CN115906196A - Mobile storage method, device, equipment and storage medium - Google Patents
Mobile storage method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN115906196A CN115906196A CN202211509987.0A CN202211509987A CN115906196A CN 115906196 A CN115906196 A CN 115906196A CN 202211509987 A CN202211509987 A CN 202211509987A CN 115906196 A CN115906196 A CN 115906196A
- Authority
- CN
- China
- Prior art keywords
- data
- user terminal
- partition
- encryption
- read
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The application discloses a mobile storage method, a device, equipment and a storage medium, which are applied to USB mobile storage equipment, relate to the technical field of safe storage and comprise the following steps: when an access command sent by target management application software is acquired, the identity of the user terminal is authenticated through the WIFI module; if the authentication is passed, analyzing the access command through the encryption chip, and sending the analyzed data to the encryption partition to judge whether the access authority exists; if the access authority exists and the data is write access, encrypting the data to be written according to the analyzed data and writing the encrypted data into the encryption partition; and if the user terminal has the access right and is in read access, acquiring a data packet to be read according to the analyzed data, decrypting the data packet, and sending the decrypted data packet to the user terminal. According to the USB mobile storage device, the WIFI module and the encryption partition are arranged in the USB mobile storage device, data transmission can be carried out without depending on a USB peripheral interface, and safety guarantee is provided for wireless transmission.
Description
Technical Field
The present application relates to the field of secure storage technologies, and in particular, to a mobile storage method, apparatus, device, and storage medium.
Background
In the modern era of technological change, almost all the development of the technology depends on storage, and the data, whether big data or personal data on the cloud, will be stored on the ground finally. USB (Universal Serial Bus) mobile storage devices (such as a USB disk, an SD Card (Secure Digital Memory Card), etc.) have been widely used in intelligent terminals such as computers, mobile phones, tablets, etc. due to their convenience and rapidity.
However, with the rapid development of smart phones and internet technologies, the single data storage function of the USB mobile storage device cannot fully meet the requirements of users at present, which specifically includes: firstly, data in the USB mobile storage equipment cannot be viewed and transmitted or data cannot be backed up in the storage equipment on a terminal without a USB peripheral interface; secondly, the traditional encryption storage technology generally comprises the steps of operating an encryption program after being connected with a computer, then typing in a password, finally entering a USB mobile storage device after encryption or decryption, and solving the risk of password leakage caused by trojans or keyboard recording software from the inside of the computer; thirdly, with the continuous development of information security, the safety awareness of people is continuously strengthened, and the sharing requirements of different security levels are also provided for data with different sensitivity degrees in the USB storage device; fourth, current USB storage devices or media do not have the concept of a user, and all users share the same rights and cannot be given different rights to accomplish different management.
Therefore, how to improve the security and convenience of the USB mobile storage device for data storage is still a problem to be further solved.
Disclosure of Invention
In view of the above, an object of the present application is to provide a mobile storage method, apparatus, device and storage medium, which can perform data transmission without relying on a USB peripheral interface and provide security for wireless transmission. The specific scheme is as follows:
in a first aspect, the present application discloses a mobile storage method, which is applied to a USB mobile storage device, wherein the USB mobile storage device includes a power supply, a USB module, a WIFI module, a public optical drive, an encryption partition, a plaintext partition, and an encryption chip, and includes:
when an access command for accessing the data in the encrypted partition, which is sent by target management application software located at the user terminal, is acquired, authenticating the identity of the user terminal through the WIFI module to obtain an authentication result;
if the authentication result is passed, analyzing the access command through a command analysis module in the firmware of the encryption chip to obtain analyzed data, and sending the analyzed data to the encryption partition;
judging whether the user terminal has access authority or not through the encryption partition;
if the user terminal has the access right and the access command is a write command, encrypting data to be written in the user terminal according to the analyzed data to obtain encrypted data, and writing the encrypted data into the encryption partition;
and if the user terminal has the access right and the access command is a read command, acquiring a data packet to be read from the encryption partition according to the analyzed data, decrypting the data packet to be read to obtain the data to be read, and sending the data to be read to the user terminal.
Optionally, the authenticating the identity of the user terminal by the WIFI module to obtain an authentication result includes:
acquiring a user name and a login password input by a user when the user logs in the target management application software through the WIFI module, and judging whether the user name is matched with the login password;
if the user name is matched with the login password, judging that the identity authentication result of the user terminal passes;
and if the user name is not matched with the login password, judging that the identity authentication result of the user terminal does not pass.
Optionally, before sending the analyzed data to the encryption partition, the method further includes:
and judging whether the analyzed data is correct according to a preset custom data transmission format, if so, executing the step of sending the analyzed data to the encryption partition, and if not, processing the access command in a USB peripheral mode.
Optionally, the encrypting the data to be written in the user terminal to obtain encrypted data includes:
acquiring a target symmetric key and a target asymmetric key randomly generated by the encryption chip from the encryption chip;
and decrypting the target symmetric key by using the target asymmetric key to obtain a decrypted key, verifying the decrypted key, and encrypting the data to be written in the user terminal by using the target symmetric key to obtain encrypted data if the verification is passed.
Optionally, the mobile storage method further includes:
when the situation that the data in the encryption subarea needs to be destroyed is monitored, determining the type of data destruction;
if the data destruction type is full-partition quick destruction, destroying the target symmetric key, the target asymmetric key and the FAT table information of the encrypted partition;
if the data destruction type is full-partition complete destruction, destroying the target symmetric key, the target asymmetric key and the FAT table information, and repeatedly erasing and writing all data in the encrypted partition;
and if the data destruction type is that the specified file is completely destroyed, repeatedly erasing and writing the area corresponding to the specified file or directory.
Optionally, the determining, by the encryption partition, whether the user terminal has an access right includes:
judging whether the current session exceeds a preset session time or not, and if not, judging whether the user name is in a preset blacklist or not;
if the user name is located in the preset blacklist, judging that the user terminal has no access authority, and if the user name is not located in the preset blacklist, judging whether the user name is located in a preset white list;
if the user name is not in a preset white list, judging whether the file or the directory to be accessed in the encryption partition meets a preset sensitivity level requirement, and if not, judging that the user terminal has no access authority;
if the user name is located in the preset white list or the file or the directory to be accessed in the encryption partition meets the sensitivity level requirement, judging whether the file or the directory to be accessed in the encryption partition meets the preset file attribute requirement, if so, judging that the user terminal has access authority, and if not, judging that the user terminal does not have access authority.
