CN106453398A - Data encryption system and method - Google Patents


Info

Publication number
CN106453398A
Authority
CN
China
Prior art keywords
data
data item
security
area
content
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201611032223.1A
Other languages
Chinese (zh)
Other versions
CN106453398B (en)
Inventor
王海腾
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Anyun Century Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201611032223.1A
Publication of CN106453398A
Application granted
Publication of CN106453398B
Legal status: Active
Anticipated expiration

Abstract

The invention discloses a data encryption system and method. The system includes: a monitoring unit for monitoring operations that change the content of data items; a generating unit for generating a secure area, the secure area being used to accommodate applications that require security protection; a control unit for determining the storage location of a data item and, when the storage location of the data item is in the secure area, marking the operation as an encryption operation; and an encryption unit for encrypting the data items involved in the encryption operation. The invention addresses the problem that, when a secure area is breached, the sensitive data inside it can be obtained by a malicious party, and provides a system and method for encrypting and protecting the data in a secure area. The technical scheme of the invention ensures that even if the secure area is breached, a malicious party cannot obtain the sensitive data stored in it. The invention also relates to a mobile terminal for executing or comprising the data encryption system.

Description

A data encryption system and method

Technical field

The present invention relates to the field of information security and, more specifically, to a system, method and mobile terminal for data encryption protection of a secure area.

Background

At present, secure-area based information protection techniques usually virtualize and redirect the files and data that an application creates, modifies and deletes; that is, all operations are virtual. The real files and registry are not altered, which ensures that viruses or malicious code cannot modify critical parts of the system and damage it. Through redirection, the technique directs the files an application generates and modifies into a secure folder. When an application tries to act, it can first be run in the secure area. If the application contains malicious code, it is prevented from running further, without any harm to the system. For example, when a browser or other application runs in the secure area, the changes it produces can be discarded at any time. This approach can be used to protect the system while browsing web pages or launching applications, to clear traces of internet use and program execution, and to test software and malware.

Usually a user places applications that need additional protection in the secure area in order to obtain the protection it provides. This kind of protection typically requires controlling the exchange of data between the inside and the outside of the secure area. In general, data produced by applications running in the secure area is protected by the secure area, and applications outside it cannot access that data. However, once the secure area is breached, the data inside it can be obtained by a malicious party, causing significant loss to the user. This is because the information items in the secure area are typically data produced by applications such as banking applications, and such data usually includes private data such as the user's account information and identity information. If such private data is leaked, the threat to the user is enormous.

Summary of the invention

The present invention addresses the problem that, when a secure area is breached, the sensitive data inside it can be obtained by a malicious party, and provides a system and method for encrypting and protecting the data in a secure area. The technical scheme of the invention ensures that even if the secure area is breached, a malicious party cannot obtain the sensitive data stored in it.

According to one aspect of the present invention, a data encryption system is provided, comprising:

a generating unit for generating a secure area, the secure area being used to accommodate applications that require security protection;

a monitoring unit for monitoring operations related to changes in the content of data items;

a control unit for determining the storage location of the data item and, when the storage location of the data item is in the secure area, marking the operation as an encryption operation; and

an encryption unit for encrypting the data items involved in the encryption operation.

Preferably, the operation related to the content change of the data item is initiated by an application in the secure area.

Preferably, the operation related to the content change of the data item is initiated by an application in the non-secure area.

Preferably, the data item is one or more of: a text file, a database file, an image file, an audio file, a video file and an application configuration file.

Preferably, the content change of the data item includes one or more of: deletion of content from the data item, modification of the content of the data item, or addition of content to the data item.

Preferably, when the storage location of the data item is in the non-secure area, the control unit marks the operation as a non-encryption operation.

Preferably, encrypting the data items involved in the encryption operation includes: after the encryption operation has changed the content of the data item, encrypting the data item with its changed content.

Preferably, encrypting the data items involved in the encryption operation includes: after the encryption operation has changed the content of the data item, encrypting only the part of the data item whose content was changed.

Preferably, when the operation related to the content change of the data item is initiated by an application in the non-secure area and the data item is located in the secure area, the access controller causes the application in the non-secure area to send an authentication request to the security server, and the content change to the data item is allowed after the application in the non-secure area has been successfully authenticated by the security server.

Preferably, the system further includes a communication unit for sending the password used to decrypt the encrypted data items to a preset network location.

According to another aspect of the present invention, a mobile terminal is provided, comprising or configured to execute the data encryption system described above.

According to another aspect of the present invention, a data encryption method is provided, comprising:

generating a secure area, the secure area being used to accommodate applications that require security protection;

monitoring operations related to changes in the content of data items;

determining the storage location of the data item and, when the storage location of the data item is in the secure area, marking the operation as an encryption operation; and

encrypting the data items involved in the encryption operation.

Preferably, the operation related to the content change of the data item is initiated by an application in the secure area.

Preferably, the operation related to the content change of the data item is initiated by an application in the non-secure area.

Preferably, the data item is one or more of: a text file, a database file, an image file, an audio file, a video file and an application configuration file.

Preferably, the content change of the data item includes one or more of: deletion of content from the data item, modification of the content of the data item, or addition of content to the data item.

Preferably, when the storage location of the data item is in the non-secure area, the control unit marks the operation as a non-encryption operation.

Preferably, encrypting the data items involved in the encryption operation includes: after the encryption operation has changed the content of the data item, encrypting the data item with its changed content.

Preferably, encrypting the data items involved in the encryption operation includes: after the encryption operation has changed the content of the data item, encrypting only the part of the data item whose content was changed.

Preferably, when the operation related to the content change of the data item is initiated by an application in the non-secure area and the data item is located in the secure area, the access controller causes the application in the non-secure area to send an authentication request to the security server, and the content change to the data item is allowed after the application in the non-secure area has been successfully authenticated by the security server.

Preferably, the method further includes sending the password used to decrypt the encrypted data items to a preset network location.

The technical scheme of the present invention ensures that, if the secure area is breached, the sensitive data stored in it cannot be obtained by a malicious party, which greatly improves the security of the secure area.

Brief description of the drawings

Exemplary embodiments of the present invention can be understood more completely by reference to the following drawings:

Fig. 1 is a schematic structural diagram of a data encryption system according to a preferred embodiment of the present invention; and

Fig. 2 is a flowchart of a data encryption method according to a preferred embodiment of the present invention.

Detailed description

Exemplary embodiments of the present invention are now described with reference to the drawings. The invention may, however, be embodied in many different forms and is not limited to the embodiments described here; these embodiments are provided so that the disclosure is thorough and complete and fully conveys the scope of the invention to those skilled in the art. The terms used for the exemplary embodiments shown in the drawings do not limit the invention. In the drawings, the same units/elements are given the same reference numerals.

Unless otherwise specified, the terms used here (including technical and scientific terms) have the meaning commonly understood by those skilled in the art. Terms defined in commonly used dictionaries should be understood to have a meaning consistent with their context in the related field and should not be interpreted in an idealized or overly formal sense.

Fig. 1 is a schematic structural diagram of a data encryption system 10 according to a preferred embodiment of the present invention. The data encryption system 10 applies encryption protection to the secure area in order to address the problem that, when the secure area is breached, the sensitive data inside it can be obtained by a malicious party. Its technical scheme ensures that even if the secure area is breached, a malicious party cannot obtain the sensitive data stored in it.

As shown in Fig. 1, the data encryption system 10 includes a user device 100 and a security server 110. The user device 100 includes a generating unit 101, a monitoring unit 102, a control unit 103, an encryption unit 104 and a communication unit 105. The security server 110 includes a communication unit 111, an authentication unit 112 and a storage unit 113. Preferably, the user device 100 may be any type of mobile terminal, fixed terminal or portable terminal, including a mobile handset, station, unit, device, multimedia computer, multimedia tablet, internet node, communicator, desktop computer, laptop computer, personal digital assistant (PDA), or any combination thereof.

Preferably, the user device is logically divided into a secure area and a non-secure area. The user device applies additional security protection to the items in the secure area, such as applications and data (text, audio, video, pictures and so on). Normally the user device protects every item on it. However, since more and more items need network access or interaction and need to interact with other items, the user device has to relax some of its security restrictions to make such interaction convenient. Relaxing those restrictions threatens the security of items that require a higher security level. For example, banking applications, financial management applications and personal private data in the secure area may face serious security challenges. For this reason the secure area needs to give these data items additional protection.

Preferably, a non-secure area is provided on the user device for the convenience of the user, because items in the non-secure area need no additional security control when, for example, accessing or interacting with the network, which improves speed and efficiency. The non-secure area may also include areas outside the user device, such as network servers.

Preferably, items in the secure area need to interact with external items, for example items in the non-secure area, or the network via the communication unit. To meet this need, the user device provides flexible security control that lets applications in the secure area access applications, data and the network outside the secure area, and lets applications outside the secure area access applications and data inside it.

Preferably, the generating unit 101 generates the secure area, which accommodates the applications that require security protection. Preferably, the data that such an application generates at run time is stored in the secure area. The secure area protects applications, data and network access: it is created in the user terminal, and the applications, data and network traffic inside it are protected. In addition, data produced at run time by applications in the secure area is stored in a different location from data produced by applications in the non-secure area; for example, data generated by ordinary applications in the non-secure area is stored in partition A, while data generated by sandboxed applications in the secure area is stored in partition B. In this way the storage of ordinary applications and of secure applications is independent, so the data of secure applications cannot be illegally read, modified or deleted. Preferably, partition B is located in the secure area.

Preferably, the monitoring unit 102 monitors operations that change the content of data items. Such an operation may be initiated by an application in the secure area or by an application in the non-secure area, and the data item may be located in the secure area or in the non-secure area. When the operation is initiated by an application in the non-secure area and the data item involved is in the secure area, the control unit makes the application in the non-secure area send an authentication request to the security server, and the content change is allowed after the application has been successfully authenticated by the security server. When the operation is initiated by an application in the non-secure area and the data item involved is in the non-secure area, no authentication of the application is required.

Typically, an application in the non-secure area may need to access information items in the secure area; for example, an instant messaging application in the non-secure area may need to obtain a screenshot of a banking application in the secure area and send it over the network. Screenshots of banking applications, however, usually contain the user's account information, financial information and private information. Likewise, when an instant messaging application in the non-secure area needs to obtain a private picture of the user from the secure area and send it over the network, the user's private information may be leaked. Typically the data items in the secure area include at least one of: account information, financial information and private information. A data item can also be defined as information that the user stores in the secure area and does not want other users to obtain. Account information is, for example, the user names, passwords and security questions with which the user logs in to various websites or applications. Financial information is, for example, information produced by the user operating an application, such as account balances, account details and transfer records. Private information is, for example, the user's private pictures, videos and documents. Preferably, a data item may also be a data file stored in the non-secure area, such as a text file, an image file or a video file.

According to a preferred embodiment of the present invention, the monitoring unit 102 monitors operations that change the content of data items, and such operations may be performed by an application in the secure area or by an application in the non-secure area. The monitoring unit 102 can therefore monitor every content-changing operation on data items in the user device 100.

Preferably, the control unit 103 determines the storage location of the data item and, when the storage location is in the secure area, marks the operation as an encryption operation. As described above, data items include items stored inside the secure area and items stored outside it. The data items in the secure area include at least one of account information, financial information and private information, and can also be defined as information that the user stores in the secure area and does not want other users to obtain. Preferably, a data item may also be a data file stored in the non-secure area, such as a text file, an image file or a video file.

Preferably, the control unit 103 acts differently depending on the location of the data item, so that the data encryption system 10 treats data items in different locations differently. In general, the data encryption system 10 needs to encrypt data items in the secure area but not data items in the non-secure area. To this end, the control unit 103 first determines the storage location of the data item. Then, when the storage location is in the secure area, the control unit 103 marks the operation as an encryption operation, and when the storage location is in the non-secure area, it does not. The modifications that an encryption operation makes to a data item must be encrypted, which guarantees the security of the data in the secure area.

Preferably, the data item is one or more of: a text file, a database file, an image file, an audio file, a video file and an application configuration file. The content change of the data item includes one or more of: deletion of content from the data item, modification of its content, or addition of content to it. Typically the data items in the secure area include at least one of account information, financial information and private information.

Preferably, the encryption unit 104 encrypts the data items involved in the encryption operation. Encrypting these data items includes: after the encryption operation has changed the content of the data item, encrypting the data item with its changed content. For example, the content change made by the encryption operation is the modification or deletion of an existing data file or of part of it. A data file is, for example, a separate text file, database file, image file, audio file, video file and/or application configuration file containing account information, financial information or private information. In this case the encryption unit 104 decrypts the data item when the encryption operation modifies or deletes it, and encrypts the data item again after the modification or deletion.

In addition, encrypting the data items involved in the encryption operation includes: after the encryption operation has changed the content of the data item, encrypting only the part of the data item whose content was changed. For example, the content change made by the encryption operation is the addition of an independent data file, such as a separate text file, database file, image file, audio file, video file and/or application configuration file containing account information, financial information or private information. In this case the encryption unit 104 encrypts only the newly added content, that is, it performs incremental encryption.
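The control unit and encryption unit behaviour described in the preceding paragraphs (the storage location alone decides whether a content change is an encryption operation; a full rewrite re-encrypts the whole item, an addition is encrypted incrementally), as an added example that is not part of the patent or of any Qihoo code. It is an in-memory model: the `/secure/` path prefix standing in for partition B, AES-GCM as the cipher, the per-segment layout, the `Store`, `Change`, `Read` and `Stored` names and the key supplied by the caller are all assumptions of the example; the patent specifies none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// Assumed layout (the patent names no paths): items under securePrefix are in
// the secure area ("partition B"), all others in the non-secure area ("partition A").
const securePrefix = "/secure/"

// Segment is one independently sealed piece of a secure-area item, so an append
// can add a segment instead of re-encrypting the whole item.
type Segment struct{ Nonce, Ciphertext []byte }

// Item holds clear bytes for non-secure items and sealed segments for secure ones.
type Item struct{ Plain []byte; Segments []Segment }

type Store struct{ aead cipher.AEAD; items map[string]*Item }

// NewStore takes a 16, 24 or 32-byte AES key; key handling is out of scope here.
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, items: map[string]*Item{}}, nil
}

// IsEncryptOp is the control unit's rule: the storage location alone decides
// whether a content change is an encryption operation.
func IsEncryptOp(path string) bool { return strings.HasPrefix(path, securePrefix) }

func (s *Store) seal(path string, data []byte) (Segment, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Segment{}, err
	}
	// The path is bound as associated data, so a segment cannot be moved to another item.
	return Segment{nonce, s.aead.Seal(nil, nonce, data, []byte(path))}, nil
}

// Change applies one content change observed by the monitoring unit: a full
// write replaces the item, an append extends it. For a secure-area item a full
// write encrypts the whole changed item and an append encrypts only the added
// part (incremental encryption); non-secure items are stored in the clear.
func (s *Store) Change(path string, content []byte, appendOnly bool) error {
	it, ok := s.items[path]
	if appendOnly && !ok {
		return errors.New("append to missing item")
	}
	if !appendOnly {
		it = &Item{}
		s.items[path] = it
	}
	if !IsEncryptOp(path) { // non-encryption operation
		it.Plain = append(it.Plain, content...)
		return nil
	}
	seg, err := s.seal(path, content)
	if err != nil {
		return err
	}
	it.Segments = append(it.Segments, seg)
	return nil
}

// Read is what an authorised party sees; secure items are decrypted segment by segment.
func (s *Store) Read(path string) ([]byte, error) {
	it, ok := s.items[path]
	if !ok {
		return nil, errors.New("no such item")
	}
	out := append([]byte(nil), it.Plain...)
	for _, seg := range it.Segments {
		pt, err := s.aead.Open(nil, seg.Nonce, seg.Ciphertext, []byte(path))
		if err != nil {
			return nil, err // tampered or relocated segment
		}
		out = append(out, pt...)
	}
	return out, nil
}

// Stored returns the bytes as they sit on storage, i.e. what a party who has
// breached the secure area obtains: clear text for non-secure items,
// ciphertext and authentication tags only for secure items.
func (s *Store) Stored(path string) (raw []byte) {
	if it, ok := s.items[path]; ok {
		raw = append(raw, it.Plain...)
		for _, seg := range it.Segments {
			raw = append(raw, seg.Ciphertext...)
		}
	}
	return raw
}
```

Because each added part is sealed as its own segment with a fresh nonce and the item path as associated data, an append does not require decrypting and re-encrypting the earlier content, and a segment copied from one item into another fails authentication on read. `Stored(path)` is what a party who copies the storage of the secure area obtains; for a secure item it holds ciphertext and tags only, so from that point the key, not the secure-area boundary, is what protects the data, and the key must not be kept where the breached area can read it.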

优选地,通信单元105用于将对经过加密的数据项进行解密的密码经由通信网络发送给预先设定的网络位置。通信网络例如是数据网络、无线网络、电话网络、或其任意组合。数据网络可以是任意局域网(LAN)、城域网(MAN)、广域网(WAN)、公共数据网(例如因特网)、或任意其他适合的分组交换网络,例如商业所有、私有分组交换网,例如私有电缆或光纤网络。此外,无线网络可以是例如蜂窝网络,并且可采用各种技术,包括用于全球演进的增强数据率(EDGE)、通用分组无线业务(GPRS)、全球移动通信系统(GSM)、因特网协议多媒体子系统(IMS)、通用移动电信系统(UMTS)等、以及任意其他适合的无线介质,例如微波接入(WiMAX)、长期演进(LTE)网络、码分多址(CDMA)、宽带码分多址(WCDMA)、无线保真(WiFi)、卫星、移动自组织网络(MANET)等。优选地,预先设定的网络位置可以是用户的邮箱。Preferably, the communication unit 105 is configured to send a password for decrypting the encrypted data item to a preset network location via a communication network. The communication network is, for example, a data network, a wireless network, a telephone network, or any combination thereof. The data network can be any local area network (LAN), metropolitan area network (MAN), wide area network (WAN), public data network (such as the Internet), or any other suitable packet-switched network, such as a commercially owned, private packet-switched network, such as a private cable or fiber optic network. Furthermore, the wireless network may be, for example, a cellular network and may employ various technologies including Enhanced Data Rates for Global Evolution (EDGE), General Packet Radio Service (GPRS), Global System for Mobile Communications (GSM), Internet Protocol Multimedia Subclass System (IMS), Universal Mobile Telecommunications System (UMTS), etc., and any other suitable wireless medium, such as Microwave Access (WiMAX), Long Term Evolution (LTE) networks, Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), wireless fidelity (WiFi), satellite, mobile ad hoc network (MANET), etc. Preferably, the preset network location may be the user's mailbox.

Preferably, the security server 110 can interact with the user equipment 100 through a communication network. The communication unit 111 can interact with the user equipment 100 through various types of communication networks. The authentication unit 112 is used to process authentication requests sent by applications in the non-secure area. The authentication unit 112 performs security authentication on the application: once the application in the non-secure area has successfully passed authentication, the access request is allowed, and when the application in the non-secure area fails authentication, the access request is rejected. The authentication unit 112 determines whether the application passes security authentication by checking information such as the name, publisher and version of the application in the non-secure area. Preferably, the storage unit 113 also stores information such as the names, publishers and versions of the various applications, for use in security authentication.
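The check the authentication unit 112 performs is an exact match of an application's name, publisher and version against records held by the storage unit 113. The following is an added example, not the patent's own code, that models that check: a known name with an unknown publisher or a stale version does not pass. The application names, publishers, versions and target paths are constructed for illustration.

```python
# Added example, not the patent's own code: a minimal model of authentication
# unit 112 on the security server. It keeps the name/publisher/version records
# the storage unit 113 is said to hold and accepts an application from the
# non-secure area only when all three attributes match a stored record.
# Application names, publishers and versions below are constructed.
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class AppIdentity:
    name: str
    publisher: str
    version: str


@dataclass(frozen=True)
class AuthRequest:
    app: AppIdentity   # application in the non-secure area asking for access
    target: str        # item in the secure area it wants to access


class AuthenticationUnit:
    def __init__(self, trusted_apps: Iterable[AppIdentity]):
        # Storage unit 113 analogue: whole records, matched as a unit, so a
        # known name paired with an unknown publisher or version is rejected.
        self._trusted = frozenset(trusted_apps)
        self.audit: List[Tuple[AppIdentity, str, str]] = []

    def authenticate(self, app: AppIdentity) -> bool:
        return app in self._trusted

    def process(self, request: AuthRequest) -> str:
        """Return "allow" or "deny" for the access request carried by `request`."""
        decision = "allow" if self.authenticate(request.app) else "deny"
        self.audit.append((request.app, request.target, decision))
        return decision


# Constructed allow-list standing in for the records in storage unit 113.
TRUSTED_APPS = [
    AppIdentity("com.example.chat", "Example Corp", "2.1.0"),
    AppIdentity("com.example.mail", "Example Corp", "5.0.3"),
]


def sample_decisions() -> List[str]:
    """Run four constructed requests through the unit and return the decisions."""
    unit = AuthenticationUnit(TRUSTED_APPS)
    target = "/secure/bank/screenshot.png"  # constructed secure-area item
    requests = [
        AuthRequest(AppIdentity("com.example.chat", "Example Corp", "2.1.0"), target),
        AuthRequest(AppIdentity("com.example.chat", "Example Corp", "2.0.9"), target),  # stale version
        AuthRequest(AppIdentity("com.example.chat", "Someone Else", "2.1.0"), target),  # same name, other publisher
        AuthRequest(AppIdentity("com.unknown.app", "Nobody", "1.0"), target),           # not registered at all
    ]
    return [unit.process(r) for r in requests]
```

Only the first request is allowed; the other three fail on version, publisher or name respectively, and every decision is kept in the audit list so the server can account for what it let through.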

In one embodiment, the secure area may be a sandbox, and security protection for applications, data and the network is provided by means of a sandbox application. The sandbox application establishes a secure area within the user terminal and protects the applications, data and network within the secure area. The main ways in which applications, data and the network within the secure area are protected are:

1. Security protection for applications: isolation of API component calls. Calls to the four main components of the Android system, Activity, Service, Content Provider and BroadcastReceiver, are protected. When an application in the secure area calls one of the above components of an application outside the secure area, or exchanges data with such a component, the security protection system receives the access request of the application in the secure area for the component in the non-secure area and sends the access request to the access controller. The access controller then determines, according to the access control policy, whether the access request is allowed; if the access control policy determines that the access request is allowed, the application in the secure area is allowed to access the item in the non-secure area.

In addition, when an application in the non-secure area calls one of the above components of an application in the secure area, or exchanges data with such a component, the security protection system receives the access request of the application in the non-secure area for the item in the secure area and sends the access request to the access controller. The access controller then determines, according to the access control policy, whether the access request is allowed; if the access control policy determines that the access request is allowed, the application in the non-secure area is allowed to access the item in the secure area.

2. Data isolation: data is stored in different partitions by means of namespaces. For example, data generated by ordinary applications in the non-secure area is stored in partition NamespaceA, while data generated by sandboxed applications in the secure area is stored in partition NamespaceB. In this way the data storage of ordinary applications and of sandboxed applications is independent, so the data of sandboxed applications cannot be illegally read, modified or deleted.

In addition, when an application in the secure area wishes to obtain (including modify, delete, read and so on) data outside the secure area, the security protection system receives the request of the application in the secure area for the data in the non-secure area and sends the request to the access controller. The access controller then determines, according to the access control policy, whether the request is allowed; if the access control policy determines that the request is allowed, the application in the secure area is allowed to obtain the data in the non-secure area.

In addition, when an application in the non-secure area wishes to obtain (including modify, delete, read and so on) data in the secure area, the security protection system receives the request of the application in the non-secure area for the data in the secure area and sends the request to the access controller. The access controller then determines, according to the access control policy, whether the request is allowed; if the access control policy determines that the request is allowed, the application in the non-secure area is allowed to obtain the data in the secure area.

3. Network isolation: network access is directed to the security server, and the security server mediates the interaction between applications inside the secure area and external applications. Typically, when an application inside the sandbox wants to access the external network, the security protection system establishes a VPN connection between the application and the security server, so that the security server takes the place of the server in the external network. This ensures that the network access of applications inside the sandbox is secure.

Typically, the sandbox can apply all three kinds of security protection to its internal applications, or any one or two of the three.
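Protections 1 and 2 above both route cross-area requests through an access controller that consults an access control policy, and protection 2 additionally keeps each area's data in its own namespace partition. The following is an added example, not code from the patent, of such a controller: it evaluates component calls and data requests that cross between the secure and non-secure areas against a default-deny rule set, and maps each area to its partition. The policy, the application names and the paths are constructed; the treatment of same-area requests as unmediated is an assumption, since the description only covers cross-area ones.

```python
# Added example, not code from the patent: an access controller of the kind the
# sandbox description calls for. It mediates cross-area component calls (item 1)
# and cross-area data requests (item 2) against a default-deny policy and maps
# each area to its storage namespace. Rules and request samples are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable, List


class Zone(Enum):
    SECURE = "secure"          # the sandboxed area
    NON_SECURE = "non_secure"  # ordinary applications


# Storage partitions named in the description: ordinary apps write to
# NamespaceA, sandboxed apps write to NamespaceB.
PARTITION = {Zone.NON_SECURE: "NamespaceA", Zone.SECURE: "NamespaceB"}

# The four Android component types whose calls are isolated.
COMPONENTS = frozenset({"Activity", "Service", "ContentProvider", "BroadcastReceiver"})


@dataclass(frozen=True)
class Request:
    caller: str
    caller_zone: Zone
    kind: str          # "component" (call to a component) or "data" (data access)
    target: str        # component type or data path
    target_zone: Zone
    action: str        # "call" for components; "read", "modify" or "delete" for data


@dataclass(frozen=True)
class Rule:
    caller_zone: Zone
    target_zone: Zone
    kind: str
    actions: FrozenSet[str]


class AccessController:
    """Allow a cross-area request only if an explicit rule covers it (default deny).
    Same-area requests are not described as mediated and pass through (assumption)."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)

    def is_allowed(self, req: Request) -> bool:
        if req.kind == "component" and req.target not in COMPONENTS:
            return False  # not one of the four protected component types
        if req.caller_zone == req.target_zone:
            return True
        return any(
            r.caller_zone == req.caller_zone and r.target_zone == req.target_zone
            and r.kind == req.kind and req.action in r.actions
            for r in self.rules
        )


def storage_partition(zone: Zone) -> str:
    """Namespace partition in which an application in `zone` stores its data."""
    return PARTITION[zone]


# Constructed policy: sandboxed apps may call outside components and read
# outside data; nothing outside may touch the sandbox's components or data.
SAMPLE_POLICY = [
    Rule(Zone.SECURE, Zone.NON_SECURE, "component", frozenset({"call"})),
    Rule(Zone.SECURE, Zone.NON_SECURE, "data", frozenset({"read"})),
]


def sample_decisions() -> List[bool]:
    """Evaluate five constructed cross-area requests under SAMPLE_POLICY."""
    ctl = AccessController(SAMPLE_POLICY)
    requests = [
        Request("bank", Zone.SECURE, "component", "Activity", Zone.NON_SECURE, "call"),
        Request("bank", Zone.SECURE, "data", "/public/contacts.db", Zone.NON_SECURE, "read"),
        Request("bank", Zone.SECURE, "data", "/public/contacts.db", Zone.NON_SECURE, "delete"),
        Request("chat", Zone.NON_SECURE, "component", "ContentProvider", Zone.SECURE, "call"),
        Request("chat", Zone.NON_SECURE, "data", "/secure/bank/account.db", Zone.SECURE, "read"),
    ]
    return [ctl.is_allowed(r) for r in requests]
```

Under this policy the sandboxed application may call outside components and read outside data but not delete it, and an outside application gets nothing from the sandbox because no rule grants it anything; a request that is not matched by any rule is denied rather than allowed, which is the property that makes the partition boundary hold.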

Preferably, according to a preferred embodiment of the present invention, the system 10 described above may be included in a mobile terminal or executed by a mobile terminal.

FIG. 2 is a flowchart of a data encryption method 20 according to a preferred embodiment of the present invention. The data encryption method 20 addresses the problem that, at present, when a secure area is breached the sensitive data in the secure area can be obtained by a malicious party, and applies data encryption protection to the secure area. The technical solution of the data encryption method 20 ensures that even if the secure area is breached, a malicious party cannot obtain the sensitive data stored in it.

As shown in FIG. 2, the data encryption method 20 starts at step 201. At step 201, a secure area is generated; the secure area is used to accommodate applications that require security protection. Preferably, the data generated by an application requiring security protection while it runs is stored in the secure area.

At step 202, operations related to content changes of data items are monitored. Preferably, items in the secure area need to interact with external items. External items are, for example, items in the non-secure area, or network access via the communication unit. To meet this need, the user equipment provides flexible security control so that applications in the secure area can access applications, data, networks and so on outside the secure area, and applications outside the secure area can access applications, data and so on inside the secure area.

Preferably, the data encryption method 20 monitors operations related to content changes of data items. An operation related to a content change of a data item may be initiated by an application in the secure area, or by an application in the non-secure area. Moreover, the data item may be located in the secure area or in the non-secure area. When the operation related to the content change of the data item is initiated by an application in the non-secure area and the data item involved is located in the secure area, the control unit causes the application in the non-secure area to send an authentication request to the security server, and only after the application in the non-secure area has successfully passed the security server's authentication is it allowed to change the content of the data item. In addition, when the operation related to the content change of the data item is initiated by an application in the non-secure area and the data item involved is located in the non-secure area, the application in the non-secure area does not need to be authenticated.

Typically, an application in the non-secure area may need to access an information item in the secure area; for example, an instant messaging application in the non-secure area may need to obtain a screenshot of a banking application in the secure area and send the screenshot over the network. However, screenshots of banking applications usually contain the user's account information, accounting information and private information. Likewise, when an instant messaging application in the non-secure area needs to obtain a user's private picture from the secure area and send it over the network, the user's private information may be leaked. Typically, the data items in the secure area include at least one of the following: account information, accounting information, private information and the like. A data item can also be defined as information that the user stores in the secure area and does not want other users to obtain. Account information is, for example, the user name, password and security question information with which the user logs in to various websites or applications. Accounting information is, for example, information generated by the user operating an application, such as account balance information, account information and transfer information. Private information is, for example, the user's private pictures, private videos and private documents. Preferably, a data item may also be a data file stored in the non-secure area, such as a text file, an image file or a video file.

According to a preferred embodiment of the present invention, the data encryption method 20 monitors operations related to content changes of data items, and such operations may be performed by applications in the secure area or by applications in the non-secure area. It follows that the data encryption method 20 can monitor all operations in the user equipment that relate to the content of data items.

At step 203, the storage location of the data item is determined, and when the storage location of the data item is in the secure area, the operation is marked as an encryption operation. The data encryption method 20 determines the storage location of the data item and, when that location is in the secure area, marks the operation as an encryption operation. As described above, data items include data items stored inside the secure area and data items stored outside it. The data items in the secure area include at least one of the following: account information, accounting information, private information and the like. The data items in the secure area can also be defined as information that the user stores in the secure area and does not want other users to obtain. Preferably, a data item may also be a data file stored in the non-secure area, such as a text file, an image file or a video file.

Preferably, the data encryption method 20 performs different operations depending on the location of the data item, so that the data encryption system treats data items in different locations differently. Generally, the data encryption system needs to encrypt data items in the secure area but does not need to encrypt data items in the non-secure area. To this end, the data encryption method 20 first determines the storage location of the data item. Then, when the storage location of the data item is in the secure area, the data encryption method 20 marks the operation as an encryption operation, whereas when the storage location of the data item is in the non-secure area, the data encryption method 20 does not mark the operation as an encryption operation. The modifications that an encryption operation makes to a data item must be encrypted, so as to ensure the security of the data in the secure area.

Preferably, the data item is one or more of the following: a text file, a database file, an image file, an audio file, a video file or an application configuration file. The content change of the data item includes one or more of the following: deletion of the data item's content, modification of the data item's content, or addition to the data item's content. Typically, the data items in the secure area include at least one of the following: account information, accounting information, private information and the like.

At step 204, the data items involved in the encryption operation are encrypted. Encrypting the data items involved in the encryption operation includes: after the encryption operation has changed the content of the data item, encrypting the changed data item. For example, the content change that the encryption operation makes to the data item is the modification or deletion of an existing data file or a part of it. Data files are, for example, separate text files, database files, image files, audio files, video files and/or application configuration files relating to account information, accounting information and private information. In this case, the data encryption method 20 decrypts the data item when the encryption operation modifies or deletes it, and encrypts the data item again after the encryption operation has modified or deleted it.

In addition, encrypting the data items involved in the encryption operation includes: after the encryption operation has changed the content of the data item, encrypting the part of the data item whose content was changed. For example, the content change that the encryption operation makes to the data item is the addition of an independent data file. Independent data files are, for example, separate text files, database files, image files, audio files, video files and/or application configuration files relating to account information, accounting information and private information. In this case, the data encryption method 20 encrypts only the newly added data item content, that is, it performs incremental encryption.
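Steps 201 to 204 together form one procedure: generate the secure area, observe change operations, classify each operation by where its data item lives, and encrypt accordingly, incrementally for a newly added file and by decrypt, change, re-encrypt for a modification or deletion of an existing one. The following is an added example, not code from the patent, that runs that procedure end to end, including the rule from step 202 that an application in the non-secure area may change a secure-area item only after authentication. The secure area is modelled as a path prefix, the cipher is an HMAC-SHA256 counter-mode keystream used purely for demonstration (a deployment would use an authenticated cipher), and all paths, contents and the key are constructed.

```python
# Added example, not code from the patent: a runnable model of method 20
# (steps 201-204). The secure area is a path prefix (step 201); change
# operations are observed (step 202); the item's location decides whether the
# operation is an encryption operation (step 203); and the item is encrypted,
# incrementally for newly added files and decrypt/patch/re-encrypt for
# modifications (step 204). The cipher is an HMAC-SHA256 counter-mode
# keystream for demonstration only; it gives no integrity protection.
# Paths, contents and the key are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECURE_ROOT = "/secure/"   # step 201: the generated secure area (assumed prefix)
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_item(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)  # fresh nonce per encryption, so re-encrypting never reuses one
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt_item(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


@dataclass(frozen=True)
class ChangeOperation:
    initiator_zone: str          # "secure" or "non_secure": where the application runs
    path: str
    kind: str                    # "add", "modify" or "delete"
    content: bytes = b""         # whole new file for "add"; replacement bytes for "modify"
    offset: int = 0              # where "modify" writes its bytes
    authenticated: bool = False  # set once the security server has accepted the app


class DataEncryptionSystem:
    def __init__(self, key: bytes):
        self.key = key
        self.store: Dict[str, bytes] = {}   # path -> bytes as kept on disk
        self.log: List[Tuple[str, str, str]] = []

    def in_secure_area(self, path: str) -> bool:          # step 203
        return path.startswith(SECURE_ROOT)

    def classify(self, op: ChangeOperation) -> str:
        return "encryption_operation" if self.in_secure_area(op.path) else "plain_operation"

    @staticmethod
    def _patch(current: bytes, op: ChangeOperation) -> bytes:
        buf = bytearray(current)
        buf[op.offset:op.offset + len(op.content)] = op.content
        return bytes(buf)

    def handle(self, op: ChangeOperation) -> str:          # step 202 entry point
        label = self.classify(op)
        if label == "encryption_operation" and op.initiator_zone == "non_secure" and not op.authenticated:
            self.log.append((op.path, "denied", op.kind))
            return "denied"   # outside app must pass the security server first
        if op.kind == "delete":
            self.store.pop(op.path, None)
        elif label == "plain_operation":
            current = self.store.get(op.path, b"") if op.kind == "modify" else b""
            self.store[op.path] = op.content if op.kind == "add" else self._patch(current, op)
        elif op.kind == "add":
            # step 204, incremental: only the newly added file is encrypted
            self.store[op.path] = encrypt_item(self.key, op.content)
        else:
            # step 204, modification: decrypt, apply the change, encrypt again
            current = decrypt_item(self.key, self.store[op.path])
            self.store[op.path] = encrypt_item(self.key, self._patch(current, op))
        self.log.append((op.path, label, op.kind))
        return label

    def read_secure(self, path: str) -> bytes:
        return decrypt_item(self.key, self.store[path])


def demo() -> Tuple[List[str], bytes, bytes, bool]:
    """Run four constructed operations; return labels, decrypted secure item,
    stored public item, and whether the secure item is stored in ciphertext."""
    system = DataEncryptionSystem(key=b"\x01" * 32)   # constructed key
    ops = [
        ChangeOperation("secure", "/secure/bank/account.txt", "add", b"balance=100"),
        ChangeOperation("secure", "/secure/bank/account.txt", "modify", b"250", offset=8),
        ChangeOperation("non_secure", "/secure/bank/account.txt", "modify", b"999", offset=8),
        ChangeOperation("non_secure", "/public/notes.txt", "add", b"hello"),
    ]
    labels = [system.handle(op) for op in ops]
    secure_path = "/secure/bank/account.txt"
    return (labels, system.read_secure(secure_path), system.store["/public/notes.txt"],
            system.store[secure_path] != b"balance=250")
```

In the demo the secure-area file is written encrypted, the in-place modification goes through decrypt, patch and re-encrypt, the unauthenticated change attempted from the non-secure area is refused and leaves the item untouched, and the file outside the secure area is stored as it came, which is exactly the split between encryption operations and other operations that step 203 draws.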

Preferably, the data encryption method 20 further includes sending the password for decrypting the encrypted data item, via a communication network, to a preset network location. Preferably, the preset network location may be the user's mailbox.

The invention has been described with reference to a small number of embodiments. However, as is well known to those skilled in the art, embodiments other than those disclosed above fall equally within the scope of the invention as defined by the appended patent claims.

Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise therein. All references to "a/an/the [device, component, etc.]" are to be interpreted openly as at least one instance of the device, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein need not be performed in the exact order disclosed, unless explicitly stated.

Claims (10)

1. A data encryption system, comprising: a generating unit, configured to generate a secure area, the secure area being used to accommodate applications requiring security protection; a monitoring unit, configured to monitor operations related to content changes of data items; a control unit, configured to determine the storage location of the data item and, when the storage location of the data item is in the secure area, to mark the operation as an encryption operation; and an encryption unit, which encrypts the data items involved in the encryption operation.

2. The system according to claim 1, wherein the operation related to the content change of the data item is initiated by an application in the secure area.

3. The system according to claim 1, wherein the operation related to the content change of the data item is initiated by an application in the non-secure area.

4. The system according to any one of claims 1-3, wherein the data item is one or more of the following: a text file, a database file, an image file, an audio file, a video file or an application configuration file.

5. A mobile terminal, comprising or configured to execute the system according to any one of claims 1-4.

6. A data encryption method, comprising: generating a secure area, the secure area being used to accommodate applications requiring security protection; monitoring operations related to content changes of data items; determining the storage location of the data item and, when the storage location of the data item is in the secure area, marking the operation as an encryption operation; and encrypting the data items involved in the encryption operation.

7. The method according to claim 6, wherein the operation related to the content change of the data item is initiated by an application in the secure area.

8. The method according to claim 6, wherein the operation related to the content change of the data item is initiated by an application in the non-secure area.

9. The method according to any one of claims 6-8, wherein the data item is one or more of the following: a text file, a database file, an image file, an audio file, a video file or an application configuration file.

10. The method according to claim 6, wherein the content change of the data item includes one or more of the following: deletion of the data item's content, modification of the data item's content, or addition to the data item's content.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201611032223.1A (CN106453398B) | 2016-11-22 | 2016-11-22 | A kind of data encryption system and method

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201611032223.1A (CN106453398B) | 2016-11-22 | 2016-11-22 | A kind of data encryption system and method

Publications (2)

Publication Number | Publication Date
CN106453398A (this publication) | 2017-02-22
CN106453398B | 2019-07-09

Family

ID=58221179

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201611032223.1A (Active; CN106453398B) | A kind of data encryption system and method | 2016-11-22 | 2016-11-22

Country Status (1)

Country | Link
CN (1) | CN106453398B (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN1764908A * | 2003-03-26 | 2006-04-26 | 松下电器产业株式会社 | Storage device
US20080091604A1 * | 2006-10-05 | 2008-04-17 | Societe Francaise Du Radiotelephone | Method for the Compartmented Provisioning of an Electronic Service
CN105574440A * | 2014-10-31 | 2016-05-11 | 惠普发展公司,有限责任合伙企业 | Hardware-protective data processing systems and methods using an application executing in a secure domain
CN104392188A * | 2014-11-06 | 2015-03-04 | 三星电子(中国)研发中心 | Security data storage method and system
CN104683336A * | 2015-02-12 | 2015-06-03 | 中国科学院信息工程研究所 | A security domain-based Android privacy data protection method and system

Cited By (5)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN108874604A * | 2018-06-28 | 2018-11-23 | 郑州云海信息技术有限公司 | A kind of method and system of verifying encryption equipment encryption data authenticity
CN108874604B * | 2018-06-28 | 2021-07-06 | 郑州云海信息技术有限公司 | A method and system for verifying the authenticity of encrypted data of an encryption device
CN109033850A * | 2018-06-29 | 2018-12-18 | 深信服科技股份有限公司 | A kind of processing method of screenshot picture, device, terminal and computer storage medium
CN113395245A * | 2020-03-13 | 2021-09-14 | 昆山恒禾隆智能化系统有限公司 | Internet of things safety system and method based on information encryption
CN115632829A * | 2022-09-29 | 2023-01-20 | 中国人民银行清算总中心 | Data encryption method and system based on virtual route forwarding technology

Also Published As

Publication number | Publication date
CN106453398B (en) | 2019-07-09

Legal Events

Code | Title | Description
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
TA01 | Transfer of patent application right | Effective date of registration: 20170803. Address after: 100102, 18 floor, building 2, Wangjing street, Beijing, Chaoyang District, 1801. Applicant after: BEIJING ANYUN SHIJI SCIENCE AND TECHNOLOGY CO., LTD. Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park). Applicant before: Beijing Qihu Technology Co., Ltd.
GR01 | Patent grant |
