CN-121997368-A - Document security management method and system based on a smart cryptographic key
Abstract
The invention discloses a document security management method and system based on a smart cryptographic key (USB Key), in the technical field of document security. It addresses four problems: the cross-language performance barrier between Java business logic and C cryptographic hardware code, compatibility with smart cryptographic keys from multiple manufacturers, adaptation to heterogeneous platforms, and the performance bottleneck of having the smart key alone encrypt large files. The scheme comprises two-factor identity authentication, a cross-language, cross-platform interaction architecture based on JNI, soft/hard collaborative hybrid encryption, and signed log auditing; the system uses a layered, decoupled architecture of presentation layer, application service layer, basic service layer, data layer and infrastructure layer. The invention achieves efficient software/hardware coordination and multi-environment adaptation, removes the encryption performance bottleneck, protects the document over its whole life cycle, and is suited to security-critical settings such as commercial-cryptography assessment institutions.
Inventors
- CHEN RUJUN
- ZHANG JINNAN
- HUANG LANQIAO
- WEI SHAOYU
- WANG PEIPEI
Assignees
- 江苏金屹城科技发展有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20251230
Claims (13)
- 1. A document security management method based on a smart cryptographic key, characterized by comprising the following steps: S1, identity authentication: authenticate the user with a two-factor mechanism combining a digital certificate with the smart cryptographic key, assign operation permissions according to the user's role, and record a login log entry bearing a digital signature; S2, whole-life-cycle security processing of files, covering file archiving, file outgoing (delivery), file decryption and file integrity verification, wherein: S2.1, a cross-language, cross-platform interaction architecture is constructed in which a Java service module and a C-language cryptographic processing module exchange data with low latency through JNI; the C module interfaces with the smart key library file according to the national cryptographic standard, and the library file in turn interacts with smart cryptographic key devices from multiple manufacturers according to the same standard; S2.2, a soft/hard collaborative hybrid encryption mode is adopted: the smart key's hardware layer generates the random numbers and performs the SM2 public-key encryption (enveloping) of the SM4-ECB session key, while the software layer encrypts the large file at high speed with the SM4-CBC symmetric algorithm to produce the file ciphertext and a digital-envelope secure data package, thereby removing the performance bottleneck of pure hardware encryption; S3, log auditing: generate a tamper-evident log record carrying the operator's digital signature for every operation, so that operation behaviour is traceable and non-repudiable.
- 2. The method of claim 1, wherein the data path of the cross-platform interaction architecture in step S2.1 is as follows: the PC terminal establishes a communication connection with the Java service module; the Java service module forwards the cryptographic operation request and business data to the C-language cryptographic processing module through the JNI interface; the C module exchanges data with the smart key library file according to the national cryptographic standard; and the library file performs key invocation and random number generation on the smart cryptographic key device according to that standard.
- 3. The method of claim 2, wherein the C-language cryptographic processing module is compiled for multiple platforms using conditional compilation directives that adapt the same C source to the MSVC compiler on Windows and the GCC compiler on the Kylin operating system, so that one set of C code runs identically on heterogeneous platforms.
- 4. The method of claim 1, wherein the soft/hard collaborative hybrid encryption mode of step S2.2 proceeds as follows: i) the hardware layer of the smart cryptographic key generates a 16-byte random number and writes the associated key metadata into the digital envelope; ii) the SM2 public key encrypts the SM4-ECB session key, and the encrypted SM4-ECB session key is written into the digital envelope; iii) the software layer's SM4-CBC key is encrypted with the SM4-ECB session key (in its encrypted state) and combined with the random number to derive a usable, highly random SM4-CBC key; iv) the software layer encrypts the large file at high speed with the SM4-CBC key to produce the file ciphertext; v) the file ciphertext and the digital envelope containing the encrypted SM4-ECB session key are packaged into a secure data package.
- 5. The method of claim 4, wherein the SM4-CBC key is a one-time key and each file has its own unique SM4-CBC key, implementing a one-file-one-key encryption policy.
- 6. The method of claim 1, wherein the two-factor authentication of step S1 comprises verifying the validity of the smart key hardware held by the user and verifying the smart key PIN entered by the user, the PIN verification being performed inside the smart key with the number of consecutive wrong attempts limited to at most 5.
- 7. The method of claim 1, wherein the file archiving process further comprises checking that the uploaded file's format and size comply with policy, generating a digital signature over the file's SM3 hash with the archiver's SM2 signing private key, encrypting the file with SM4, storing the ciphertext, and securely deleting the original plaintext file.
- 8. The method of claim 1, wherein the file outgoing (delivery) process further comprises encrypting the session key with the recipient's (borrower's) SM2 public key and adding a timestamp, a maximum number of decryptions, a validity period and digital watermark information to the encrypted file to form a delivery package.
- 9. The method of claim 1, wherein the file decryption process further comprises performing the decryption in the terminal's memory and, after use, securely clearing the plaintext data and key material from memory by overwriting them with random data, so that plaintext is never written to persistent storage.
- 10. The method of claim 1, wherein the file integrity verification process comprises recomputing the file's SM3 hash, comparing it with the digitally signed original hash recorded at archiving, verifying the digital signature with the signer's public key, immediately raising a security alarm if the recomputed SM3 hash does not match the original, and writing the exception information to the audit log.
- 11. A document security management system based on a smart cryptographic key for implementing the method of claim 1, the system being divided, from bottom to top, into an infrastructure layer, a data layer, a basic service layer, an application service layer and a presentation layer, each layer carrying its own functions and cooperating with the others through standardized interfaces, wherein: the infrastructure layer comprises the software platform, the hardware platform and the network environment; the software platform covers the Windows operating system, the domestic Kylin operating system and the database system, the hardware platform comprises the PC and the smart cryptographic key, and all components are deployed in a secure internal network, so as to provide the basic software and hardware support the system needs and to keep the underlying runtime environment secure, stable and controllable; the data layer manages the system's core data assets through four kinds of persistent carriers, namely log files, configuration files, the file repository and database data: log files support audit trails of operations, configuration files hold unified system parameters, the file repository stores the core business files, and the database holds structured business information, together giving the upper layers a uniform and reliable data access base; the basic service layer exposes, through JNI, a cross-language calling interface to the Java applications of the application service layer, so that cryptographic operations and smart key interaction run close to the hardware at full performance, and also serves the upper layer's general data interaction and operation-recording needs through file read/write, log service and database read/write modules, thereby removing the language performance barrier between Java business logic and the underlying C cryptographic hardware code; the application service layer, developed in Java, comprises an access control module, a file archiving module, a file outgoing module, a file decryption module, a file encryption module and a file verification module; it calls the C-language cryptographic service of the basic service layer for high-strength cryptographic operations, uses the smart key middleware for secure key management, and uses the access control module for user and role permission management; a soft/hard collaborative hybrid encryption unit in this layer calls the smart key of the basic service layer to securely wrap the session key, while a software SM4-CBC implementation encrypts the large file at high speed, producing the file ciphertext and the digital-envelope secure data package; and the presentation layer comprises client applications for Windows and Kylin that call the unified interface of the application service layer, giving users the same functionality and user interface on either operating system, i.e. uniform support across heterogeneous platforms.
- 12. The system of claim 11, wherein the smart key middleware is a standardized interface that offers the application service layer a unified key management and cryptographic service invocation interface and, downward, is compatible with smart cryptographic key devices from different manufacturers, so that hardware adaptation is completed without modifying upper-layer business logic.
- 13. The system of claim 11, wherein the business files stored in the data layer's file repository are kept in ciphertext form and the log files are digitally signed with the operator's SM2 private key, so that log records are tamper-evident and non-repudiable and provide legally valid evidence for audit trails.
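The soft/hard split of claims 4 and 5 in working form, as an added example that is not the patent's or the assignee's code: a pure-Python SM4 (GB/T 32907) in CBC mode, a fresh key and IV per file, and an envelope-plus-ciphertext package. The smart key's duties (hardware RNG, SM2 wrapping of the file key) are modelled by `FakeSmartKey`, a test double constructed for this example; the real device performs the SM2 operations internally and never releases its private key. The package header `MAGIC`, the byte layout, and the simplification of claim 4's two-stage SM4-ECB/SM4-CBC derivation into a single wrapped per-file key are assumptions of this example, not the patent's specification.

```python
import secrets
import struct

# SM4 S-box and constants from GB/T 32907 (16 rows of 16 bytes).
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c052b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6fd5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad80ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec68418f07dec3adc4d2079ee5f3ed7cb3948"
)
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = tuple(int.from_bytes(bytes((4 * i + j) * 7 & 0xFF for j in range(4)), "big")
           for i in range(32))  # CK_i = bytes (4i+j)*7 mod 256, j = 0..3
MAGIC = b"SM4ENV1\x00"  # assumed package header; the patent defines no layout

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _tau(x):  # byte-wise S-box substitution of a 32-bit word
    return int.from_bytes(bytes(SBOX[b] for b in x.to_bytes(4, "big")), "big")

def _t(x, shifts=(2, 10, 18, 24)):  # T = L(tau(x)); key schedule uses L' (13, 23)
    b = out = _tau(x)
    for s in shifts:
        out ^= _rotl(b, s)
    return out

def sm4_round_keys(key):
    k = [a ^ b for a, b in zip(struct.unpack(">4I", key), FK)]
    for i in range(32):
        k.append(k[i] ^ _t(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i], (13, 23)))
    return k[4:]

def sm4_block(rks, block):  # one 16-byte block; pass reversed rks to decrypt
    x = list(struct.unpack(">4I", block))
    for rk in rks:
        x.append(x[-4] ^ _t(x[-3] ^ x[-2] ^ x[-1] ^ rk))
    return struct.pack(">4I", *x[-1:-5:-1])  # output is X35..X32 reversed

def _xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def sm4_cbc_encrypt(key, iv, data):
    rks, out, prev = sm4_round_keys(key), bytearray(), iv
    pad = 16 - len(data) % 16  # PKCS#7 padding, always at least one byte
    data = data + bytes([pad]) * pad
    for i in range(0, len(data), 16):
        prev = sm4_block(rks, _xor(data[i:i + 16], prev))
        out += prev
    return bytes(out)

def sm4_cbc_decrypt(key, iv, data):
    if not data or len(data) % 16:
        raise ValueError("ciphertext is not a whole number of blocks")
    rks, out, prev = sm4_round_keys(key)[::-1], bytearray(), iv
    for i in range(0, len(data), 16):
        out += _xor(sm4_block(rks, data[i:i + 16]), prev)
        prev = data[i:i + 16]
    pad = out[-1]
    if not 1 <= pad <= 16 or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return bytes(out[:-pad])

class FakeSmartKey:
    """Test double for the smart key (constructed). The real device SM2-encrypts
    the file key to its own public key and decrypts it only after PIN checks;
    here the wrapped blob is an opaque handle into a vault that never leaves."""
    def __init__(self):
        self._vault = {}
    def random_bytes(self, n):  # stands in for the hardware RNG
        return secrets.token_bytes(n)
    def wrap_session_key(self, key):
        handle = secrets.token_bytes(32)  # stands in for the SM2 ciphertext
        self._vault[handle] = key
        return handle
    def unwrap_session_key(self, blob):
        if blob not in self._vault:
            raise PermissionError("wrapped key was not produced by this device")
        return self._vault[blob]

def seal_file(device, plaintext):  # one fresh key and IV per file (claim 5)
    file_key, iv = device.random_bytes(16), device.random_bytes(16)
    wrapped = device.wrap_session_key(file_key)
    envelope = MAGIC + iv + struct.pack(">H", len(wrapped)) + wrapped
    return envelope + sm4_cbc_encrypt(file_key, iv, plaintext)

def open_file(device, package):
    if not package.startswith(MAGIC):
        raise ValueError("not a sealed package")
    iv, (n,) = package[8:24], struct.unpack(">H", package[24:26])
    wrapped, ciphertext = package[26:26 + n], package[26 + n:]
    return sm4_cbc_decrypt(device.unwrap_session_key(wrapped), iv, ciphertext)
```

Two caveats a practitioner should take from this. The package carries no MAC: CBC ciphertext is malleable and a padding error is the only thing decryption can notice, so the integrity guarantee in the patent's scheme comes from the signed SM3 hash of claims 7 and 10, and a package must pass that check before its plaintext is trusted. And Python `bytes` are immutable, so the random-overwrite wipe of plaintext and key material required by claim 9 has to be done in the native C layer that owns the buffers, not in the Java or Python caller.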
Description
Document security management method and system based on a smart cryptographic key
Technical Field
The invention relates to the field of document security management, in particular to a document security management method and system based on a smart cryptographic key, which is especially suited to settings such as commercial-cryptography assessment institutions that must strictly follow the laws and regulations on data security and cryptography and need security management and control over the whole life cycle of sensitive documents.
Background
With the implementation of laws and regulations such as the Data Security Law of the People's Republic of China and the Cryptography Law of the People's Republic of China, assessment institutions, as the professional bodies that undertake security assessment of commercial cryptography applications, need a sound data security management system and effective technical measures to ensure the security, confidentiality and traceability of sensitive electronic documents, both in internal storage and when exchanged with client organizations. At present such institutions generally solve document security in the traditional way: encrypted USB flash drives for encrypted storage and transfer between terminals, encrypted compressed archives sent to the client through channels such as e-mail and instant messaging tools with the decryption password sent separately in plaintext, and internal protection of important documents by management measures such as physical isolation and dedicated custodians.
However, this prior art has significant drawbacks. 1) Encrypted USB drives carry hidden security risks: some of them use no real encryption at all and achieve an apparent encryption effect only through simple password protection or hardware disguise, so a professional with the right tools can recover the stored documents by cracking the drive or replacing its storage chip, and data security cannot be effectively guaranteed. 2) Encrypted compressed archives are exposed in transit and to cracking, because the decryption password has to be transmitted in plaintext alongside them and is easily stolen by an intermediary. 3) Internal management measures leave blind spots in tracing and control: physical isolation and dedicated custodians cannot effectively control what reviewers do with documents, illegal copying or tampering is hard to detect, and after a leak the responsible party cannot be precisely identified. To raise the level of document protection, some schemes attempt to introduce hardware security devices such as the smart cryptographic key (USB Key), but two main technical difficulties arise in practice. Difficulty 1: there are language and performance barriers between the upper-layer Java business logic and the underlying C cryptographic hardware code; at the same time, smart keys from different manufacturers must be supported and both Windows and the Kylin operating system must be accommodated, so the integration is complex. Existing schemes mostly use a single development language or a vendor-specific hardware adaptation, so they cannot coordinate efficiently across languages, and their poor hardware compatibility and platform suitability limit deployment and adoption. Difficulty 2: having the smart key alone encrypt large files with SM4-CBC has a serious performance bottleneck, for example encrypting a 1 MB file takes up to 10 minutes, which cannot meet the need of assessment institutions to process large numbers of sensitive files quickly every day and severely limits the system's practicality and user experience. Existing schemes either sacrifice security by encrypting in pure software or accept low performance by encrypting in pure hardware, and find it hard to reconcile security with efficiency. A technical scheme is therefore needed that overcomes these difficulties, achieves cross-language and cross-platform compatibility, delivers both security and encryption performance, and covers security control over the whole life cycle of the document, so as to meet the compliance and business needs of settings such as assessment institutions.
Disclosure of Invention
The first technical purpose of the invention is to provide a document security management method based on a smart cryptographic key, for solving the problems of the language and performance barrier between upper-layer Java business logic and underlying C cryptographic hardware code, compatib