Optionally, the sending the data to be read to the user terminal includes:
decrypting a data packet containing the data to be read through the WIFI module to obtain the data to be read, encrypting the data to be read by using a preset session key to obtain encrypted data to be read, and sending the encrypted data to be read to the user terminal; the WIFI module supports an AP mode and a routing mode.
In a second aspect, the present application discloses a mobile storage device, which is applied to a USB mobile storage device, wherein the USB mobile storage device includes a power supply, a USB module, a WIFI module, a public optical drive, an encryption partition, a plaintext partition, and an encryption chip, and includes:
the identity authentication module is used for authenticating the identity of the user terminal through the WIFI module when an access command which is sent by target management application software located at the user terminal and used for accessing the data in the encryption partition is obtained, and an authentication result is obtained;
the access command analysis module is used for analyzing the access command through a command analysis module in the firmware of the encryption chip to obtain analyzed data if the authentication result is that the authentication result passes;
the analysis data sending module is used for sending the analyzed data to the encryption partition;
the access authority judging module is used for judging whether the user terminal has access authority or not through the encryption partition;
the data encryption module is used for encrypting the data to be written in the user terminal according to the analyzed data to obtain encrypted data if the access authority exists and the access command is a write command;
the encrypted data writing module is used for writing the encrypted data into the encrypted partition;
the data packet obtaining and decrypting module is used for obtaining a data packet to be read from the encryption partition according to the analyzed data and decrypting the data packet to be read to obtain the data to be read if the user terminal has the access right and the access command is a read command;
and the data to be read sending module is used for sending the data to be read to the user terminal.
In a third aspect, the present application discloses an electronic device comprising a processor and a memory; wherein the processor implements the aforementioned removable storage method when executing the computer program stored in the memory.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program; wherein the computer program when executed by a processor implements the aforementioned removable storage method.
The method is applied to the USB mobile storage device, wherein the USB mobile storage device comprises a power supply, a USB module, a WIFI module, a public optical drive, an encryption partition, a plaintext partition and an encryption chip, and when an access command for accessing data in the encryption partition, which is sent by target management application software located at a user terminal, is obtained, the identity of the user terminal is authenticated through the WIFI module, and an authentication result is obtained; if the authentication result is passed, analyzing the access command through a command analysis module in the firmware of the encryption chip to obtain analyzed data, and sending the analyzed data to the encryption partition; judging whether the user terminal has access authority or not through the encryption partition; if the user terminal has the access right and the access command is a write command, encrypting data to be written in the user terminal according to the analyzed data to obtain encrypted data, and writing the encrypted data into the encryption partition; and if the user terminal has the access right and the access command is a read command, acquiring a data packet to be read from the encryption partition according to the analyzed data, decrypting the data packet to be read to obtain the data to be read, and sending the data to be read to the user terminal. The WIFI module and the encryption partition are arranged in the USB mobile storage device, data transmission can be carried out without depending on a USB peripheral interface, and safety guarantee is provided for wireless transmission by using safety certification and a cryptographic technology.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow chart of a mobile storage method disclosed herein;
fig. 2 is a structural diagram of a specific wireless USB mobile storage device disclosed in the present application;
FIG. 3 is a diagram of a specific custom data transmission format disclosed herein;
FIG. 4 is a specific command parsing flow chart disclosed herein;
FIG. 5 is a flow chart of a user authentication and negotiation session disclosed herein;
FIG. 6 is a flow chart of a specific mobile storage method disclosed herein;
FIG. 7 is a flow chart of a particular method of mobile storage as disclosed herein;
FIG. 8 is a schematic structural diagram of a mobile storage device disclosed in the present application;
fig. 9 is a block diagram of an electronic device disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
The embodiment of the application discloses a mobile storage method, which is applied to USB mobile storage equipment, wherein the USB mobile storage equipment comprises a power supply, a USB module, a WIFI module, a public optical drive, an encryption partition, a plaintext partition and an encryption chip, and as shown in figure 1, the method comprises the following steps:
step S11: and when an access command for accessing the data in the encrypted partition, which is sent by target management application software positioned at the user terminal, is obtained, authenticating the identity of the user terminal through the WIFI module to obtain an authentication result.
It should be noted that the mobile storage solution provided in this embodiment is applied to a USB mobile storage device, where the USB mobile storage device includes a power supply, a USB module, a WIFI module, a public optical drive, an encryption partition, a plaintext partition, and an encryption chip. Specifically, referring to fig. 2, different from the conventional USB mobile storage device, the USB mobile storage device in this embodiment may access data through a USB peripheral interface, and in addition, a wireless WIFI module and an encryption chip are added to a hardware component, and the data storage module is divided into three independent partitions, which are a public optical drive, an encryption partition, and a plaintext partition, and each partition has its own functionality and privacy; the WIFI module is used for providing an interaction channel for data interaction between the USB mobile storage device and a host machine (namely a user terminal), so that the WIFI module does not depend on a USB peripheral interface any more, meanwhile, the WIFI module provides security guarantee for wireless transmission by using a security authentication and password technology, and the user terminal comprises but is not limited to a computer, a mobile phone, a tablet and the like; the encryption chip encrypts and decrypts the encrypted partition data through a hardware encryption technology, so that the security and the privacy of the encrypted partition data are guaranteed.
Further, after the USB mobile storage device is created, a management Application (APP, application) that is matched with the USB mobile storage device needs to be created, that is, the target management Application, the management Application is installed in the user terminal, can be wirelessly connected with the USB mobile storage device, and can directly perform operation management on the USB mobile storage device through a file browser in the management Application, where the operation management includes, but is not limited to, wireless WIFI management, user management, rights management, storage management, log management, and the like. It should be noted that the USB mobile storage device in the present application supports both USB peripheral and WIFI access, when accessing the USB mobile storage device through WIFI, the public optical drive and the plaintext partition in the USB mobile storage device may be directly operated and managed through a file browser in the management application software, and the encrypted partition may be accessed only after logging in the management application software, for example, a user logs in the management application software by inputting a user name and a password, and when the management application software monitors that the user name and the password input by the user match, it shows that the login is successful, and at this time, the user may operate and manage the public optical drive, the encrypted partition, and the plaintext partition; if the user name and the password are not matched, the user can only operate and manage the public optical drive and the plaintext subarea. In addition, when a user accesses the USB mobile storage device through the USB peripheral interface, the USB mobile storage device can be identified as a public optical drive and a plaintext partition, and the encryption partition is invisible.
