CN116781354A - Data anti-ransomware method and device based on network storage unidirectional transmission isolation - Google Patents

Data anti-ransomware method and device based on network storage unidirectional transmission isolation

Info

Publication number: CN116781354A
Authority: CN (China)
Prior art keywords: data, network, access, unidirectional transmission, isolation
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202310753136.9A
Other languages: Chinese (zh)
Inventors: 邓高见, 马多耀, 李宜花, 李晓明, 赵生群
Current Assignee: Zhongke Tianyu Suzhou Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Zhongke Tianyu Suzhou Technology Co ltd

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/60 Protecting data
              • G06F21/602 Providing cryptographic facilities or services
            • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
              • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
                • G06F21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
          • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
              • G06F2221/2107 File encryption
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
            • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
              • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/40 Network security protocols

Abstract

The invention discloses a data anti-ransomware method and device based on network storage unidirectional transmission isolation, wherein the method comprises the following steps: 1) a unidirectional transmission isolation device is arranged between the network storage and an external network, and comprises unidirectional transmission equipment and isolation equipment; 2) the data in the network storage is encrypted so as to ensure confidentiality of the data; 3) the encrypted data is transmitted to the isolation equipment through the unidirectional transmission equipment; 4) the isolation equipment decrypts the transmitted data to ensure the readability of the data; 5) the access rights of the network storage are controlled to ensure that only authorized users can access the data in the network storage. According to the invention, the unidirectional transmission isolation device is arranged between the network storage and the external network, so that the external network cannot directly access the data in the network storage and only authorized users can access it, thereby effectively preventing ransomware attacks and improving the security of the data.

Description

Data anti-ransomware method and device based on network storage unidirectional transmission isolation
Technical Field
The invention relates to the field of computer security within information security technology, in particular to a data anti-ransomware method and device based on network storage unidirectional transmission isolation.
Background
Ransomware has been rampant in recent years. It is a type of malware that encrypts or locks the user's data and then threatens and coerces the user into paying a ransom to restore access to the data. In recent years, ransomware attacks have occurred frequently, causing huge threats and losses to the data security of enterprises and individual users. Ransomware attack techniques are continuously updated, so that traditional data security protection means find it difficult to cope effectively.
Existing data security protection means include data encryption, data backup, network security protection and the like. Although these means can improve the security of data, they still have certain limitations. For example, data encryption can protect the confidentiality of data, but cannot prevent ransomware from directly breaking into the network storage and attacking the data there; data backup can ensure the recoverability of data, but the backup data itself can also be rendered irrecoverable by a ransomware attack.
The invention provides a data anti-ransomware method and device based on unidirectional transmission isolation of network storage. By arranging a unidirectional transmission isolation device between the network storage and an external network and controlling the access rights of the network storage, it prevents ransomware from invading and attacking the network storage, thereby improving the data protection capability of the network storage. The solution of the invention can effectively avoid the limitations of existing data security protection means and has high practicability and operability.
Disclosure of Invention
The invention discloses a data anti-ransomware method and device based on network storage unidirectional transmission isolation, wherein the method comprises the following steps: 1) a unidirectional transmission isolation device is arranged between the network storage and an external network, and comprises unidirectional transmission equipment and isolation equipment; 2) the data in the network storage is encrypted so as to ensure confidentiality of the data; 3) the encrypted data is transmitted to the isolation equipment through the unidirectional transmission equipment; 4) the isolation equipment decrypts the transmitted data to ensure the readability of the data; 5) the access rights of the network storage are controlled to ensure that only authorized users can access the data in the network storage.
The technical scheme of the invention is as follows: a data anti-ransomware method based on network storage unidirectional transmission isolation comprises the following steps:
1) A unidirectional transmission isolation device is arranged between the network storage and an external network, and comprises unidirectional transmission equipment and isolation equipment;
2) The data in the network storage is encrypted so as to ensure confidentiality of the data;
3) The encrypted data is transmitted to the isolation equipment through the unidirectional transmission equipment;
4) The isolation equipment decrypts the transmitted data, so that the readability of the data is ensured;
5) The access rights of the network storage are controlled to ensure that only authorized users can access the data in the network storage.
Further, in step 1), the network storage refers to a device or system for storing data that can be accessed and managed through a network; the network storage may be a server, a group of servers, a storage array, a network attached storage device, etc.; network storage may be accessed through various network protocols, such as NFS, CIFS, iSCSI, etc.
Further, in step 1), the external network refers to the networks other than the internal network to which the network storage is connected, including the public internet, private internet, local area networks, etc.; the external network may be connected to the network storage in various ways, such as through a router, a switch or a firewall, or through a VPN, etc.
Further, in step 1), the unidirectional transmission isolation device adopts physical isolation to ensure that the external network cannot directly access the data in the network storage; the unidirectional transmission equipment and the isolation equipment are implemented by physical isolation, and the unidirectional transmission equipment can only transmit data from the network storage to the isolation equipment and cannot transmit data from the isolation equipment back to the network storage or to the external network.
Further, in step 2), the encryption is performed using symmetric or asymmetric encryption; the symmetric encryption algorithm may be a common algorithm such as AES or DES, and the asymmetric encryption algorithm may be a common algorithm such as RSA or ECC; the encryption key may be generated by the authentication and authorization module or set by the user, and is stored in a secure manner in the network storage.
Further, in step 3), the unidirectional transmission is based on the principle of physical isolation, that is, physical isolation prevents data from being transmitted from the isolation equipment back to the network storage or the external network; to realize physical isolation, the unidirectional transmission equipment generally uses dedicated physical equipment such as unidirectional optical fibre links and unidirectional network cards, ensuring that data can be transmitted in one direction only; during transmission, the unidirectional transmission equipment can check and verify the transmitted data to ensure its integrity and reliability.
Further, in step 4), the decryption is performed using the corresponding decryption algorithm; the decryption algorithm corresponds to the encryption algorithm, and the same symmetric or asymmetric algorithm is used for decryption; the decryption key may be generated by the authentication and authorization module or set by the user, and is stored in a secure manner in the isolation equipment.
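Steps 3) and 4) above, modelled end to end as an added example (not code from the patent; the frame layout, the key-less digest check at the unidirectional equipment and the gap bookkeeping on the isolation side are assumptions of this example): the storage side encrypts each chunk with AES-256-GCM, the unidirectional equipment verifies only a plaintext SHA-256 because it never holds the key, and the isolation equipment decrypts and, since no acknowledgement can travel back, records lost or rejected sequence numbers instead of requesting retransmission.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Frame layout (assumption): seq 4 B | nonce 12 B | AES-256-GCM ciphertext+tag | SHA-256 of the preceding bytes
const (
	seqLen   = 4
	nonceLen = 12
	hashLen  = sha256.Size
)

// MustGCM builds the AES-GCM AEAD used at both ends; a 32-byte key selects AES-256.
func MustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// Sender models the network-storage side: it holds the key and emits frames.
type Sender struct {
	aead cipher.AEAD
	next uint32
}

// Emit encrypts one chunk, binds its seq as associated data, and appends the link digest.
func (s *Sender) Emit(chunk []byte) ([]byte, error) {
	seq := make([]byte, seqLen)
	binary.BigEndian.PutUint32(seq, s.next)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	frame := append(append([]byte{}, seq...), nonce...)
	frame = s.aead.Seal(frame, nonce, chunk, seq)
	sum := sha256.Sum256(frame)
	s.next++
	return append(frame, sum[:]...), nil
}

// DiodeCheck is all the key-less unidirectional equipment can verify:
// a minimum length and the plaintext link digest. It never holds the key.
func DiodeCheck(frame []byte) bool {
	if len(frame) < seqLen+nonceLen+hashLen {
		return false
	}
	want := sha256.Sum256(frame[:len(frame)-hashLen])
	return bytes.Equal(frame[len(frame)-hashLen:], want[:])
}

// Receiver models the isolation equipment; with no return path, gaps are recorded, not re-requested.
type Receiver struct {
	aead    cipher.AEAD
	expect  uint32
	Missing []uint32 // sequence numbers that never arrived intact
}

// Accept runs the diode check, rejects replays, decrypts, and records any gap before this frame.
func (r *Receiver) Accept(frame []byte) ([]byte, error) {
	if !DiodeCheck(frame) {
		return nil, fmt.Errorf("link digest mismatch: frame discarded")
	}
	body := frame[:len(frame)-hashLen]
	seq := binary.BigEndian.Uint32(body[:seqLen])
	if seq < r.expect {
		return nil, fmt.Errorf("seq %d: replayed or out-of-order frame", seq)
	}
	pt, err := r.aead.Open(nil, body[seqLen:seqLen+nonceLen], body[seqLen+nonceLen:], body[:seqLen])
	if err != nil {
		return nil, fmt.Errorf("seq %d: GCM authentication failed", seq)
	}
	for ; r.expect < seq; r.expect++ {
		r.Missing = append(r.Missing, r.expect)
	}
	r.expect = seq + 1
	return pt, nil
}

// FlipPayloadBit simulates a one-bit ciphertext error with a consistent link digest: invisible to the diode check, rejected by GCM.
func FlipPayloadBit(frame []byte) []byte {
	out := append([]byte(nil), frame[:len(frame)-hashLen]...)
	out[seqLen+nonceLen] ^= 0x01
	sum := sha256.Sum256(out)
	return append(out, sum[:]...)
}
```

A frame rejected for any reason does not advance `expect`, so its sequence number lands in `Missing` as soon as a later frame is accepted; that list is what an operator on the isolation side would reconcile against the storage side's send log.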
Further, in step 5), an authorized user refers to a user who has been approved and authorized by the authentication and authorization module and may access the data in the network storage; the authorized user must first authenticate through the identity authentication module and then obtain the corresponding access authorization before accessing the data in the network storage.
Further, in step 5), controlling the access rights of the network storage includes approving and authorizing the user's access request, so that only approved users can access the data in the network storage; the identity authentication module can authenticate the user's identity by means of a username and password, a digital certificate, biometric features and other methods; the authorization module can authorize the user according to the user's identity and access requirements, and the authorization may cover operations such as reading, writing and deleting; the access approval module can approve the user's access request, so that only approved users can access the data in the network storage; approval may be manual or automatic, and automatic approval approves access requests according to preset rules.
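The three modules of step 5) as an added example (not code from the patent; the user directory, the password hashing scheme and the automatic-approval rules are assumptions of this example): authentication by constant-time comparison of a salted hash, authorization from per-resource grants of read/write/delete, and an approval stage that auto-approves by preset rules and queues everything else for a human approver.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Op is an operation the authorization module can grant (read, write, delete as in the text).
type Op string

const (
	OpRead   Op = "read"
	OpWrite  Op = "write"
	OpDelete Op = "delete"
)

// Decision is the outcome of the identity -> authorization -> approval chain.
type Decision int

const (
	Denied Decision = iota
	Approved
	PendingManualApproval
)

// User is an entry in the constructed user directory.
type User struct {
	Name     string
	Salt     string
	PassHash string          // hex SHA-256(salt || password); production would use a slow KDF
	Grants   map[string][]Op // resource -> granted operations
}

// Gate models the identity authentication, authorization and access approval modules.
type Gate struct {
	Users     map[string]User
	Sensitive map[string]bool // resources whose modification always needs a human approver
}

func hashPassword(salt, password string) string {
	sum := sha256.Sum256([]byte(salt + password))
	return hex.EncodeToString(sum[:])
}

// authenticate is the identity authentication module: constant-time check of the stored hash.
func (g *Gate) authenticate(name, password string) (User, bool) {
	u, ok := g.Users[name]
	if !ok {
		hashPassword("no-such-user", password) // same cost for unknown user and wrong password
		return User{}, false
	}
	got := hashPassword(u.Salt, password)
	return u, subtle.ConstantTimeCompare([]byte(got), []byte(u.PassHash)) == 1
}

// authorize is the permission authorization module: does a grant cover the operation?
func authorize(u User, resource string, op Op) bool {
	for _, granted := range u.Grants[resource] {
		if granted == op {
			return true
		}
	}
	return false
}

// Decide runs one request through all three modules. Preset auto-approval rules (an assumption):
// reads and writes to non-sensitive resources pass automatically; deletes and sensitive writes wait for a human.
func (g *Gate) Decide(name, password, resource string, op Op) (Decision, string) {
	u, ok := g.authenticate(name, password)
	if !ok {
		return Denied, "authentication failed"
	}
	if !authorize(u, resource, op) {
		return Denied, fmt.Sprintf("%s is not authorized to %s %s", u.Name, op, resource)
	}
	switch {
	case op == OpRead:
		return Approved, "auto-approved: read"
	case op == OpWrite && !g.Sensitive[resource]:
		return Approved, "auto-approved: write to non-sensitive resource"
	default:
		return PendingManualApproval, "queued for manual approval"
	}
}

// DemoGate builds a constructed directory: a trader, an operator, and customer data marked sensitive.
func DemoGate() *Gate {
	return &Gate{
		Users: map[string]User{
			"trader": {Name: "trader", Salt: "s1", PassHash: hashPassword("s1", "Tr4der-pw"),
				Grants: map[string][]Op{"transactions": {OpRead, OpWrite}, "customers": {OpRead}}},
			"operator": {Name: "operator", Salt: "s2", PassHash: hashPassword("s2", "0p-pw"),
				Grants: map[string][]Op{"transactions": {OpRead, OpWrite, OpDelete}, "customers": {OpRead, OpWrite}}},
		},
		Sensitive: map[string]bool{"customers": true},
	}
}
```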
The invention also discloses a data anti-ransomware device based on network storage unidirectional transmission isolation, characterized in that a unidirectional transmission isolation device is arranged between the network storage and an external network, so that the external network cannot directly access the data in the network storage, thereby effectively preventing ransomware attacks; its core modules comprise: a unidirectional transmission isolation module, a data encryption module, a data decryption module, an authentication and authorization module, an access approval module and a data storage module; wherein
the unidirectional transmission isolation module is used to realize unidirectional transmission isolation between the network storage and the external network; it comprises unidirectional transmission equipment and isolation equipment and consists of two parts, a transmitting end and a receiving end; the transmitting end is responsible for transmitting data from the network storage to the receiving end, and the receiving end is responsible for receiving the data and storing it in the isolation equipment;
the data encryption module is used to encrypt the data in the network storage by symmetric or asymmetric encryption, ensuring the confidentiality of the data;
the data decryption module is used to decrypt the transmitted data; the decryption algorithm corresponds to the encryption algorithm, and the same symmetric or asymmetric algorithm is used for decryption, ensuring the readability of the data;
the authentication and authorization module is used to authenticate the user's identity and authorize the user's permissions, and comprises an identity authentication module and a permission authorization module; it ensures that only authenticated and authorized users can access the data in the network storage, so that the security and confidentiality of the data are ensured;
the access approval module is used to approve the user's access requests; it can examine and approve each access request according to the user's permissions and access requirements, ensuring that only authorized users can access the data;
the data storage module is used to store data in the network storage; it comprises two parts: data storage equipment and data storage management software.
Advantageous effects
Compared with the prior art, the invention has the beneficial effects that:
(1) By arranging the unidirectional transmission isolation device between the network storage and the external network and controlling the access rights of the network storage, the invention prevents ransomware from invading and attacking the network storage, improving the data protection capability of the network storage;
(2) The invention uses the unidirectional transmission isolation device to isolate the network storage from the external network, thereby preventing direct access to and attacks on the data from the external network, improving the stability of the system and reducing, to a certain extent, the risk of system breakdown and data loss;
(3) By controlling the access rights of the network storage and approving users' access requests, the invention ensures that only authorized users can access the data in the network storage, improving control over data access and preventing unauthorized users from accessing the data in the network storage.
Description of the embodiments
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention comprises the following steps: selecting suitable unidirectional transmission equipment and isolation equipment, and designing the unidirectional transmission isolation device reasonably according to actual requirements; arranging the unidirectional transmission isolation device between the network storage and an external network, so that all data is transmitted in one direction only and an attacker is prevented from illegally accessing or tampering with the network storage; selecting a suitable data encryption algorithm and key size to ensure the strength and reliability of the data encryption; encrypting the data in the network storage to ensure its confidentiality; selecting suitable unidirectional transmission equipment, ensuring that data can be transmitted in one direction only and is not affected by attacks or application errors; adjusting parameters such as transmission speed and packet size to avoid performance problems caused by an excessive volume of transmitted data; selecting a suitable decryption algorithm and decryption key to ensure the strength and reliability of decryption; decrypting the transmitted data to ensure its readability; establishing an access control policy to ensure that only authorized users can access the data in the network storage; authenticating all users accessing the network storage to ensure that they are authorized to access specific data; and approving access requests so that only users who have obtained the corresponding access rights can access the data in the network storage.
Fig. 1 shows a flowchart of an embodiment of the data anti-ransomware method based on network storage unidirectional transmission isolation according to the present invention, which mainly includes the following steps:
S101, selecting suitable unidirectional transmission equipment and isolation equipment, and designing the unidirectional transmission isolation device reasonably according to actual requirements;
S102, arranging the unidirectional transmission isolation device between the network storage and an external network, so that an attacker is prevented from illegally accessing or tampering with the network storage;
S201, selecting a suitable data encryption algorithm and key size;
S202, encrypting the data in the network storage;
S301, selecting suitable unidirectional transmission equipment, ensuring that data can be transmitted in one direction only and is not affected by attacks or application errors;
S302, adjusting parameters such as transmission speed and packet size;
S401, selecting a suitable decryption algorithm and decryption key;
S402, decrypting the transmitted data;
S501, establishing an access control policy under which only authorized users can access the data in the network storage;
S502, authenticating all users accessing the network storage to ensure that they are authorized to access specific data;
S503, approving access requests, so that only users who have obtained the corresponding access rights can access the data in the network storage.
In particular, in step S101 of the invention, the selection of suitable unidirectional transmission equipment and isolation equipment is very important, as it directly determines the performance and reliability of the unidirectional transmission isolation device. Unidirectional transmission equipment typically includes unidirectional transmitters, unidirectional gateways, unidirectional transmission cards, etc., while isolation equipment includes isolators, isolation gateways, isolation cards, etc. Which equipment is selected depends on actual requirements such as data transmission speed, network size and security level.
In step S102, a unidirectional transmission isolation device is arranged between the network storage and the external network to ensure that all data is transmitted in one direction only and to prevent an attacker from illegally accessing or tampering with the network storage. This prevents an attacker from intruding through the network storage or maliciously modifying the data. The unidirectional transmission isolation device ensures that data can only leave the network storage outwards and cannot enter the network storage from the external network, so the security of the data in the network storage is effectively protected. At the same time, the unidirectional transmission isolation device also prevents viruses or other malware from entering the network storage, protecting the security of the whole network.
In step S201, selecting a suitable data encryption algorithm and key size is important because it directly determines the strength and reliability of the data encryption. The algorithm and key size are chosen according to actual requirements, weighing security, reliability and performance together. For example, for data with high security requirements, the AES algorithm with a 256-bit key may be selected.
In step S202, the data in the network storage is encrypted to ensure its confidentiality. Encryption effectively protects the data from theft or tampering by an attacker. Before encrypting the data, the encryption algorithm and key size must be determined, and it must be ensured that all users who access the network storage hold the corresponding decryption key. Encrypted data can only be decrypted with the correct key, which ensures its confidentiality. Encryption also prevents viruses or other malware from attacking the data, protecting the security of the whole network.
In step S301, selecting suitable unidirectional transmission equipment is important because it ensures that data can be transmitted in one direction only, avoiding the effects of attacks or application errors. The unidirectional transmission equipment prevents data from being tampered with or stolen by an attacker during transmission, ensuring the security of the data. It also prevents data leakage or damage caused by application errors, ensuring the reliability of the data.
In step S302, parameters such as transmission speed and packet size are adjusted to avoid performance problems caused by an excessive volume of transmitted data. If the transmission speed is too slow or the packet size too large, delay or packet loss may occur during transmission, affecting the efficiency and reliability of data transmission. These parameters are therefore adjusted according to the actual situation to ensure efficient and reliable transmission. At the same time, network bandwidth, load and other factors need to be monitored and managed during transmission to ensure that no performance problems arise.
In step S401, selecting a suitable decryption algorithm ensures the security and reliability of the decryption process, while selecting the appropriate decryption key ensures that the data can be correctly decrypted. When choosing the decryption algorithm and decryption key, security, reliability and performance need to be considered.
In step S402, the transmitted data is decrypted; before decryption it must be ensured that all users who access the data hold the corresponding decryption key. The decrypted data can be read and used, which ensures the readability of the data. Decryption also prevents viruses or other malware from attacking the data, protecting the security of the whole system.
In step S501, establishing an access control policy is important because it ensures that only authorized users can access the data in the network storage. An access control policy limits access to the network storage and prevents unauthorized users from accessing and misusing sensitive data, thereby ensuring data security.
In step S502, all users accessing the network storage are authenticated to ensure that they are authorized to access specific data. This confirms the identity of the user and ensures that only authorized users can access the data in the network storage. Authentication must use a secure method, such as password-based authentication or two-factor authentication, to protect the user's identity.
In step S503, approving the access request ensures that the access control policy is enforced and that only users who have obtained the corresponding access rights can access the data. Approval is carried out according to the access control policy, so that every access request meets its requirements. Only an access request that has passed approval obtains the right to access the data in the network storage.
For example, consider the transaction system of a financial institution. The transaction system holds a large amount of transaction data and customer information, whose confidentiality and security must be ensured. Within the institution's internal network, a unidirectional transmission isolation device is arranged so that the data in the network storage can only be transmitted in one direction to the isolation equipment and cannot be accessed by the external network. The unidirectional transmission isolation device provides a higher security level for the financial institution, so that both the security of the data and its transmission are guaranteed.
In the institution's data management system, the data in the network storage is encrypted with a strong encryption algorithm to ensure its confidentiality, so that the encrypted data cannot be illegally obtained in transit. The strong encryption algorithm ensures the security and confidentiality of the financial data and prevents confidential data from being stolen or leaked. The encrypted data is transmitted to the isolation equipment through the unidirectional transmission equipment, ensuring one-way transmission and avoiding data leakage. Unidirectional transmission blocks attacks and threats against the data from the external network, ensuring the security of the data in the network storage. After the data reaches the isolation equipment, the isolation equipment decrypts it and restores its readability. The isolation equipment ensures that data flows in one direction only, from the network storage to the isolation equipment, so that both the security and the readability of the data are ensured.
In the institution's data management system, access to the network storage is controlled through an access control policy, so that only authorized users can access the data in the network storage. For example, only authenticated and authorized traders can access the transaction data and customer information in the transaction system. By controlling the access rights of the network storage, the security of the data in it is ensured and illegal access is prevented.
The above examples are provided for the purpose of describing the present invention only and are not intended to limit the scope of the present invention. The scope of the invention is defined by the appended claims. Various equivalents and modifications that do not depart from the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (10)

1. A data anti-ransomware method based on network storage unidirectional transmission isolation, comprising the following steps:
arranging a unidirectional transmission isolation device between the network storage and an external network, the device comprising a unidirectional transmission device and an isolation device;
encrypting the data stored in the network storage, so as to ensure confidentiality of the data;
transmitting the encrypted data to the isolation device through the unidirectional transmission device;
decrypting the transmitted data at the isolation device, so as to ensure readability of the data;
controlling the access rights of the network storage to ensure that only authorized users can access the data in the network storage.
2. The method according to claim 1, wherein in step 1), the network storage means a device or system for storing data, which can be accessed and managed through a network; the network storage may be a server, a group of servers, a storage array, a network attached storage device, etc.; network storage may be accessed through various network protocols, such as NFS, CIFS, iSCSI, etc.
3. The method according to claim 1, wherein in step 1), the external network refers to networks other than the internal network to which the network storage is connected, including the public Internet, private networks, local area networks, etc.; the external network may be connected to the network storage in various ways, such as through a router, a switch or a firewall, or through a VPN, etc.
4. The method according to claim 1, wherein in step 1), the unidirectional transmission isolation device adopts physical isolation to ensure that the external network cannot directly access the data stored in the network storage, wherein the unidirectional transmission device and the isolation device are implemented by means of physical isolation, and the unidirectional transmission device can only transmit data from the network storage to the isolation device, but cannot transmit data from the isolation device back to the network storage or the external network.
5. The method according to claim 1, wherein in step 2), the encryption is performed by means of symmetric encryption or asymmetric encryption; the symmetric encryption algorithm can be a common algorithm such as AES or DES, and the asymmetric encryption algorithm can be a common algorithm such as RSA or ECC; the encryption key may be generated by the authentication and authorization module or set by the user, and is stored in a secure manner in the network storage.
6. The method according to claim 1, wherein in step 3), the unidirectional transmission is based on the principle of physical isolation, i.e. the transmission of data from the isolation device back to the network storage device or the external network is prevented by means of physical isolation; in order to realize physical isolation, the unidirectional transmission equipment generally adopts special physical equipment such as unidirectional transmission optical fibers, unidirectional transmission network cards and the like, so that data can be ensured to be transmitted in one direction only; in the data transmission process, the unidirectional transmission equipment can check and verify the transmitted data so as to ensure the integrity and reliability of the data.
7. The method according to claim 1, wherein in step 4), the decryption is performed using the corresponding decryption algorithm; the decryption algorithm corresponds to the encryption algorithm, and the same symmetric or asymmetric algorithm can be used for decryption; the decryption key may be generated by the authentication and authorization module or set by the user, and is stored in a secure manner in the isolation device.
8. The method according to claim 1, wherein in step 5), an authorized user is a user who has been authenticated and authorized by the authentication and authorization module and can access the data in the network storage device; the authorized user first authenticates through the identity authentication module and then receives the corresponding access authorization to access the data in the network storage device.
9. The method of claim 1, wherein in step 5), the controlling the access rights of the network store includes approving and authorizing the access request of the user to ensure that only the approved user can access the data in the network store; the identity authentication module can authenticate the identity of the user by adopting a user name password, a digital certificate, biological characteristics and other modes; the authorization module can authorize the user according to the user identity and the access requirement, and the authorization mode can comprise operations such as reading, writing, deleting and the like; the access approval module can approve the access request of the user, so that only the approved user can access the data in the network storage; the approval mode can comprise manual approval and automatic approval, and the automatic approval can automatically approve the access request according to preset rules.
10. A data anti-ransomware device based on network storage unidirectional transmission isolation, characterized in that a unidirectional transmission isolation device is arranged between the network storage and an external network, so that the external network cannot directly access the data stored in the network storage and ransomware attacks are effectively prevented; wherein the core modules comprise: a unidirectional transmission isolation module, a data encryption module, a data decryption module, an authentication and authorization module, an access approval module and a data storage module; wherein:
the unidirectional transmission isolation module is used for realizing unidirectional transmission isolation between network storage and an external network, comprises unidirectional transmission equipment and isolation equipment, and comprises two parts: a transmitting end and a receiving end; the sending end is responsible for transmitting the data from the network storage device to the receiving end, and the receiving end is responsible for receiving the data and storing the data in the isolation device;
the data encryption module is used for encrypting the data in the network storage according to a symmetrical encryption or asymmetrical encryption mode, so that the confidentiality of the data is ensured;
the data decryption module is used for decrypting the transmitted data, a decryption algorithm adopted in the decryption process corresponds to the encryption algorithm, and the same symmetric or asymmetric encryption algorithm can be adopted for decryption so as to ensure the readability of the data;
the authentication and authorization module is used for authenticating the identity of the user and authorizing the authority of the user and comprises an identity authentication module and an authority authorization module; the authentication and authorization module can ensure that only authenticated and authorized users can access the data in the network storage device, so that the safety and confidentiality of the data are ensured;
the access approval module is used for approving the access request of the user; it examines and approves the access request according to the authority and the access requirement of the user, and ensures that only authorized users can access the data;
the data storage module is used for storing data in the network storage device; it includes two parts of data storage equipment and data storage management software.
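The following Go program is an added worked example, not code from the patent or from the applicant. It models the five steps of claim 1 and the financial-institution embodiment described above: symmetric AES encryption on the storage side (claim 5), a link-level integrity check on the transmitted frame (claim 6), decryption on the isolation side (claim 7), and authentication, authorization and rule-based automatic approval before any data is released (claims 8 and 9). The one-way link is represented by a send-only Go channel type; the key, users and trade record are constructed sample values, and the SHA-256 digest and the "reads only" auto-approval rule are assumptions chosen to illustrate the claims, not details the patent specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Frame crosses the one-way link: AES-GCM nonce and ciphertext plus a SHA-256 digest the
// receiver recomputes (claim 6's "check and verify"; assumed here, GCM's tag still authenticates).
type Frame struct {
	Nonce      []byte
	Ciphertext []byte
	Digest     [sha256.Size]byte
}

// Policy maps an authenticated user to the operations granted (claim 9: read, write, delete).
type Policy map[string]map[string]bool

// Authorize models claim 8: unknown user fails authentication, missing right fails authorization.
func Authorize(p Policy, user, op string) error {
	rights, known := p[user]
	if !known {
		return fmt.Errorf("authentication failed: unknown user %q", user)
	}
	if !rights[op] {
		return fmt.Errorf("authorization failed: %q may not %s", user, op)
	}
	return nil
}

// AutoApprove is the rule-based path of the access-approval module (claim 9); the rule is assumed.
func AutoApprove(op string) bool { return op == "read" }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs on the network-storage side (claim 5, symmetric AES) with a fresh random nonce.
func Encrypt(key, plaintext []byte) (Frame, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Frame{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Frame{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	return Frame{Nonce: nonce, Ciphertext: ct, Digest: sha256.Sum256(ct)}, nil
}

// Diode is a send-only channel: the compiler rejects any receive through it (claims 4 and 6).
type Diode chan<- Frame

func Send(d Diode, f Frame) { d <- f }

// Receive runs on the isolation device (claim 7): verify the digest, then decrypt with its key copy.
func Receive(key []byte, f Frame) ([]byte, error) {
	if sha256.Sum256(f.Ciphertext) != f.Digest {
		return nil, errors.New("integrity check failed: frame altered in transit")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}

// Transfer runs the five claimed steps for one read request.
func Transfer(p Policy, user string, key, record []byte) ([]byte, error) {
	if err := Authorize(p, user, "read"); err != nil {
		return nil, err
	}
	if !AutoApprove("read") {
		return nil, errors.New("request queued for manual approval")
	}
	frame, err := Encrypt(key, record)
	if err != nil {
		return nil, err
	}
	link := make(chan Frame, 1)
	Send(Diode(link), frame)    // storage side holds only the send end
	return Receive(key, <-link) // isolation side is the only reader
}

func main() {
	// Constructed sample data: a fixed AES-256 key, one authorized user, one trade record.
	key := []byte("example-key-32-bytes-constructed")
	out, err := Transfer(Policy{"trader": {"read": true}}, "trader", key, []byte("trade 4711: BUY 100 XYZ @ 12.34"))
	fmt.Printf("trader: %q err=%v\n", out, err)
}
```

The same symmetric key is present on both sides, which is what claims 5 and 7 describe when a symmetric algorithm is chosen; the storage side never needs the isolation side's state, so the send-only channel is the only coupling between them. A frame whose ciphertext is altered on the link is rejected by the digest check before decryption is attempted, and a user who is unknown or lacks the read right is refused before any frame is produced.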
Priority Applications (1)

Application number: CN202310753136.9A
Priority date: 2023-06-26
Filing date: 2023-06-26
Title: Data anti-ransomware method and device based on network storage unidirectional transmission isolation

Publications (1)

Publication number: CN116781354A
Publication date: 2023-09-19

Family

ID=88011144

Country Status (1)

Country: CN (1)
Link: CN116781354A (en), Pending


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination