtained by the global encryption/decryption module, obtains a type ciphertext and sends the type ciphertext to the user; the type ciphertext comprises an ordinary plaintext file, a transparently encrypted file, a permission-encrypted file or an outgoing encrypted file;
the file type discriminator discriminates the type of the file to be stored;
the file index generator generates the index information of the file to be stored; the index information comprises the type, name and size of the file.
Before logging in to the NAS server 30, a NAS server user must log in to the permission server 20 and obtain the NAS use certificate (the user certificate in this embodiment). After the user logs in to the permission server 20, the user authentication device authenticates the user, and the user submits an access request to the user access application device. The user access application device retrieves the global user list, the role user group, the permission database and the global file index database to match the files and permissions the user may access, and submits the matched files and permissions to the permission rules. The permission rules first perform a conflict check on the user's accessible files and permissions, handle any conflicting permissions according to the least privilege principle, and prevent conflicting permissions from being output; secondly, they further filter the user's accessible files and permissions according to the file types the user requested. The filtered permission data is passed to the file security policy generating device, which builds the file security policy and the user certificate from the filtered permissions; the permission server then sends the file security policy to the NAS server and the user certificate to the user.
When the user access application device matches the user's accessible files and permissions, it first matches the user's permissions by retrieving the global user list and the permission database, then matches the user's accessible files according to those permissions, and picks the accessible files out of the existing files by retrieving the global file index database. For example, if the user may access files of DOC and XLS type, the files of DOC and XLS type must be picked out of the existing files. The permission rules are a module that filters the matched user permissions. For example, if two permissions are matched, one granting the user read and write access to all xsl files and the other granting the user read-only access to certain xsl files, the permission rules filter these two permissions and remove the user's write access to those particular xsl files.
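As an added illustration (not code from the patent), the following Python sketch models the permission server's access application step described above: matching the user's rights from the role user group and permission database, picking accessible files out of a global file index by requested type, applying the permission rules' conflict check under the least privilege principle (the xsl case from the text), and building the file security policy and user certificate. The grant patterns, the HMAC integrity tag on the certificate, the shared server key and all sample data are assumptions of this example.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, List, Tuple

# Constructed sample data standing in for the global user list, role user group,
# permission database and global file index of the permission server.
GLOBAL_USER_LIST = {"alice": {"group": "finance"}}
ROLE_USER_GROUPS = {"finance": ["alice"]}
# Permission database: (file-type pattern or exact path, allowed operations).
# The two overlapping grants on xsl files are the conflict case from the text.
RIGHTS_DATABASE: Dict[str, List[Tuple[str, str]]] = {
    "finance": [("*.xsl", "rw"), ("reports/q1.xsl", "r"), ("*.doc", "r")],
}
GLOBAL_FILE_INDEX = [
    {"name": "reports/q1.xsl", "type": "xsl", "size": 2048},
    {"name": "reports/q2.xsl", "type": "xsl", "size": 4096},
    {"name": "memo.doc", "type": "doc", "size": 512},
    {"name": "build.exe", "type": "exe", "size": 9000},
]
# Assumption: a key shared with the NAS server so it can check certificate integrity.
SERVER_KEY = b"constructed-permission-server-key"


def _matches(pattern: str, name: str) -> bool:
    """Match a grant pattern ('*.xsl' or an exact path) against an index entry."""
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])
    return pattern == name


def match_user_rights(user: str, requested_types: List[str]) -> Dict[str, str]:
    """Match the user's rights and apply the permission rules.

    Returns {file name: operations}.  Where several grants cover one file, the
    least-privilege rule keeps only the operations common to all of them, so a
    conflicting 'rw' and 'r' on the same xsl file collapse to 'r'.  Files whose
    type the user did not request are filtered out afterwards.
    """
    record = GLOBAL_USER_LIST.get(user)
    if record is None or user not in ROLE_USER_GROUPS.get(record["group"], []):
        return {}
    grants = RIGHTS_DATABASE[record["group"]]
    result: Dict[str, str] = {}
    for entry in GLOBAL_FILE_INDEX:
        covering = [ops for pat, ops in grants if _matches(pat, entry["name"])]
        if not covering:
            continue
        ops = set(covering[0])
        for other in covering[1:]:
            ops &= set(other)  # conflict check: intersect grants, never union them
        if entry["type"] in requested_types and ops:
            result[entry["name"]] = "".join(sorted(ops))
    return result


def build_policy_and_certificate(user: str, rights: Dict[str, str],
                                 policy_no: int) -> Tuple[dict, dict]:
    """Build the file security policy (sent to the NAS) and the user certificate
    (sent to the user).  The HMAC tag and the per-user key derivation are
    assumptions of this example; the patent does not fix the certificate format."""
    policy = {
        "policy_no": policy_no,
        "protected": sorted({n.rsplit(".", 1)[-1] for n in rights}),  # file types
        "access": rights,
    }
    body = {
        "user": user,
        "policy_no": policy_no,
        "valid_until": int(time.time()) + 3600,  # validity period (assumption: 1 h)
        "key_len": 32,
    }
    # Constructed per-user encryption key bound to the user and policy number.
    body["key"] = hashlib.sha256(SERVER_KEY + f"{user}:{policy_no}".encode()).hexdigest()
    raw = json.dumps(body, sort_keys=True).encode()
    certificate = {"body": body, "tag": hmac.new(SERVER_KEY, raw, "sha256").hexdigest()}
    return policy, certificate
```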
Holding the user certificate, the NAS server user runs a local certificate association program that performs an association computation and produces a usable local user certificate (mainly to prevent an attacker from forging the user certificate through network sniffing). With the local certificate, the user can log in to the NAS server through the http (Hypertext Transfer Protocol), ftp (File Transfer Protocol), smb (Server Message Block) or nfs (Network File System) protocol. For a user who submits a local certificate, the NAS server provides a virtual directory through the directory virtualization module; the NAS server user inputs the certificate information by writing the local certificate file into this virtual directory, and the virtual directory on the NAS server passes the certificate to the certificate detection module in the file protection device. The certificate detection device checks the degree of match between the certificate and the user to prevent forged certificates; the policy number of the checked certificate is used to match the file security policy that the permission server submitted to the NAS server; the matched file security policy is input to the directory virtualization module, which, according to the file security policy, virtualizes for the current user a file access policy matching the user's permissions. The user can then, according to the file access policy, send files to the NAS server (storage requests) or obtain files from it (read requests).
When the user sends a file read request to the NAS server, the NAS server decrypts the requested file with the global encryption/decryption module to obtain the decrypted plaintext, then encrypts the decrypted plaintext with the type-ciphertext generation module to obtain a type ciphertext, and sends the type ciphertext to the user. The type ciphertext comprises four file types: the ordinary plaintext file, the transparently encrypted file, the permission-encrypted file and the outgoing encrypted file. The permission level required to read each encrypted file type is shown in Fig. 6: the ordinary plaintext file requires the highest permission, the transparently encrypted file the next, the permission-encrypted file the third, and the outgoing encrypted file the lowest.
When the user sends a file storage request to the NAS server, the file type discriminator first discriminates the file type of the file to be written and generates the index information of the file; the global encryption/decryption module then encrypts the file to be written, and the encrypted file is stored on the NAS server's external storage device.
In this embodiment, the user permissions are divided into four grades, and users of different permission grades have different read permissions for NAS server files: the highest-privilege user has read permission for ordinary plaintext files, transparently encrypted files, permission-encrypted files and outgoing encrypted files; the second grade has read permission for transparently encrypted files, permission-encrypted files and outgoing encrypted files; the third grade has read permission for permission-encrypted files and outgoing encrypted files; and the lowest-privilege user has read permission for outgoing encrypted files only.
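As an added illustration (not code from the patent), the following Python sketch models the NAS side of the flow described above: certificate detection (integrity and validity), security policy matching by policy number, directory virtualization, and the four-grade rule that decides which type ciphertext a read request may receive. The HMAC tag format, the shared key, the permission grade being carried in the file security policy, and the sample index and policy are assumptions of this example.

```python
import hmac
import json
import time
from typing import Dict, List, Optional

# Assumption: key shared with the permission server, used to check the certificate tag.
SHARED_KEY = b"constructed-permission-server-key"

# Output file types ordered by the permission they require, highest first:
# ordinary plaintext > transparently encrypted > permission-encrypted > outgoing encrypted.
TYPE_ORDER = ["plaintext", "transparent", "permission", "outgoing"]


def allowed_types(grade: int) -> List[str]:
    """Four permission grades, 1 = highest.  Grade g may read TYPE_ORDER[g-1:],
    so grade 1 reads everything and grade 4 reads outgoing encrypted files only."""
    if grade not in (1, 2, 3, 4):
        raise ValueError("grade must be 1..4")
    return TYPE_ORDER[grade - 1:]


# File security policies received from the permission server, keyed by policy number
# (constructed).  'grade' is the user's permission grade; the patent says the policy
# records access rights, carrying the grade inside it is an assumption here.
POLICIES: Dict[int, dict] = {
    7: {"grade": 2, "access": {"reports/q1.xsl": "r", "reports/q2.xsl": "rw"}},
}
# NAS file index library (constructed): type, name and size of each stored file.
FILE_INDEX = [
    {"name": "reports/q1.xsl", "type": "xsl", "size": 2048},
    {"name": "reports/q2.xsl", "type": "xsl", "size": 4096},
    {"name": "hr/salaries.doc", "type": "doc", "size": 512},
]


def check_certificate(cert: dict, now: Optional[int] = None) -> bool:
    """User certificate detection: integrity (HMAC tag over the body) and validity."""
    raw = json.dumps(cert["body"], sort_keys=True).encode()
    expected = hmac.new(SHARED_KEY, raw, "sha256").hexdigest()
    if not hmac.compare_digest(expected, cert["tag"]):
        return False
    current = now if now is not None else int(time.time())
    return cert["body"]["valid_until"] > current


def match_policy(cert: dict) -> Optional[dict]:
    """Security policy matching: look up the policy by the certificate's policy number."""
    return POLICIES.get(cert["body"]["policy_no"])


def virtual_directory(policy: dict) -> List[dict]:
    """Directory virtualization: only index entries the policy grants are listed,
    annotated with the user's access rights; every other file stays invisible."""
    return [dict(entry, rights=policy["access"][entry["name"]])
            for entry in FILE_INDEX if entry["name"] in policy["access"]]


def serve_read(cert: dict, policy: dict, name: str, requested_type: str,
               now: Optional[int] = None) -> Optional[str]:
    """Read-path decision: the type ciphertext kind to emit, or None when refused.
    Refusals: bad certificate, file outside the virtual directory, no read right,
    or an output type that needs a higher grade than the user holds."""
    if not check_certificate(cert, now):
        return None
    visible = {e["name"]: e["rights"] for e in virtual_directory(policy)}
    if name not in visible or "r" not in visible[name]:
        return None
    if requested_type not in allowed_types(policy["grade"]):
        return None
    return requested_type


def make_sample_certificate(user: str, policy_no: int, valid_until: int) -> dict:
    """Constructed certificate in the format assumed above, tagged with SHARED_KEY."""
    body = {"user": user, "policy_no": policy_no, "valid_until": valid_until, "key_len": 32}
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(SHARED_KEY, raw, "sha256").hexdigest()}
```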
Fig. 7 shows the flow chart of a NAS server data secure storage method in the specific embodiment of the invention; the method comprises the following steps:
Step S11: the permission server generates a user certificate and a file security policy according to the user's permissions;
Step S12: the permission server sends the file security policy to the NAS server and the user certificate to the user;
A NAS server user must obtain the NAS server use certificate before logging in to the NAS server, and obtains this certificate by logging in to the permission server. After the user logs in to the permission server, the permission server first authenticates the user; once authentication passes, the permission server retrieves the global user list and the permission database to match the user's permissions, and then generates the file security policy and the user certificate corresponding to those permissions. The file security policy comprises the policy number, the file directories to be protected (a file directory is the directory name under which files are stored; it is used to set the files to be protected in batch, and all files placed under that directory receive the corresponding protection) or file types, the access rights of the files, whether the files are encrypted, the ciphertext type generated and the encryption algorithm used, etc.; the user certificate comprises the user information of the certificate, the validity period, the encryption key, the key length and the policy number corresponding to the certificate.
After generating the file security policy and the user certificate, the permission server sends the file security policy to the NAS server and the user certificate to the user.
Step S13: generate the local user certificate from the user certificate;
To prevent an attacker from forging the user certificate through network sniffing, after the user receives the user certificate sent by the permission server, a local certificate association program performs a local association computation on the user certificate and generates a usable local user certificate; the local certificate contains the same policy number as the user certificate.
Step S14: the user logs in to the NAS server, and the NAS server generates for the user a virtual directory and a file access policy matching the user's permissions;
Step S15: the user sends a file write request to the NAS server, and the file to be written is stored on the NAS server.
The user logs in to the NAS server with the local certificate. The NAS server first checks the validity and integrity of the user certificate with the user certificate detection module to prevent forged certificates; once the check passes, it matches the policy number in the local certificate against the corresponding file security policy on the NAS server and, according to that policy, virtualizes for the user a virtual directory and a file access policy matching the user's permissions; the virtual directory records the file information that matches the user's permissions. The user then sends the files to be stored to the NAS server through http/ftp/smb/nfs. The specific way of storing a file on the NAS server comprises:
1) discriminating the file type of the file to be written and generating the index information of the file;
2) encrypting the file to be written with the global encryption/decryption module and storing the encrypted file on the NAS server.
The file sent to the NAS server through the http/ftp/smb/nfs protocol is passed to the file encryption/decryption device on the NAS server for processing. The file is handed to the file type discriminator, which classifies it into one of the possible types, such as a text or binary file. The file index generator then builds a more detailed index of the file, for example, for documents that can be parsed, a file integrity digest, the file size and other important file identifiers, and writes the generated index data into the file index database. The global encryption/decryption module encrypts the file according to the global encryption policy, and the encrypted file is stored on the NAS server or on the NAS server's external storage device. Once the file has been written, the index of the newly written file is synchronized to the permission server.
Fig. 8 shows the flow chart of a NAS server data secure read method in this embodiment; the method comprises the following steps:
Step S21: the permission server generates a user certificate and a file security policy according to the user's permissions;
Step S22: the permission server sends the file security policy to the NAS server and the user certificate to the user;
A NAS server user must obtain the NAS server use certificate before logging in to the NAS server, and obtains this certificate by logging in to the permission server. After the user logs in to the permission server, the permission server first authenticates the user; once authentication passes, the permission server retrieves the global user list and the permission database to match the user's permissions, and then generates the file security policy and the user certificate corresponding to those permissions. The file security policy comprises the policy number, the file directories or file types to be protected, the access rights of the files, whether the files are encrypted, the ciphertext type generated and the encryption algorithm used, etc.; the user certificate comprises the user information of the certificate, the validity period, the encryption key, the key length and the policy number corresponding to the certificate.
After generating the file security policy and the user certificate, the permission server sends the file security policy to the NAS server and the user certificate to the user.
Step S23: generate the local user certificate from the user certificate;
To prevent an attacker from forging the user certificate through network sniffing, after the user receives the user certificate sent by the permission server, a local certificate association program performs a local association computation on the user certificate and generates a usable local user certificate; the local certificate contains the same policy number as the user certificate.
Of course, if the user has previously logged in to the NAS server and already holds the user certificate, then on logging in to the NAS server again there is no need to repeat steps S21 to S23; the local user certificate is used directly to proceed to the next step.
Step S24: the user logs in to the NAS server, and the NAS server generates for the user a virtual directory and a file access policy matching the user's permissions;
Step S25: the user sends a file read request to the NAS server and obtains the file it needs.
The user logs in to the NAS server with the local certificate. The NAS server first checks the validity and integrity of the user certificate with the user certificate detection module to prevent forged certificates; once the check passes, it matches the policy number in the local certificate against the corresponding file security policy on the NAS server and, according to that policy, virtualizes for the user a virtual directory and a file access policy matching the user's permissions; the virtual directory records the file information that matches the user's permissions. The user then sends a file read request to the NAS server through http/ftp/smb/nfs and obtains the file it needs. In this embodiment, the specific way in which the NAS server sends the file to the user comprises:
1) decrypting the file the user requests to read with the global encryption/decryption module to obtain the decrypted plaintext;
2) encrypting the decrypted plaintext with the type-ciphertext generation module to obtain a type ciphertext and sending the type ciphertext to the user; the type ciphertext comprises an ordinary plaintext file, a transparently encrypted file, a permission-encrypted file or an outgoing encrypted file.
The user sends a file read request to the NAS server through http/ftp/smb/nfs; the file (ciphertext) is input to the global encryption/decryption module, which unlocks the file the user requested according to the global decryption policy and inputs the decrypted plaintext data to the type-ciphertext generation module. The type-ciphertext generation module outputs a type ciphertext according to the file output encryption policy and sends the type ciphertext to the user through one of the protocols http/ftp/smb/nfs.
The transparently encrypted file and the permission-encrypted file effectively prevent an attacker from obtaining usable plaintext through a network attack. After the user receives a transparent ciphertext, the file can be unlocked with the local certificate and the data read; after the user receives an outgoing file, which includes a self-decrypting program and a permission control program, the user can open the file and read the data only with the appropriate permission.
In addition, it should be noted that in the NAS server data secure storage system of the present invention, besides the user accessing and using the secure NAS server directly through the http/ftp/smb/nfs protocols, the secure NAS server can also serve as the back-end storage server of other application servers. In that case the other application server is equivalent to the user, and the flow is as shown in Fig. 9, specifically as follows:
(1) the user sets up, on the permission server, a permission rule for the application server under which plaintext data may be used as the output file (of course, the specific permission rules can be set as required; this is only an illustration);
(2) the application server logs in to the secure NAS server as a user and writes the certificate file to the secure NAS server, and the secure NAS server establishes a virtual directory for the application server;
(3) the application server writes its data to the secure NAS server as files;
(4) the secure NAS server encrypts the files written by the application server with the global encryption policy, which effectively prevents an attacker from stealing the data by copying the disk when the secure NAS server is powered off;
(5) when the application server needs to read a file, the secure NAS server provides the application server with an ordinary plaintext file.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the present invention and their equivalent technology, the present invention is also intended to include them.