In this embodiment, when the USB mobile storage device obtains an access command sent by target management application software on a user terminal to access data in the encrypted partition, the identity of the user terminal is authenticated by the WIFI module first, so as to obtain a corresponding authentication result. For example, the WIFI module authenticates according to a user name and a password input when the user logs in the target management application software, and if the user name and the password are matched, the authentication is successful, which indicates that the identity of the user is legal. It is understood that the user name and password input when the user logs in the target management application software are preset by an administrator managing the USB mobile storage device.
It should be noted that, the USB mobile storage device Only has a public optical drive and a plaintext partition by default when leaving a factory, and the encrypted partition needs to be used after being formatted by target management application software, where the public optical drive and the plaintext partition have the same functions and uses as CD ROM (Compact disc Read Only Memory) optical drive media and common USB storage media. Specifically, when the USB mobile storage device leaves the factory, initialization is required, such as allocating the capacities of the public optical drive and the plaintext partition, writing a specified ISO (Isolation) file in the public optical drive, formatting a file system of the plaintext partition, initializing the WIFI module to a routing mode, and the like; after the factory setting of the USB mobile storage device is finished, a user firstly inserts the USB mobile storage device into a USB socket or a USB interface in an actual using process, then opens corresponding target management application software to scan and connect a wireless USB hotspot, and then enters a configuration interface to set a wireless WIFI password, add an administrator, format a file system of an encryption partition and the like; if the user logs in with the identity of the administrator, a new user can be added, and if the user does not want to add the new user, the user can directly skip the new user; furthermore, if the user accesses the target management application software through a USB peripheral, the user may access the public optical drive and the plaintext partition in the file browser of the target management application software, and if the user needs to manage the USB mobile storage device or access the encrypted partition, the user needs to open the target management application software on a user terminal, such as a computer terminal or a mobile phone terminal, and perform configuration management in each function module in the target management application software; if accessed through WIFI, the target management application software must be used to scan for USB hotspots and manage them after successful connection.
Step S12: and if the authentication result is that the access command passes, analyzing the access command through a command analysis module in the firmware of the encryption chip to obtain analyzed data, and sending the analyzed data to the encryption partition.
In this embodiment, after the identity of the user terminal is authenticated by the WIFI module to obtain an authentication result, if the authentication result is a pass, the access command is further analyzed by a command analysis module located in the firmware of the encryption chip to obtain corresponding analyzed data, and then the analyzed data is sent to the encryption partition.
In this embodiment, before sending the analyzed data to the encryption partition, the method specifically further includes: and judging whether the analyzed data is correct or not according to a preset custom data transmission format, if so, executing the step of sending the analyzed data to the encryption partition, and if not, processing the access command according to a USB peripheral mode. It should be noted that, because the USB mobile storage device supports two access modes, namely, a USB peripheral and a wireless access mode, a command parsing module is added to the firmware of the USB mobile storage device, and a data transmission format is defined, as shown in fig. 3, the data transmission format may specifically include: command header, session information length, session information, data source, command category, operation command, command argument 1, command argument 2, send data length, send data, and expected return data command header. In a specific implementation manner, the command parsing module may first determine whether the command header is correct, if the command header is incorrect, the current access is treated as an access mode of a USB peripheral device, and is processed by an SCSI (Small Computer System Interface) module, so that the SCSI standard command sent by target management application software on the user terminal may be responded, and the target management application software may identify a public optical drive and a plaintext partition by sending a series of commands such as request device description and request configuration description and display the public optical drive and the plaintext partition in a file browser of the target management application software, so as to operate data in the public optical drive and the plaintext partition in the file browser; if the encrypted partition needs to be accessed, the target management application software must be opened on the user terminal, the data in the encrypted partition is accessed in a file browser built in the target management application software after login is successful and the access authority is judged, so that the USB peripheral access is completed. Further, if the command header is analyzed to be normal, the command analysis module will deliver the analyzed data to a corresponding management module in the firmware according to the command category in the data transmission format for processing, such as a storage management module, a user management module, a WIFI management module, and the like, and each management module executes different operations according to different operation commands, for example, as shown in fig. 4, the user management module supports operations of adding, deleting, changing, and the like of a user; if the USB mobile storage equipment needs to be accessed on the computer terminal or the mobile phone terminal in a wireless WIFI mode, the target management application software needs to be used, USB hotspot scanning is firstly carried out on the target management application software, then a USB hotspot is found and connected, so that data in the public optical drive and the plaintext partition can be seen in the target management application software, and if the encrypted partition data needs to be accessed, the target management application software needs to be logged in and has access authority.
Step S13: and judging whether the user terminal has the access right or not through the encryption partition.
In this embodiment, after the analyzed data sent by the analyzed data acquired by the encryption partition, whether the user terminal has the right to access the partition is determined. For example, whether a user name and a password input by a user on a user terminal are matched is judged according to the user name and the password, if so, whether the user name is in a preset blacklist is further judged, if not, whether the user name is in a preset white list is further judged, if not, whether a file or a directory to be accessed meets a preset sensitivity level requirement is further judged, and if not, no access authority is judged; if the user name is in the preset white list or the file or the directory to be accessed meets the sensitivity level requirement, further judging whether the file or the directory to be accessed meets the preset file attribute requirement, if so, judging that the user terminal has the access authority, otherwise, judging that the user terminal does not have the access authority.
Step S14: and if the user terminal has the access authority and the access command is a write command, encrypting the data to be written in the user terminal according to the analyzed data to obtain encrypted data, and writing the encrypted data into the encryption partition.
In this embodiment, if the user terminal has an access right and the access command is a write command for writing data in the user terminal into the encryption partition, the encryption partition may further determine, according to the analyzed data, data to be written from the user terminal, encrypt the data to be written to obtain encrypted data, and store the encrypted data in a local storage area, that is, write the encrypted data into the encryption partition.
Step S15: and if the user terminal has the access right and the access command is a read command, acquiring a data packet to be read from the encryption partition according to the analyzed data, decrypting the data packet to be read to obtain the data to be read, and sending the data to be read to the user terminal.
In this embodiment, if the user terminal has an access right and the access command is a read command for reading data in the encrypted partition to the user terminal, a data packet to be read may be obtained from the encrypted partition according to the parsed data, and then the data packet to be read may be decrypted to obtain data to be read, and then the data to be read may be sent to the user terminal.
Specifically, the sending the data to be read to the user terminal includes: decrypting a data packet containing the data to be read through the WIFI module to obtain the data to be read, encrypting the data to be read by using a preset session key to obtain encrypted data to be read, and sending the encrypted data to be read to the user terminal; the WIFI module supports an AP mode and a routing mode. In this embodiment, since all data in the encryption partition is stored after being encrypted, the asymmetric key is required to be used to decrypt the encrypted symmetric key, the encrypted data to be read is decrypted after the plaintext symmetric key is obtained, the decrypted plaintext data to be read is obtained, the pre-generated session key is used to encrypt the plaintext data to be read, and finally the encrypted data to be read is sent to the user terminal. It should be noted that the WIFI module in the USB mobile storage device supports an AP (Access Point) mode and a routing mode, where the AP mode can provide possibility for remote Access and social sharing, and the routing mode provides physical isolation to prevent the device from being attacked by an external malicious network. Meanwhile, the WIFI module can also provide management services such as security authentication management, session management, timeout management and the like for each user, so that the security of a wireless transmission link between the user terminal and the USB storage device is guaranteed, and user passwords, transmission data and the like are prevented from being intercepted in a network environment. In addition, the security of the wireless transmission link mainly depends on a session key negotiated during security authentication, and all transmission data in the link can be transmitted after being encrypted and protected by using the session key. Specifically, referring to fig. 5, fig. 5 shows a specific security authentication process, when it is detected that a user inputs a user name and a password in a login interface of target management application software, the target management application software performs HASH operation on the password, stores the user name and the password HASH value in a memory of the target management application software for subsequent use, then initiates a connection request to the USB mobile storage device, after receiving the request, the USB mobile storage device establishes a connection and responds to a random number, after receiving the random number, the target management application software immediately generates an ECC (Elliptic Curve Cryptography) key pair and signs the random number with the key pair, and calculates session key agreement data with the key pair, then sending the random number signature value, the session key negotiation data and the stored user name and password HASH value obtained by calculation to the USB mobile storage device, after the USB mobile storage device receives the data, verifying whether the user name, the password HASH value and the random number signature value are valid or not, if the verification is correct, generating an ECC key pair, calculating a session key by using the key pair and the session key negotiation data of the target management application software, then calculating the session key negotiation data of the USB mobile storage device end, storing the session key and the session information after the calculation is completed, then returning the negotiation data and the session information of the USB mobile storage device end to the target management application software, after the target management application software receives the response data, storing the session information and calculating the session key by using the negotiation data returned by the USB mobile storage device end, storing the session key after the calculation is completed and sending hello request by using the session key encryption, the USB mobile storage equipment decrypts the data and verifies the hello request by using the session key stored in the front after receiving the encrypted data, the encrypted hello response is returned after verification is correct, the target management application software decrypts the hello response and verifies whether the hello response data is the hello response data or not after receiving the encrypted hello response, the encrypted hello response confirmation is returned after verification is correct, and the USB mobile storage equipment verifies the hello response confirmation until the whole authentication process is finished. That is, the whole authentication process will complete the correctness verification of the user name and the password, and also complete the negotiation of the session key, and ensure the correctness of the negotiated session key through hello request, response and confirmation, and all the requests of the subsequent users and the responses of the devices will be encrypted and protected through the session key, thereby ensuring the security of the link.
The embodiment of the application is applied to the USB mobile storage device, wherein the USB mobile storage device comprises a power supply, a USB module, a WIFI module, a public optical drive, an encryption partition, a plaintext partition and an encryption chip, and when an access command for accessing data in the encryption partition, which is sent by target management application software located at a user terminal, is obtained, the identity of the user terminal is authenticated through the WIFI module, and an authentication result is obtained; if the authentication result is passed, analyzing the access command through a command analysis module in the firmware of the encryption chip to obtain analyzed data, and sending the analyzed data to the encryption partition; judging whether the user terminal has access authority or not through the encryption partition; if the user terminal has the access right and the access command is a write command, encrypting data to be written in the user terminal according to the analyzed data to obtain encrypted data, and writing the encrypted data into the encryption partition; and if the user terminal has the access right and the access command is a read command, acquiring a data packet to be read from the encryption partition according to the analyzed data, decrypting the data packet to be read to obtain the data to be read, and sending the data to be read to the user terminal. According to the embodiment of the application, the WIFI module and the encryption partition are arranged in the USB mobile storage device, data transmission can be carried out without depending on a USB peripheral interface, and safety guarantee is provided for wireless transmission by using safety certification and a cryptographic technology.
The embodiment of the application discloses a specific mobile storage method, which is applied to a USB mobile storage device, wherein the USB mobile storage device comprises a power supply, a USB module, a WIFI module, a public optical drive, an encryption partition, a plaintext partition and an encryption chip, and as shown in fig. 6, the method comprises the following steps:
step S21: and when an access command for accessing the data in the encryption partition, which is sent by target management application software located at a user terminal, is obtained, a user name and a login password, which are input when a user logs in the target management application software, are obtained through the WIFI module, and whether the user name is matched with the login password is judged.
In this embodiment, in order to ensure the security of accessing the USB mobile storage device wirelessly, when the target management application software of the user terminal sends an access command to the USB mobile storage device, the link may be encrypted in the process of transmitting the access command. Referring to fig. 7, fig. 7 shows a specific mobile storage process, when the USB mobile storage device obtains an access command for accessing data in the encrypted partition after the target management application software transmission link is encrypted, a user name and a login password input when a user logs in the target management application software may be obtained through the WIFI module, and then it is determined whether the user name and the login password are matched.
Step S22: and if the user name is not matched with the login password, the identity authentication result of the user terminal is judged to be failed.
In this embodiment, if the user name is matched with the login password, the identity authentication result of the user terminal is determined to be passed; and if the user name is not matched with the login password, judging that the identity authentication result of the user terminal does not pass.
