
TWI237178B - A encryption system and method of securing internal business data - Google Patents


Info

Publication number
TWI237178B
Authority
TW
Taiwan
Prior art keywords
server
data
user
file
encryption
Prior art date
Application number
TW92120900A
Other languages
Chinese (zh)
Other versions
TW200504510A (en)
Inventor
Henry Chen
Original Assignee
Fineart Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Fineart Technology Co Ltd
Priority to TW92120900A
Publication of TW200504510A
Application granted
Publication of TWI237178B


Landscapes

  • Storage Device Security (AREA)

Abstract

This invention relates to an encryption system and method for securing internal business data. The invention is composed of a server end and user ends, so that every written-out file is recorded by the server end and files written out at the user ends are encrypted. The invention therefore prevents business information from being revealed through any external storage device, and achieves data security by ensuring that internal data files can be used only within the enterprise.

Description

[Technical Field of the Invention]

The present invention relates to a file encryption method, and more particularly to an encryption system and method for protecting internal business data from being leaked outside the enterprise.

[Prior Art]

Information-processing devices and the communication technologies that go with them are now widespread and are applied in every field, so the functions of information-processing devices have become increasingly diverse. In this era of information explosion, every enterprise adds peripheral devices to its information-processing equipment to keep up with current demands and raise its competitiveness; but as enterprises work to upgrade these peripherals, related security-control problems arise with them.

For example, the distributed systems used in enterprises are mostly connected over an internal local area network (Intranet) and consist of a plurality of clients and one server. The volume of data flowing between them is considerable, which makes management difficult. In recent years, measures such as firewalls and anti-virus software have been introduced to stop internal data leaving the enterprise over the Internet, whether through intrusion by hackers or through employees sending data out over the network. There is, however, no particular protection against data leaving through an external storage device.

For the problem above, Patent Publication No. 343301, "Information security system and method for tracking the outflow of information", proposes a solution in which different data-protection methods are applied according to different security policies. Its key point is that whenever internal data is about to be written out, the client must contact the server and may release the data only after obtaining authorization, or else the server performs the encryption and returns substitute (dummy) data to the client. This places a heavy load on the enterprise's internal network: in a large enterprise a great many connections are open at the same time, system resources are consumed and network speed drops, and the round trips of information between the many employees and the server waste a great deal of time. Given present-day technology, such a situation really should not arise.

Accordingly, a practical direction is to make the outflow of internal data confidential while letting each client encrypt the written-out file on its own.

[Summary of the Invention]

In view of this, the present invention provides an encryption system and method for protecting internal business data from outflow. Its main purpose is to have the client alone encrypt the written-out file, so that business information cannot leave through an external storage device and harm the enterprise, and all internal files can be used only inside the enterprise, thereby achieving data security.

The encryption system and method disclosed by the present invention comprise at least the following steps: the server establishes a server-side database and its maintenance function; the client then connects to the server according to the selected mode; the client obtains and confirms the latest data from the server and operates stand-alone; the client determines whether there is a command to write a file to an external storage device; the client then obtains the security setting from the client-side database; once obtained, the client determines from the security setting whether the write-out of the file must be controlled; the file data is written to the external storage device in encrypted form as a security file; and finally the record of the written-out file is stored in the server-side database. The details and techniques of the present invention are described below with reference to the drawings.

[Embodiments]

The present invention is an encryption system and method for protecting internal business data from outflow. Refer to Fig. 1, the system architecture diagram of the encryption system, which illustrates the basic architecture of the invention as follows.

The system consists of a server 100 and at least one client 200. The client 200 and the server 100 are connected over an internal local area network (Intranet); the server 100 records every write-out action and the client encrypts every written-out file, so that business data cannot leak. The server 100 receives and transmits data, centrally manages the enterprise's internal data, stores the security settings and the usage records of the clients 200, and updates the security-setting data held on the clients 200. It comprises (1) a management interface module 110, (2) a server-side database 120, (3) an Active Directory module 130 and (4) a server-side transmit/receive interface 140, described further below:

(1) The management interface module 110 provides a management interface through which system operators can issue commands directly and manage the server 100.

(2) The server-side database 120 provides storage for the data of the server 100 and other externally input data, and makes that data directly accessible.

(3) The Active Directory module 130 obtains employee and department group data through the Lightweight Directory Access Protocol (LDAP) and stores it back into the server-side database 120.

(4) The server-side transmit/receive interface 140 receives data from the clients 200, stores it into the server-side database 120, and transmits the data that the server 100 wishes to send.

The client 200 receives and transmits data and, operating stand-alone under the security settings, writes out plain files and security files, thereby providing the data-encryption function. It comprises (1) a core function module 210, (2) a client-side database 220, (3) a user interface module 230 and (4) a client-side transmit/receive interface 240, described further below:

(1) The core function module 210 is a protection mechanism that prevents data from leaking from the client 200; using the security settings it distinguishes a plain file from a security file. A plain file is a file that has not been encrypted and is presented in plaintext.

(2) The client-side database 220 provides storage for the data of the client 200 and other externally input data, and gives direct access to the security files. A security file is an encrypted file, presented as ciphertext.

(3) The user interface module 230 is a user interface that, after the security settings have been obtained, encrypts a file being written out and, when that file is sent to an external storage device 300, requests the core function module 210 to release it.


(4) The client-side transmit/receive interface 240 receives data from the server 100, stores it into the client-side database 220, and transmits the data that the client 200 wishes to send.

The security settings described above are defined per user name and per specific machine signal (identifier) of the computer.

The encryption used by the client 200 may be asymmetric or symmetric. The asymmetric encryption may be one of public-key (PKI) encryption, the RSA algorithm and elliptic-curve cryptography; the symmetric encryption may be one of Blowfish, Triple DES, DES, IDEA, RC5, CAST-128 and RC2.

The external storage device 300 may be any one of a floppy drive, an optical drive, a ZIP drive, an MO drive, a disc writer, a Universal Serial Bus (USB) cable connection, a parallel-port cable, a serial-port cable and a portable information storage device.

The server 100 stores a write-out log file, which contains at least the following fields: the time the file was written out, the computer machine identification code, the user name, the name of the written-out file, the file fingerprint (thumbprint of the data structure) and a random fragment of the file's content.

Refer next to Fig. 2, a schematic diagram of the client of the invention writing data to an external storage device. The client 200 communicates with the server 100 through the client-side transmit/receive interface 240 to keep the information in the client-side database 220 up to date. When the client wants to move a file to the external storage device 300, the file is encrypted by the encryption method described above into an encrypted security file 350; if anyone else opens the encrypted security file 350 it appears as ciphertext that nobody can read.

Fig. 3 is a diagram of the relationship between the server and a plurality of clients: a single server 100 inside the enterprise communicates through its transmit/receive interface 140 with the transmit/receive interfaces 240a to 240n of the clients 200a to 200n respectively, making the transmission and reception of data faster.

Refer to Fig. 4-a and Fig. 4-b, flowcharts (1) and (2) of the encryption method for protecting internal business data from outflow, explained as follows.

First, a server 100 establishes a server-side database 120 and its maintenance function (step 400); see step A and Fig. 5, the detailed flowchart of the server establishing the server-side database. After step A, a management interface module 110 is first established so that it can enter the server-side database 120 and perform access functions (step 402); employee and department group data is then obtained through an Active Directory module 130 (step 404); finally that data is stored into the server-side database 120 (step 406), after which the flow returns to Fig. 4-a.

Next, a client 200 selects a mode and connects to the server 100 (step 410). The connection mode may be the active connection mode (step 415) or the passive connection mode (step 420), which enter step B and step C respectively; these two modes are explained after Fig. 4-a and Fig. 4-b. Once connected, the client 200 obtains and confirms the latest data from the server 100 and then operates stand-alone (step 430). The client 200 determines whether there is a command to write a file to an external storage device 300 (step 440). If no such command is received, the client 200 keeps monitoring (step 450). If such a command is received, the client 200 obtains a security setting from the client-side database 220 (step 460); this security setting is defined per user name and per specific machine signal of the computer. The client 200 then determines from the security setting whether the write-out of the file must be controlled (step 470). If no control is required, the file is written directly to the external storage device 300 as a plain file (step 490), and a record of the written-out file is stored in the client-side database 220 (step 495). If control is required, the file is written to the external storage device 300 by the encryption method as a security file (step 480), after which a record of the written-out file is stored in the client-side database 220 (step 495), and the flow ends.

The flow after step B is now described; see Fig. 6-a and Fig. 6-b, detailed flowcharts (1) and (2) of the client's active connection mode.

After step B, a feature of the client 200 is first obtained from the client-side database 220 (step 500); this feature consists of the computer machine identification code and the user name. A synchronize-data command is then sent through the client-side transmit/receive interface 240 (step 502). The server-side transmit/receive interface 140 receives the synchronize-data command and passes it to the server-side database 120 (step 504), which checks whether the feature is correct (step 506). If the feature is incorrect, an error message is returned to the client 200 (step 520), and the client 200 places restrictions on the client-side database 220 to prevent data outflow (step 522). If the feature is correct, the server-side database 120 determines whether the client-side database 220 needs a synchronization comparison (step 510). If it does not, the record of the written-out file is stored in the server-side database 120 (step 540). If it does, the updated data of the server-side database 120 is transmitted through the server-side transmit/receive interface 140, received by the client-side transmit/receive interface 240 and stored into the client-side database 220, and the flow ends.

The active connection mode may be triggered when the client 200 needs to retrieve data from the server 100, on the first network connection after the machine boots, or at a time period freely set by the client 200.

The detailed flow after step C is described next. Step C is divided into notification of a settings change by the server (step C1) and direct transmission of the settings by the server (step C2), shown in Fig. 7-a and Fig. 7-b: the detailed flowchart of the client's passive connection mode in which the server notifies a settings change, and the detailed flowchart of the passive connection mode in which the server transmits the changed settings directly, explained as follows.
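The client-side write-out decision (steps 440 to 495) and the write-out log record, as an added Python model that is not the patent's own code: the security setting is keyed by user name and machine identifier as the description states; the cipher is a stand-in HMAC-SHA256 keystream because the patent lists candidate algorithms without fixing one; and treating a missing setting as "controlled" is an assumption of this example, not something the patent specifies.

```python
"""Added model of the client write-out flow (steps 440 to 495) of TWI237178B.
Not the patent holder's code. Assumptions made here: the security setting is
keyed by (user name, machine id); a missing setting means the write-out is
controlled; the cipher is a stand-in HMAC-SHA256 keystream, since the patent
only lists candidate algorithms (Blowfish, Triple DES, ...) without choosing."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

NONCE_LEN = 16
FRAGMENT_LEN = 16


@dataclass
class SecuritySetting:
    """One row of the client-side database 220: which user on which machine,
    and whether writes to external storage must be controlled (encrypted)."""
    user_name: str
    machine_id: str
    control_write_out: bool


@dataclass
class WriteOutRecord:
    """The log fields the description requires for every written-out file."""
    written_at: float
    machine_id: str
    user_name: str
    file_name: str
    fingerprint: str        # SHA-256 of the plaintext (the file thumbprint)
    random_fragment: bytes  # a randomly chosen slice of the plaintext


def lookup_setting(settings, user_name, machine_id):
    """Step 460: fetch the setting for this user on this machine. Assumption:
    no matching row means the write-out is controlled (deny by default)."""
    for s in settings:
        if s.user_name == user_name and s.machine_id == machine_id:
            return s
    return SecuritySetting(user_name, machine_id, control_write_out=True)


def _keystream(key, nonce, nbytes):
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        msg = nonce + counter.to_bytes(8, "big")
        out.extend(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return bytes(out[:nbytes])


def encrypt_file(key, plaintext):
    """Build a security file: fresh nonce || (plaintext XOR keystream).
    Confidentiality only; a production system would also append a MAC."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_file(key, security_file):
    nonce, body = security_file[:NONCE_LEN], security_file[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def fingerprint_of(data):
    return hashlib.sha256(data).hexdigest()


def random_fragment(data, size=FRAGMENT_LEN):
    """The 'random fragment content' log field: a random slice of the
    plaintext, usable to spot-check a recovered file against the log."""
    if len(data) <= size:
        return data
    start = secrets.randbelow(len(data) - size + 1)
    return data[start:start + size]


def write_out(settings, user_name, machine_id, file_name, plaintext, key, log):
    """Steps 460 to 495: choose plain file or security file, then append the
    write-out record to the client log. Returns (kind, bytes for the device)."""
    setting = lookup_setting(settings, user_name, machine_id)      # step 460
    if setting.control_write_out:                                  # step 470
        kind, payload = "security_file", encrypt_file(key, plaintext)  # 480
    else:
        kind, payload = "plain_file", plaintext                    # step 490
    log.append(WriteOutRecord(time.time(), machine_id, user_name, file_name,
                              fingerprint_of(plaintext),
                              random_fragment(plaintext)))        # step 495
    return kind, payload
```

The returned log records are what the client later pushes to the server-side database in the active connection mode; the fingerprint and random fragment let an investigator match a file found on removable media back to the write-out event.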

After step C1, the server 100 determines whether a management interface module 110 has changed the security settings (step 600). If not, the server 100 keeps monitoring (step 610) and returns to step 600. If the settings have changed, the server 100 notifies each client 200 through the server-side transmit/receive interface 140 that the security settings must change (step 620); each client 200 receives the notification through its client-side transmit/receive interface 240 and asks the server-side transmit/receive interface 140 to retrieve the new security settings (step 630); finally the server 100 returns the new security settings to the client 200 through the management interface module 110, and the client 200 stores them in the client-side database 220 (step 640), ending the C1 flow.

After step C2, the server 100 determines whether a management interface module 110 has changed the security settings (step 650). If not, the server keeps monitoring (step 660). If the settings have changed, the new security settings are transmitted directly through the server-side transmit/receive interface 140 to the client-side transmit/receive interface 240 (step 670); finally the client-side transmit/receive interface 240 stores the new security settings in the client-side database 220 (step 680).

Although the present invention has been disclosed above by way of preferred embodiments, these are not intended to limit the invention. Anyone skilled in the art may make minor changes and refinements without departing from the spirit and scope of the invention, and the scope of protection of the invention

shall be that defined by the appended claims.

Brief Description of the Drawings

Fig. 1 is the system architecture diagram of the encryption system for protecting internal business data from outflow according to the invention;
Fig. 2 is a schematic diagram of the client of the invention writing data to an external storage device;
Fig. 3 is a diagram of the relationship between the server and a plurality of clients according to the invention;
Fig. 4-a is flowchart (1) of the encryption method for protecting internal business data from outflow according to the invention;
Fig. 4-b is flowchart (2) of the encryption method for protecting internal business data from outflow according to the invention;
Fig. 5 is a detailed flowchart of the server of the invention establishing the server-side database;
Fig. 6-a is detailed flowchart (1) of the client's active connection mode according to the invention;
Fig. 6-b is detailed flowchart (2) of the client's active connection mode according to the invention;
Fig. 7-a is a detailed flowchart of the client's passive connection mode in which the server notifies a settings change;
Fig. 7-b is a detailed flowchart of the client's passive connection mode in which the server transmits the changed settings directly.

[Description of Reference Numerals]

100 server
110 management interface module


120 server-side database
130 Active Directory module
140 server-side transmit/receive interface
200 client
200a to 200n clients
210 core function module
220 client-side database
230 user interface module
240 client-side transmit/receive interface
240a to 240n client-side transmit/receive interfaces
300 external storage device
350 encrypted security file

Step 400 A server establishes a server-side database and its maintenance function
Step 402 A management interface module is established so that it can enter the server-side database and perform access functions
Step 404 Employee and department group data is obtained through an Active Directory module
Step 406 The data is stored into the server-side database
Step 410 A client selects a mode and connects to the server
Step 415 Active connection mode
Step 420 Passive connection mode
Step 430 The client obtains and confirms the latest data from the server and operates stand-alone
Step 440 The client determines whether there is a command to write a file to an external storage device
Step 450 The client keeps monitoring
Step 460 The client obtains a security setting from a client-side database
Step 470 The client determines from the security setting whether the write-out of the file must be controlled
Step 480 The file is written to the external storage device by an encryption method as a security file
Step 490 The file is written directly to the external storage device as a plain file
Step 495 A record of the written-out file is stored in the server-side database
Step 500 A feature of the client is obtained from a client-side database
Step 502 A synchronize-data command is sent through a client-side transmit/receive interface
Step 504 The synchronize-data command is received through a server-side transmit/receive interface and passed to the server-side database
Step 506 The server-side database checks whether the feature is correct
Step 510 The server-side database determines whether the client-side database needs a synchronization comparison
Step 520 An error message is returned to the client
Step 522 The client places restrictions on the client-side database to prevent data outflow
(step number illegible in the scan) The updated data of the server-side database is transmitted through the server-side transmit/receive interface
(step number illegible in the scan) The client-side transmit/receive interface receives the data and stores it into the client-side database
Step 540 The record of the written-out file is stored in the server-side database
Step 600 The server determines whether a management interface module has changed the security settings
Step 610 The server keeps monitoring
Step 620 The server notifies each client through the server-side transmit/receive interface that the security settings must change
Step 630 Each client receives the notification through its client-side transmit/receive interface and asks the server-side transmit/receive interface to retrieve the new security settings
Step 640 The server returns the new security settings to the client through the management interface module, and the client stores them in the client-side database
Step 650 The server determines whether a management interface module has changed the security settings
Step 660 The server keeps monitoring
Step 670 The new security settings are transmitted directly through the server-side transmit/receive interface to the client-side transmit/receive interface
Step 680 The client-side transmit/receive interface stores the new security settings in the client-side database

Claims (1)

Scope of patent claims

1. An encryption system for protecting data within an enterprise from leakage, composed of a server end and at least one user end, wherein the server end completely records every write-out action and the user end encrypts each written-out file, so as to prevent enterprise data from leaking, the system further comprising:
   the server end, which receives and transmits data, integrates and manages the data inside the enterprise, stores a security setting together with the usage records of the user end, and has the function of updating the security setting data held on the user end, and comprises at least:
   a server-side database, which provides a space to store the server end's data and other externally input data and makes that data directly accessible;
   a management interface module, which provides a management interface through which system operators can issue commands directly and manage the server end;
   an Active Directory module, which can obtain enterprise employee and department group data through the Lightweight Directory Access Protocol (LDAP) and store it back in the server-side database; and
   a server-side transmit/receive interface, which receives the user end's data, stores it back in the server-side database, and transmits the data the server end wishes to send out; and
   the user end, which receives and transmits data and, operating under the security setting, performs the writing out of a general file or a secure file so as to achieve data protection, and comprises at least:
   a user-side database, which provides a space to store the user end's data and other externally input data and makes that data directly accessible;
   a core function module, which is a protection mechanism that prevents data from leaking out of the user end and uses the security setting to distinguish the general file from the secure file;
   a user interface module, which is a user interface that, after obtaining the security setting, encrypts a file being written out and, when that written-out file is sent to an external storage device, requests the core function module to release it; and
   a user-side transmit/receive interface, which receives the server end's data, stores it back in the user-side database, and transmits the data the user end wishes to send out.

2. The encryption system for protecting data within an enterprise from leakage as claimed in claim 1, wherein the user end and the server end are connected through an enterprise-internal local area network (Intranet).

3. The encryption system for protecting data within an enterprise from leakage as claimed in claim 1, wherein the security setting is arranged according to different user names and a specific machine signal of the computer.

4. The encryption system for protecting data within an enterprise from leakage as claimed in claim 3, wherein the encryption may be an asymmetric encryption or a symmetric encryption.

5. The encryption system for protecting data within an enterprise from leakage as claimed in claim 4, wherein the asymmetric encryption may be any one chosen from the combination of public key infrastructure (PKI), the RSA algorithm and elliptic curve cryptography.

6. The encryption system for protecting data within an enterprise from leakage as claimed in claim 4, wherein the symmetric encryption may be any one chosen from the combination of Blowfish, Triple DES, DES, IDEA, RC5, CAST-128 and RC2.

7. The encryption system for protecting data within an enterprise from leakage as claimed in claim 1, wherein the general file is a file that has not been encrypted and is presented in plaintext.

8. The encryption system for protecting data within an enterprise from leakage as claimed in claim 1, wherein the secure file is a file that has been encrypted and is presented in ciphertext.

9. The encryption system for protecting data within an enterprise from leakage as claimed in claim 1, wherein the external storage device may be any one chosen from the combination of a floppy disk drive, an optical disc drive, a ZIP drive, an MO drive, a disc burner, a Universal Serial Bus (USB) cable connected to another USB cable, a parallel port cable, a serial port cable and a mobile information storage device.

10. The encryption system for protecting data within an enterprise from leakage as claimed in claim 1, wherein the server end stores a record file of written-out files, the record file containing at least the following fields: a time of the write-out, a computer machine identification code, a user name, a name of the written-out file, a file thumbprint (MD5 data structure) and a random fragment of the content.

11. An encryption method for protecting data within an enterprise from leakage, wherein a server end completely records every write-out action and a user end encrypts each written-out file, so as to prevent enterprise data from leaking, the method comprising at least the following steps:
   establishing, through the server end, a server-side database and its maintenance function;
   the user end selecting, according to different modes, how to connect to the server end;
   the user end obtaining and confirming the latest data of the server end and then operating stand-alone;
   the user end determining whether there is a command to write a file's data out to an external storage device;
   the user end obtaining a security setting from a user-side database;
   the user end determining, according to the security setting, whether the write-out of that file must be controlled and, for a secure file, writing the file out to the external storage device through an encryption method; and
   storing the record file of the written-out file in the server-side database.

12. The encryption method for protecting data within an enterprise from leakage as claimed in claim 11, wherein establishing the server-side database and its maintenance function through the server end comprises the following steps:
   establishing a management interface module that can enter the server-side database and perform access functions;
   obtaining enterprise employee and department group data through an Active Directory module; and
   storing that data in the server-side database.

13. The encryption method for protecting data within an enterprise from leakage as claimed in claim 11, wherein in the step of the user end selecting, according to different modes, how to connect to the server end, the different modes are divided into an active connection mode and a passive connection mode.

14. The encryption method for protecting data within an enterprise from leakage as claimed in claim 13, wherein the active connection mode comprises the following steps:
   obtaining a feature of the user end from the user-side database;
   sending a synchronize-data command through the user-side transmit/receive interface;
   receiving the synchronize-data command through the server-side transmit/receive interface and entering the server-side database;
   the server-side database checking whether the feature is correct;
   the server-side database determining whether the user-side database needs to be updated;
   transmitting the data updated in the server-side database through the server-side transmit/receive interface; and
   the user-side transmit/receive interface receiving that data and storing it in the user-side database.

15. The encryption method for protecting data within an enterprise from leakage as claimed in claim 14, wherein the feature is a computer machine identification code and a user name.

16. The encryption method for protecting data within an enterprise from leakage as claimed in claim 14, wherein the feature is a computer machine identification code or a user name.

17. The encryption method for protecting data within an enterprise from leakage as claimed in claim 14, wherein the moment that triggers the active connection mode may be any one chosen from the combination of the user end needing to retrieve data from the server end, the first network connection after boot, and a time period freely set by the user end.

18. The encryption method for protecting data within an enterprise from leakage as claimed in claim 13, wherein the passive connection mode is further divided into changing the setting by notification from the server end and changing the setting by direct transmission from the server end.

19. The encryption method for protecting data within an enterprise from leakage as claimed in claim 18, wherein changing the setting by notification from the server end comprises the following steps:
   the server end determining whether a management interface module has changed the security setting;
   the server end notifying each user end, through the server-side transmit/receive interface, that the security setting must be changed;
   each user end receiving the notification signal through the user-side transmit/receive interface and requesting the new security setting from the server-side transmit/receive interface; and
   the server end returning the new security setting to the user end through the management interface module, and the user end storing it in the user-side database.

20. The encryption method for protecting data within an enterprise from leakage as claimed in claim 18, wherein changing the setting by direct transmission from the server end comprises the following steps:
   the server end determining whether a management interface module has changed the security setting;
   transmitting the new security setting directly through a server-side transmit/receive interface to a user-side transmit/receive interface; and
   the user-side transmit/receive interface storing the new security setting in the user-side database.

21. The encryption method for protecting data within an enterprise from leakage as claimed in claim 11, wherein the external storage device may be any one chosen from the combination of a floppy disk drive, an optical disc drive, a ZIP drive, an MO drive, a disc burner, a Universal Serial Bus (USB) cable connected to another USB cable, a parallel port cable, a serial port cable and a mobile information storage device.

22. The encryption method for protecting data within an enterprise from leakage as claimed in claim 11, wherein the security setting is arranged according to different user names and a specific machine signal of the computer.

23. The encryption method for protecting data within an enterprise from leakage as claimed in claim 11, wherein the encryption method may be an asymmetric encryption or a symmetric encryption.

24. The encryption method for protecting data within an enterprise from leakage as claimed in claim 23, wherein the asymmetric encryption may be any one chosen from the combination of public key infrastructure (PKI), the RSA algorithm and elliptic curve cryptography.

25. The encryption method for protecting data within an enterprise from leakage as claimed in claim 23, wherein the symmetric encryption may be any one chosen from the combination of Blowfish, Triple DES, DES, IDEA, RC5, CAST-128 and RC2.

26. The encryption method for protecting data within an enterprise from leakage as claimed in claim 11, wherein the record file of the written-out file contains at least the following fields: a time of the write-out, a computer machine identification code, a user name, a name of the written-out file, a file thumbprint (MD5 data structure) and a random fragment of the content.

27. The encryption method for protecting data within an enterprise from leakage as claimed in claim 11, wherein the user end and the server end are connected through an enterprise-internal local area network (Intranet).
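The claims describe a write-out log record (claims 10 and 26: time, machine identification code, user name, file name, MD5 thumbprint, random content fragment), a security setting keyed by user name and machine (claim 3), and a server that checks the reporting user end's "feature" before synchronising (claims 14 to 16). The following Python is an added worked example of that data flow, written for this page; it is not code from the patent or from Fineart Technology. It assumes a fragment length of 16 bytes and that the fragment's offset is recorded alongside it (the claims state neither), and it keeps MD5 because the claims name it, using the digest only to correlate a file found on removable media with its log entry, not as a collision-resistant guarantee (a fresh implementation would use SHA-256). Machine names, user names and the sample file content are constructed.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple

FRAGMENT_LEN = 16  # assumption: the claims do not state how long the random fragment is


@dataclass(frozen=True)
class WriteOutRecord:
    """One entry of the server-side write-out log (fields as listed in claims 10 and 26)."""
    written_at: str        # time the file was written out (ISO 8601, UTC)
    machine_id: str        # computer machine identification code
    user_name: str         # user name
    file_name: str         # name of the file written out
    md5_fingerprint: str   # file "thumbprint" (MD5, as the claims specify)
    fragment_offset: int   # assumption: offset of the random fragment, so it can be rechecked later
    fragment_hex: str      # random fragment of the content, hex-encoded


def make_record(machine_id: str, user_name: str, file_name: str, data: bytes,
                offset: Optional[int] = None, now: Optional[str] = None) -> WriteOutRecord:
    """Build the write-out record on the user end, before the file leaves the machine.

    `offset` and `now` default to a random offset and the current UTC time; they are
    parameters only so that a record can be reproduced deterministically in tests.
    """
    if offset is None:
        offset = secrets.randbelow(max(1, len(data) - FRAGMENT_LEN + 1))
    if now is None:
        now = datetime.now(timezone.utc).isoformat()
    fragment = data[offset:offset + FRAGMENT_LEN]
    return WriteOutRecord(
        written_at=now,
        machine_id=machine_id,
        user_name=user_name,
        file_name=file_name,
        md5_fingerprint=hashlib.md5(data).hexdigest(),
        fragment_offset=offset,
        fragment_hex=fragment.hex(),
    )


def matches_file(record: WriteOutRecord, data: bytes) -> bool:
    """Investigator's check: does a file recovered from removable media correspond to this log entry?

    Both the whole-file digest and the logged fragment must agree with the recovered bytes.
    """
    if hashlib.md5(data).hexdigest() != record.md5_fingerprint:
        return False
    fragment = bytes.fromhex(record.fragment_hex)
    return data[record.fragment_offset:record.fragment_offset + len(fragment)] == fragment


class ServerLog:
    """Server end: holds the write-out log and the (user name, machine id) pairs that the
    security setting recognises (claims 3 and 10)."""

    def __init__(self, registered: Set[Tuple[str, str]]):
        self.registered = set(registered)
        self.records: List[WriteOutRecord] = []

    def accept(self, record: WriteOutRecord) -> bool:
        """Store a record only if the reporting user/machine feature is known (claims 14 to 16);
        an unknown pair is rejected rather than logged."""
        if (record.user_name, record.machine_id) not in self.registered:
            return False
        self.records.append(record)
        return True

    def records_for_user(self, user_name: str) -> List[WriteOutRecord]:
        """Audit view: every write-out a given user has reported."""
        return [r for r in self.records if r.user_name == user_name]


# Constructed sample input; not taken from the patent.
SAMPLE_FILE = b"CONSTRUCTED SAMPLE: quarterly sales figures, internal only\n"

if __name__ == "__main__":
    server = ServerLog({("alice", "PC-0001")})          # constructed user/machine pair
    rec = make_record("PC-0001", "alice", "q3-sales.xls", SAMPLE_FILE)
    print("accepted by server:", server.accept(rec))
    print("log entry:", rec)
    print("recovered file matches log:", matches_file(rec, SAMPLE_FILE))
    print("altered file matches log:", matches_file(rec, SAMPLE_FILE + b"x"))
```

The record is built on the user end at the moment of the write-out, so the server's copy exists even if the removable medium is never seen again; `matches_file` is the inverse operation an incident responder runs when a medium does turn up.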
TW92120900A 2003-07-30 2003-07-30 A encryption system and method of securing internal business data TWI237178B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW92120900A TWI237178B (en) 2003-07-30 2003-07-30 A encryption system and method of securing internal business data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW92120900A TWI237178B (en) 2003-07-30 2003-07-30 A encryption system and method of securing internal business data

Publications (2)

Publication Number Publication Date
TW200504510A TW200504510A (en) 2005-02-01
TWI237178B true TWI237178B (en) 2005-08-01

Family

ID=36821359

Family Applications (1)

Application Number Title Priority Date Filing Date
TW92120900A TWI237178B (en) 2003-07-30 2003-07-30 A encryption system and method of securing internal business data

Country Status (1)

Country Link
TW (1) TWI237178B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI573079B (en) * 2007-01-08 2017-03-01 精品科技股份有限公司 Information security management system and method for electronic document

Also Published As

Publication number Publication date
TW200504510A (en) 2005-02-01

Similar Documents

Publication Publication Date Title
US11153290B2 (en) Advanced security protocol for broadcasting and synchronizing shared folders over local area network
US11159312B2 (en) Secure data exchange network
JP5242134B2 (en) Private network system and method
KR101883146B1 (en) Providing devices as a service
US8738750B2 (en) System and method for efficient replication of and access to application specific environments and data
US10382197B1 (en) Key management and dynamic perfect forward secrecy
US9654288B1 (en) Securing group communications
WO2016197764A1 (en) Data processing method, apparatus and system based on mobile application entrance
US11509488B2 (en) Secure time-to-live
US10129260B1 (en) Mutual privacy management
CN110690967A (en) Instant communication key establishment method independent of server security
TWI237178B (en) A encryption system and method of securing internal business data
CN101167333A (en) Method and apppratus for communicating information between devices
US12074882B2 (en) System and method for providing authenticated entities access to a user's metadata and data
TWI244849B (en) An internal business data decryption method
Li et al. Grouper: A Framework for Developing Mobile Applications using a Secret Sharing Scheme and Untrusted Servers
KR20250048631A (en) One-time cloud file upload system without login using transmission code
Suthar et al. PMS-Sharing: Framework for Automatically Authenticating users in a Group to Allow Sharing Storage
AU2013204382B2 (en) A private network and system
Ferguson et al. Key negotiation
Bhutada et al. Adopting Encryption for Intranet File Communication System

Legal Events

Date Code Title Description
MK4A Expiration of patent term of an invention patent