In this embodiment, in the aspect of user management, users may be divided into an administrator and a general user, where the administrator may perform all operations on the USB mobile storage device, including management of a public optical drive, a plaintext partition, and an encryption partition, storage management, wireless management, user management, authority management, log management, and the like, and is responsible for all management operations of the USB mobile storage device, and the general user may only perform operations related to the storage management. For example, the firmware supports an administrator and a plurality of ordinary users, the ordinary users can only be created by the administrator, and the administrator specifies the user name, the password, the sensitivity level (default none) and the like of the new user, and in the default case, the ordinary users can only access the data in the public optical drive and the plaintext partition, have no access to the data in the encryption partition, and can only access the encryption partition after the administrator gives the permission of the sensitivity level. After the common user takes the user name and the secret key, the common user can complete own user data, modify the password, access a public optical drive/plaintext partition and the like after logging in the target management application software, and if the common user has a sensitive level authority, the common user can also manage data in the encrypted partition through a file browser in the target management application software.
Step S23: and if the authentication result is that the access command passes, analyzing the access command through a command analysis module in the firmware of the encryption chip to obtain analyzed data, and sending the analyzed data to the encryption partition.
In this embodiment, referring to fig. 7, if the authentication result is that the authentication result passes, the encrypted link is decrypted to obtain an access command, then the access command is analyzed by a command analysis module located in the firmware of the encryption chip to obtain analyzed data, and then the analyzed data is sent to the encryption partition.
Step S24: and judging whether the current session exceeds the preset session time, and if not, judging whether the user name is in a preset blacklist.
In this embodiment, after the encrypted partition obtains the analyzed data, it is determined whether the current session exceeds a preset session time, and if not, it is continuously determined whether the user name is in a preset blacklist.
Step S25: and if the user name is not in the preset blacklist, judging whether the user name is in a preset white list.
In this embodiment, if the user name is in the preset blacklist, it is determined that the user terminal has no access right, and if the user name is not in the preset blacklist, it is further determined whether the user name is in a preset white list.
Step S26: if the user name is not in a preset white list, judging whether the file or the directory to be accessed in the encryption partition meets the preset sensitivity level requirement, and if not, judging that the user terminal has no access authority.
In this embodiment, if the user name is not located in the preset white list, it is continuously determined whether the file or directory to be accessed in the encrypted partition meets a preset sensitivity level requirement, and if the file or directory does not meet the sensitivity level requirement, it is determined that the user terminal has no access right, and at this time, a prompt message without access right may be generated on the display page of the target management application software. It should be noted that, in this embodiment, a sensitivity level attribute is added to a file or directory attribute in a file system of the USB mobile storage device, where the sensitivity level is divided into three levels, i.e., a low level, a medium level, and a high level, and corresponding to the user management module, the user has access rights of the three sensitivity levels, i.e., the sensitivity level of the user is uniquely authorized by an administrator, and the user without the sensitivity level right does not have any right to perform any operation on data in the encrypted partition. Normally, a directory or file is visible and operational to a user only if the user's belonging sensitivity level is greater than or equal to the sensitivity level of the accessed directory or file. For specific requirements, the access of specific users can be allowed by adding a user access white list of the directory or the file, and the access of some specific users can be forbidden by adding a user access black list of the directory or the file. When the user is included in both the access white list and the access black list, the access black list is preferentially judged.
Step S27: if the user name is located in the preset white list or the file or the directory to be accessed in the encryption partition meets the sensitivity level requirement, judging whether the file or the directory to be accessed in the encryption partition meets the preset file attribute requirement, if so, judging that the user terminal has access authority, and if not, judging that the user terminal does not have access authority.
In this embodiment, referring to fig. 7, if the user name is located in the preset white list or the file or directory to be accessed in the encryption partition meets the sensitivity level requirement, it is further determined whether the file or directory to be accessed in the encryption partition meets the preset file attribute requirement, if yes, it is determined that the user terminal has an access right, and if not, it is determined that the user terminal does not have an access right. Further, after determining that the file or directory to be accessed in the encrypted partition meets the sensitivity level requirement, the method may further include: and decrypting the prestored symmetric key so as to perform encryption and decryption operations on the data in the encryption partition by using the symmetric key subsequently. It should be noted that the files and directories in the encrypted partition in this embodiment are different from the common attributes of reading, writing, and hiding, and if the files or directories are set as the hidden attributes in this embodiment, they are invisible to other users and cannot perform any operation, and only the creator itself or the administrator can perform operations such as checking, modifying, or deleting; if the file or the directory only has a read attribute, other users only have read access, and only the creator or the administrator can modify or delete the file or the directory.
Step S28: and if the user terminal has the access right and the access command is a write command, acquiring a target symmetric key and a target asymmetric key randomly generated by the encryption chip from the encryption chip.
In this embodiment, in order to increase the storage security of the data in the encryption chip, the encryption partition may automatically complete encryption and decryption of the data through the encryption chip in the process of reading and writing the data, where a storage key (e.g., a symmetric key) required for encryption and decryption is randomly generated by the encryption chip when the encryption partition is formatted, the randomly generated symmetric key is encrypted by a protection key, e.g., an asymmetric key (SM 2 or RSA key, etc.), and then stored in the FLASH of the USB mobile storage device, and the asymmetric key is randomly generated before the symmetric key is generated and stored in the FLASH. On the protection of the asymmetric key, three means can be adopted for protection: firstly, carrying out encryption protection on an asymmetric key through a self-defined rule; secondly, the FLASH file system realized by firmware stores the asymmetric key in segments, and the randomness of each segment in storage is guaranteed; and thirdly, the authority protection sets that only the user who encrypts the partition use authority can use the asymmetric key. The data protected by the symmetric key and the asymmetric key has to go through the following processes in one read/write operation process: firstly, judging user authority, if so, decrypting the symmetric key by using the asymmetric key, then verifying the symmetric key to ensure the validity of read/write operation, then decrypting/encrypting data by using the symmetric key, and finally reading/writing data.
Step S29: and decrypting the target symmetric key by using the target asymmetric key to obtain a decrypted key, verifying the decrypted key, encrypting data to be written in the user terminal by using the target symmetric key to obtain encrypted data if the verification is passed, and writing the encrypted data into the encryption partition.
In this embodiment, after a target symmetric key and a target asymmetric key randomly generated by the cryptographic chip are obtained from the cryptographic chip, the target symmetric key is decrypted by using the target asymmetric key to obtain a decrypted key, the decrypted key is verified, if the verification is passed, the target symmetric key is used to encrypt data to be written in the user terminal to obtain corresponding encrypted data, and the encrypted data is written in the encryption partition.
Step S210: and if the user terminal has the access right and the access command is a read command, acquiring a data packet to be read from the encryption partition according to the analyzed data, decrypting the data packet to be read to obtain the data to be read, and sending the data to be read to the user terminal.
In this embodiment, if the user terminal has an access right and the access command is a read command, the data packet to be read may be obtained from the encryption partition according to the analyzed data, and then the data packet to be read is decrypted to obtain data to be read, and then the data to be read is encrypted by a link and sent to the user terminal.
In this embodiment, in order to further enhance the data security of the encryption partition, a destruction function may be added to the firmware of the USB mobile storage device, so that a user may rapidly and effectively destroy the data in the encryption partition, and the possibility of recovering the destroyed data is minimized. The method specifically comprises the following steps: when the situation that the data in the encryption subarea needs to be destroyed is monitored, determining the type of data destruction; if the data destruction type is full-partition rapid destruction, destroying the target symmetric key, the target asymmetric key and the FAT table information of the encrypted partition; if the data destruction type is full-partition complete destruction, destroying the target symmetric key, the target asymmetric key and the FAT table information, and repeatedly erasing and writing all data in the encrypted partition; and if the data destruction type is that the specified file is completely destroyed, repeatedly erasing and writing the area corresponding to the specified file or directory. In this embodiment, the destruction function is specifically divided into three modes, which are respectively: the method comprises the steps of quick destruction of a full partition, the thorough destruction of the full partition and the thorough destruction of specified files, wherein the quick destruction of the full partition mainly destroys target symmetric keys, target asymmetric keys, file Allocation Table (FAT) Table information and the like in an encrypted partition, so that a File system of the encrypted partition cannot be normally accessed, and the mode has high destruction speed due to less erased data; the full partition completely destroys not only the target symmetric key, the target asymmetric key, the FAT table information and the like, but also the whole encrypted partition can be repeatedly erased and written, for example, the encrypted partition is filled with 0 or random numbers, the stored data is completely changed and covered to prevent the data from being recovered, and meanwhile, the user can also specify the repeated erasing times to reduce the possibility of being recovered, but because the full partition is erased and written, the data destruction speed in the mode is very low; the designated file is thoroughly destroyed, so that a user can freely select files or catalogues to be destroyed without destroying the files or catalogues in a full partition mode, the degree of freedom and the flexibility are high, the designated area can be erased repeatedly by using 0 or random numbers, then the files or catalogues to be erased are erased repeatedly according to the erasing times designated by the user, and the files or catalogues to be erased are deleted after the erasing is completed, so that the files or catalogues to be erased are thoroughly destroyed and deleted from the firmware file system.
Therefore, the embodiment of the application discloses a USB mobile storage device with wireless WIFI and matched management application software, a data storage module adopts three independent partitions, each partition has own functionality and privacy, a storage medium adopts an encryption chip hardware encryption technology to ensure the security and the privacy of data storage, wherein the wireless WIFI module can realize data interaction between the USB storage device and a host machine without depending on a USB peripheral interface, and simultaneously, the security authentication and the password technology are used for providing security guarantee for wireless transmission, so that a user terminal and the distance are not limited, and the privacy of a security chip is added for supporting, so that the USB mobile storage is faster and safer; in the aspect of authority priority, the authority priority of file attributes of access blacklist, access whitelist, sensitive level is adopted, so that the authority control is more possible, and the sharing and storage requirements of users with different security levels can be better met; by realizing the file system in the USB mobile storage device, the method can better meet the changing management and customization requirements of users and can also strengthen the safety attribute of the device; in addition, the validity and timeliness of the access of the USB mobile storage equipment can be ensured through user authentication, session management and the like.
Correspondingly, the embodiment of the present application further discloses a mobile storage device, which is applied to a USB mobile storage device, wherein the USB mobile storage device includes a power supply, a USB module, a WIFI module, a public optical drive, an encryption partition, a plaintext partition and an encryption chip, and as shown in fig. 8, the device includes:
the identity authentication module 11 is configured to authenticate the identity of the user terminal through the WIFI module to obtain an authentication result when an access command, sent by target management application software located in the user terminal, for accessing data in the encrypted partition is obtained;
the access command analysis module 12 is configured to analyze the access command through a command analysis module located in the firmware of the cryptographic chip to obtain analyzed data if the authentication result is that the authentication result passes;
an analysis data sending module 13, configured to send the analyzed data to the encryption partition;
an access right judging module 14, configured to judge whether the user terminal has an access right through the encryption partition;
the data encryption module 15 is configured to encrypt data to be written in the user terminal according to the analyzed data to obtain encrypted data if the access right exists and the access command is a write command;
an encrypted data writing module 16, configured to write the encrypted data into the encryption partition;
a data packet obtaining and decrypting module 17, configured to, if the user terminal has an access right and the access command is a read command, obtain a data packet to be read from the encryption partition according to the analyzed data, and decrypt the data packet to be read to obtain the data to be read;
and a to-be-read data sending module 18, configured to send the to-be-read data to the user terminal.
For the specific work flow of each module, reference may be made to corresponding content disclosed in the foregoing embodiments, and details are not repeated here.
The embodiment of the application is applied to the USB mobile storage device, wherein the USB mobile storage device comprises a power supply, a USB module, a WIFI module, a public optical drive, an encryption partition, a plaintext partition and an encryption chip, and when an access command for accessing data in the encryption partition, which is sent by target management application software located at a user terminal, is obtained, the identity of the user terminal is authenticated through the WIFI module, and an authentication result is obtained; if the authentication result is passed, analyzing the access command through a command analysis module in the firmware of the encryption chip to obtain analyzed data, and sending the analyzed data to the encryption partition; judging whether the user terminal has access authority or not through the encryption partition; if the user terminal has the access right and the access command is a write command, encrypting data to be written in the user terminal according to the analyzed data to obtain encrypted data, and writing the encrypted data into the encryption partition; and if the user terminal has the access right and the access command is a read command, acquiring a data packet to be read from the encryption partition according to the analyzed data, decrypting the data packet to be read to obtain the data to be read, and sending the data to be read to the user terminal. According to the embodiment of the application, the WIFI module and the encryption partition are arranged in the USB mobile storage device, data transmission can be carried out without depending on a USB peripheral interface, and safety guarantee is provided for wireless transmission by using safety certification and a cryptographic technology.
In some specific embodiments, the identity authentication module 11 may specifically include:
the login information acquisition unit is used for acquiring a user name and a login password input by a user when the user logs in the target management application software through the WIFI module;
the first judgment unit is used for judging whether the user name is matched with the login password;
a first determination unit, configured to determine that an identity authentication result of the user terminal passes if the user name matches the login password;
and the second judgment unit is used for judging that the identity authentication result of the user terminal does not pass if the user name is not matched with the login password.
In some specific embodiments, before the parsing data sending module 13, the method may further include:
the second judging unit is used for judging whether the analyzed data is correct or not according to a preset user-defined data transmission format;
an analyzed data sending unit, configured to execute the step of sending the analyzed data to the encryption partition if the analyzed data is correct;
and the processing unit is used for processing the access command in a USB peripheral mode if the analyzed data is incorrect.
In some specific embodiments, the data encryption module 15 may specifically include:
a key obtaining unit, configured to obtain, from the cryptographic chip, a target symmetric key and a target asymmetric key that are randomly generated by the cryptographic chip;
the key decryption unit is used for decrypting the target symmetric key by using the target asymmetric key to obtain a decrypted key;
the key verification unit is used for verifying the decrypted key;
and the first data encryption unit is used for encrypting the data to be written in the user terminal by using the target symmetric key to obtain encrypted data if the verification is passed.
In some specific embodiments, the mobile storage device may further include:
the data destruction type monitoring unit is used for determining the type of data destruction when the data in the encryption subarea needs to be destroyed;
the first information destruction unit is used for destroying the target symmetric key, the target asymmetric key and the FAT table information of the encrypted partition if the data destruction type is full-partition rapid destruction;
the second information destruction unit is used for destroying the target symmetric key, the target asymmetric key and the FAT table information if the data destruction type is complete partition destruction, and repeatedly erasing and writing all data in the encrypted partition;
and the third information destruction unit is used for repeatedly erasing and writing the area corresponding to the specified file or directory if the data destruction type is that the specified file is completely destroyed.
In some specific embodiments, the access right determining module 14 may specifically include:
the conversation time judging unit is used for judging whether the current conversation exceeds the preset conversation time or not;
the third judging unit is used for judging whether the user name is positioned in a preset blacklist or not if the current session does not exceed the preset session time;
a third determination unit, configured to determine that the user terminal has no access right if the user name is located in the preset blacklist;
a fourth judging unit, configured to judge whether the user name is in a preset white list if the user name is not in the preset black list;
a fifth judging unit, configured to judge whether a file or a directory to be accessed in the encrypted partition meets a preset sensitivity level requirement if the user name is not in a preset white list;
a fourth determination unit, configured to determine that the user terminal has no access right if the file or the directory to be accessed in the encrypted partition does not meet the sensitivity level requirement;
a sixth judging unit, configured to judge whether the file or the directory to be accessed in the encryption partition meets a preset file attribute requirement if the user name is located in the preset white list or the file or the directory to be accessed in the encryption partition meets the sensitivity level requirement;
and the fifth judging unit is used for judging that the user terminal has the access authority if the file or the directory to be accessed in the encryption partition meets the file attribute requirement, and judging that the user terminal does not have the access authority if the file or the directory to be accessed in the encryption partition does not meet the file attribute requirement.
In some specific embodiments, the to-be-read data sending module 18 may specifically include:
the data decryption unit is used for decrypting a data packet containing the data to be read through the WIFI module to obtain the data to be read;
the second data encryption unit is used for encrypting the data to be read by using a preset session key to obtain encrypted data to be read;
a to-be-read data sending unit, configured to send the encrypted to-be-read data to the user terminal; the WIFI module supports an AP mode and a routing mode.
Further, an electronic device is disclosed in the embodiments of the present application, and fig. 9 is a block diagram of an electronic device 20 according to an exemplary embodiment, which should not be construed as limiting the scope of the application.
Fig. 9 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present disclosure. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. Wherein, the memory 22 is used for storing a computer program, and the computer program is loaded and executed by the processor 21 to implement the relevant steps in the mobile storage method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 23 is configured to provide a working voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and a communication protocol followed by the communication interface is any communication protocol applicable to the technical solution of the present application, and is not specifically limited herein; the input/output interface 25 is configured to obtain external input data or output data to the outside, and a specific interface type thereof may be selected according to specific application requirements, which is not specifically limited herein.
In addition, the storage 22 is used as a carrier for resource storage, and may be a read-only memory, a random access memory, a magnetic disk or an optical disk, etc., and the resources stored thereon may include an operating system 221, a computer program 222, etc., and the storage manner may be a transient storage or a permanent storage.
The operating system 221 is used for managing and controlling each hardware device on the electronic device 20 and the computer program 222, and may be Windows Server, netware, unix, linux, or the like. The computer program 222 may further include a computer program that can be used to perform other specific tasks in addition to the computer program that can be used to perform the removable storage method performed by the electronic device 20 disclosed in any of the foregoing embodiments.
Further, the present application also discloses a computer readable storage medium for storing a computer program; wherein the computer program when executed by a processor implements the mobile storage method disclosed above. For the specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, which are not described herein again.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrases "comprising one of 8230; \8230;" 8230; "does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
The foregoing detailed description is directed to a mobile storage method, an apparatus, a device, and a storage medium provided by the present application, and specific examples are applied in the present application to explain the principles and embodiments of the present application, and the descriptions of the foregoing examples are only used to help understand the method and the core ideas of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.
Claims (10)
1. The utility model provides a mobile storage method, its characterized in that is applied to USB mobile storage equipment, wherein, USB mobile storage equipment includes power, USB module, WIFI module, public optical drive, encryption subregion, plaintext subregion and encryption chip, includes:
when an access command for accessing the data in the encryption partition, which is sent by target management application software located at a user terminal, is acquired, authenticating the identity of the user terminal through the WIFI module to obtain an authentication result;
if the authentication result is passed, analyzing the access command through a command analysis module in the firmware of the encryption chip to obtain analyzed data, and sending the analyzed data to the encryption partition;
judging whether the user terminal has access authority or not through the encryption partition;
if the user terminal has the access right and the access command is a write command, encrypting data to be written in the user terminal according to the analyzed data to obtain encrypted data, and writing the encrypted data into the encryption partition;
and if the user terminal has the access right and the access command is a read command, acquiring a data packet to be read from the encryption partition according to the analyzed data, decrypting the data packet to be read to obtain the data to be read, and sending the data to be read to the user terminal.
2. The mobile storage method of claim 1, wherein the authenticating the identity of the user terminal through the WIFI module to obtain an authentication result comprises:
acquiring a user name and a login password input by a user when the user logs in the target management application software through the WIFI module, and judging whether the user name is matched with the login password;
if the user name is matched with the login password, judging that the identity authentication result of the user terminal passes;
and if the user name is not matched with the login password, judging that the identity authentication result of the user terminal does not pass.
3. The method according to claim 1, wherein before sending the parsed data to the encryption partition, the method further comprises:
and judging whether the analyzed data is correct according to a preset custom data transmission format, if so, executing the step of sending the analyzed data to the encryption partition, and if not, processing the access command in a USB peripheral mode.
4. The mobile storage method according to claim 1, wherein the encrypting the data to be written in the user terminal to obtain encrypted data comprises:
acquiring a target symmetric key and a target asymmetric key randomly generated by the encryption chip from the encryption chip;
and decrypting the target symmetric key by using the target asymmetric key to obtain a decrypted key, verifying the decrypted key, and encrypting the data to be written in the user terminal by using the target symmetric key to obtain encrypted data if the verification is passed.
5. The mobile storage method according to claim 4, further comprising:
when it is monitored that the data in the encryption partition needs to be destroyed, determining the type of data destruction;
if the data destruction type is full-partition rapid destruction, destroying the target symmetric key, the target asymmetric key and the FAT table information of the encrypted partition;
if the data destruction type is complete partition destruction, destroying the target symmetric key, the target asymmetric key and the FAT table information, and repeatedly erasing and writing all data in the encrypted partition;
and if the data destruction type is that the specified file is completely destroyed, repeatedly erasing and writing the area corresponding to the specified file or directory.
6. The mobile storage method according to claim 2, wherein the determining whether the user terminal has the access right through the encryption partition comprises:
judging whether the current session exceeds a preset session time or not, and if not, judging whether the user name is in a preset blacklist or not;
if the user name is located in the preset blacklist, judging that the user terminal has no access authority, and if the user name is not located in the preset blacklist, judging whether the user name is located in a preset white list;
if the user name is not in a preset white list, judging whether the file or the directory to be accessed in the encryption partition meets a preset sensitivity level requirement, and if not, judging that the user terminal has no access authority;
if the user name is located in the preset white list or the file or the directory to be accessed in the encryption partition meets the sensitivity level requirement, judging whether the file or the directory to be accessed in the encryption partition meets the preset file attribute requirement, if so, judging that the user terminal has access authority, and if not, judging that the user terminal does not have access authority.
7. The mobile storage method according to any one of claims 1 to 6, wherein the sending the data to be read to the user terminal includes:
decrypting a data packet containing the data to be read through the WIFI module to obtain the data to be read, encrypting the data to be read by using a preset session key to obtain encrypted data to be read, and sending the encrypted data to be read to the user terminal; the WIFI module supports an AP mode and a routing mode.
8. The utility model provides a mobile storage device which characterized in that is applied to USB mobile storage equipment, wherein, USB mobile storage equipment includes power, USB module, WIFI module, public optical drive, encrypts subregion, plaintext subregion and encryption chip, includes:
the identity authentication module is used for authenticating the identity of the user terminal through the WIFI module to obtain an authentication result when an access command which is sent by target management application software of the user terminal and used for accessing the data in the encryption partition is obtained;
the access command analysis module is used for analyzing the access command through a command analysis module in the firmware of the encryption chip to obtain analyzed data if the authentication result is that the authentication result passes;
the analysis data sending module is used for sending the analyzed data to the encryption partition;
the access authority judging module is used for judging whether the user terminal has access authority or not through the encryption partition;
the data encryption module is used for encrypting the data to be written in the user terminal according to the analyzed data to obtain encrypted data if the access authority exists and the access command is a write command;
the encrypted data writing module is used for writing the encrypted data into the encryption partition;
the data packet obtaining and decrypting module is used for obtaining a data packet to be read from the encryption partition according to the analyzed data and decrypting the data packet to be read to obtain the data to be read if the user terminal has the access right and the access command is a read command;
and the data to be read sending module is used for sending the data to be read to the user terminal.
9. An electronic device comprising a processor and a memory; wherein the processor, when executing the computer program stored in the memory, implements the method of mobile storage according to any of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the method of mobile storage of any of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211509987.0A CN115906196A (en) | 2022-11-29 | 2022-11-29 | Mobile storage method, device, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211509987.0A CN115906196A (en) | 2022-11-29 | 2022-11-29 | Mobile storage method, device, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115906196A true CN115906196A (en) | 2023-04-04 |
Family
ID=86470670
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211509987.0A Pending CN115906196A (en) | 2022-11-29 | 2022-11-29 | Mobile storage method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115906196A (en) |
-
2022
- 2022-11-29 CN CN202211509987.0A patent/CN115906196A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11658993B2 (en) | Systems and methods for traffic inspection via an embedded browser | |
| US20220292180A1 (en) | Systems and methods for offline usage of saas applications | |
| US11704427B2 (en) | Systems and methods for providing data loss prevention via an embedded browser | |
| US11895096B2 (en) | Systems and methods for transparent SaaS data encryption and tokenization | |
| JP6335280B2 (en) | User and device authentication in enterprise systems | |
| US20140282978A1 (en) | Method and apparatus for secure interaction with a computer service provider | |
| CN108763917B (en) | Data encryption and decryption method and device | |
| US11159552B2 (en) | Systems and methods for an embedded browser | |
| EP3661154B1 (en) | Authentication based on unique encoded codes | |
| CN109960935B (en) | Method, device and storage medium for determining trusted state of TPM (trusted platform Module) | |
| CN113127844A (en) | Variable access method, device, system, equipment and medium | |
| EP3651051A1 (en) | Systems and methods for a saas lens to view obfuscated content | |
| US20230079795A1 (en) | Device to device migration in a unified endpoint management system | |
| US10756899B2 (en) | Access to software applications | |
| CN115906196A (en) | Mobile storage method, device, equipment and storage medium | |
| CN111079109A (en) | Local security authorization login method and system compatible with multiple browsers | |
| US11831632B2 (en) | Secure endpoint authentication credential control | |
| KR101357367B1 (en) | Method and system for managing authentication information using SE | |
| Eleftherios | FIDO2 Overview, Use Cases, and Security Considerations | |
| CN115952543A (en) | PCIE encryption card, management application system, hard disk read-write method, device and medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |