CN101051292A - Reliable U disc, method for realizing reliable U disc safety and its data communication with computer - Google Patents

Publication number: CN101051292A
Authority: CN (China)
Legal status: Granted; currently listed as Expired - Fee Related
Application number: CNA2007100003300A
Other languages: Chinese (zh)
Other versions: CN100498742C (en)
Inventors: 吴世忠, 石超英
Current and original assignees: Beijing Mingyu Technology Co Ltd; CHINESE INFORMATION SAFETY PRODUCT TEST AUTHORIZATION CENTRE
Prior art keywords: usb flash, flash disk, data, credible usb, host side
Landscapes: Storage Device Security

Abstract

A trusted USB flash disk that addresses both the security of the disk itself and the data communication between computer and disk, by using a self-destruct program, a certificate authentication program and an Applet authentication program running on a smart card operating system, together with a SCSI command that carries smart card commands.

Description

A trusted USB flash disk, and methods for securing the trusted USB flash disk and for its data communication with a computer
Technical field
The present invention relates to trusted technology, USB storage technology and information security technology, and in particular to trusted USB flash disks.
Background
At present the USB interface is a standard port on computers, and USB removable storage devices, USB flash disks in particular, are used more and more widely in everyday work because they are fast, large in capacity, easy to use and small.
An ordinary USB flash disk is a transparent removable storage medium: it has no access control over its data, so any party with a USB interface can use it without hindrance. As a result, along with convenience the USB flash disk has brought two major problems: information leakage and the implantation of malware.
A USB flash disk leads to information leakage for two reasons:
1. Users copy data freely between the internal and external networks, leaking confidential intranet information. This has become one of the main causes of information leakage in the Internet era, and it renders the physical isolation of internal and external networks ineffective.
2. USB flash disks are small and easily lost, so loss of the disk is another major cause of information leakage.
Copying data freely between the internal and external networks can of course also lead to the implantation of malware.
The methods commonly used at present to address USB flash disk security are:
1. To prevent users from copying data freely between the internal and external networks, the following solutions or secure USB disk products are used:
1) Removable storage media management rules to control the use of USB flash disks. Most special departments with sensitive data to protect have drawn up rules for the safe use of USB removable storage devices. This greatly increases management cost, and because the rules are inconvenient in practice, in many departments they exist in name only, which creates an even greater hidden risk of leakage.
2) Password authentication to control the use of the USB flash disk.
A secure USB disk that uses password authentication only implements one-way authentication of the external device by the host; the disk itself and the environment in which it is used are not authenticated. In other words, this technique cannot prove whether the disk is really trustworthy. For example, if an unauthorized user obtains the disk's password, the disk is no longer trustworthy at all.
3) Fingerprint recognition to control the use of the USB flash disk.
A secure USB disk that uses fingerprint recognition likewise only implements one-way authentication of the external device by the host; the disk itself and its environment of use are not authenticated, and the disk is merely bound to the user's identity. The technique rests on trust in the person, yet people are often the main cause of leaks and of introduced malware. A user may, intentionally or not, copy sensitive information to the external network with a fingerprint disk, and the system can neither control nor audit this; and when a user copies files between the internal and external networks, malware may be introduced unintentionally. This form of authentication is therefore not strict and cannot satisfy the security requirements for equipment used in special departments. It cannot answer whether the device is trustworthy, whether the device is allowed to be used in the system, whether the device itself accepts the environment it is used in, or who the user is.
4) Terminal security management software (for example, waterproof products) to disable the USB ports of intranet hosts.
Using terminal security management software to disable the USB ports of intranet hosts prevents every device from accessing the host through a USB port, but it cannot provide flexible permission management.
2. To prevent information leaking after a USB flash disk is lost, there are currently two main solutions:
1) Software encryption: the data stored on the disk is encrypted by encryption software installed on the host.
With a software-encrypted secure USB disk, encryption is done by the host. Compared with hardware encryption, the encryption strength is insufficient and the encryption key is not stored securely, so there is a considerable hidden risk; moreover, the encrypted files or data stored on the disk can be copied off, analysed over a long period and cracked.
2) Hardware encryption: a chip with encryption functions is added to the disk so that encryption happens on-chip.
Compared with software encryption, a hardware-encrypted secure USB disk has higher encryption strength, and because the encryption key is stored in tamper-resistant hardware its security is higher. It still cannot, however, solve the problem of data on the disk being copied off and analysed.
3. Storing an identifier in the file system of the USB flash disk provides permission management, but this approach depends on the Windows file system format and is easy to crack.
In summary, each of the methods above solves only part of the problem of using USB flash disks safely, or improves their security to some degree; none of them fully solves all the security problems that arise in use. In other words, all of these USB flash disks are untrusted.
Summary of the invention
The object of the invention is to provide a trusted USB flash disk with high security performance that meets the requirements of the trusted computing organization, so as to solve the security problems described above that exist in the use of USB flash disks, and to provide a method of communication between the trusted USB flash disk and a computer.
The technical scheme of the invention is as follows. A trusted USB flash disk arrangement comprises: a host 1, which has 1-4 USB interfaces 11; a CA center 3; a memory 20, an IO controller 30 and a flash memory 40; and, in addition, a cryptographic coprocessor 50 that supports the RSA, DH, ElGamal and ECC public-key algorithms, the DES, 3DES and AES symmetric algorithms and third-party cryptographic algorithms, a smart card operating system 203 written to the Java Card specification, and a Z32UF security controller 60 that performs encryption and decryption through the cryptographic coprocessor 50. The cryptographic coprocessor 50 is integrated on the Z32UF security controller 60 chip. The memory 20, IO controller 30, flash memory 40, cryptographic coprocessor 50 and Z32UF security controller 60 together form the trusted USB flash disk 2. The trusted USB flash disk 2 connects to the host 1 by being plugged into a USB interface 11; the host 1 connects to the CA center 3 over a network and can obtain the certificate request and verification services that the CA center 3 provides. Mutual authentication can be carried out between the host 1 and the trusted USB flash disk 2, and the two exchange data by means of two kinds of SCSI command.
The smart card operating system 203, written to the Java Card specification, is installed on the Z32UF security controller 60 of the trusted USB flash disk 2. Running on the smart card operating system 203 are: the trusted USB flash disk control program 201; the application 301 that controls flash reads and writes; the self-destruct program 111, which decides whether the number of unauthorized accesses has exceeded a threshold and carries out self-destruction; the application 112 that performs certificate verification; and the Applet authentication program 113. The smart card operating system 203 performs encryption and decryption through the cryptographic coprocessor 50. In addition: (1) the combined smart card and USB flash disk device 2 stores an associated digital device certificate that represents its identity, and the party it is attached to also stores a digital certificate representing that party's identity; (2) the host 1 supports the standard certificate request procedure. The methods for securing the trusted USB flash disk and for data communication between computer and trusted USB flash disk are:
1. a method by which the trusted USB flash disk decides whether the number of unauthorized accesses has exceeded a threshold and destroys itself;
2. a method of improving the access security of the trusted USB flash disk through mutual authentication based on digital certificates;
3. a method of controlling access to the trusted USB flash disk through the Applet authentication program;
4. a method of data communication between computer and trusted USB flash disk through a second, specially defined kind of SCSI command.
The self-destruct program 111 installed on the operating system 203 of the trusted USB flash disk 2 controls access through the USB interface, decides whether the number of unauthorized accesses has exceeded the threshold, and carries out the destruction.
The steps of the self-destruct method are as follows:
(1) Decision step 1: when the combined smart card and USB flash disk device 1 receives an "access attempt" command, it decides whether this is a "legal access". If "no", go to audit step 3; if "yes", go to the "end" step 2.
(2) Audit step 3: accumulate the number of "unauthorized access attempt" signals by adding 1 to n, then go to the next step, step 4, "whether the threshold m is exceeded".
(3) Decision step 4: after the "n+1" operation, test "whether the threshold m is exceeded". If "yes", go to the "format operation" step 5; if "no", go to the "end" step 2.
(4) "Format operation" step 5: once the system has received m or more "unauthorized access attempts", the self-destruct operation formats the stored contents of the combined smart card and USB flash disk device 1.
Here n is the number of unauthorized access attempts audited by the system, and m is the preset threshold for the permitted number of unauthorized accesses.
The method of improving the access security of the trusted USB flash disk through mutual authentication based on digital certificates comprises:
1. generating and loading the device certificate of the trusted USB flash disk;
2. generating the certificate of the host 1;
3. mutual authentication between the host 1 and the trusted USB flash disk 2.
The device certificate of the trusted USB flash disk 2 is generated and loaded as follows:
1. The host 1 sends the trusted USB flash disk 2 a request to set up a channel.
2. The trusted USB flash disk 2 responds and sets up the channel.
3. The host 1 asks the trusted USB flash disk 2 to generate an RSA key pair.
4. The trusted USB flash disk 2 responds, exports the public key and returns it to the host 1.
5. The host 1 submits a certificate request to the CA center 3 using the public key of the trusted USB flash disk 2.
6. The CA center 3 generates the certificate of the trusted USB flash disk 2 and returns it to the host 1.
7. The host 1 writes the certificate of the trusted USB flash disk 2 into the disk, and at the same time writes the root certificate of the CA center 3 into the disk for storage.
8. The trusted USB flash disk 2 returns on successful execution.
The certificate of the host 1 is generated as follows:
1. The host 1 applies to the CA center 3 for a certificate using the standard certificate request procedure.
2. The CA center 3 returns the generated host 1 certificate to the host 1.
Mutual authentication between the host 1 and the trusted USB flash disk 2 proceeds as follows:
1. The host 1 initiates an authentication request.
2. The trusted USB flash disk 2 responds to the authentication request. If it refuses the request, mutual authentication fails.
3. The host 1 interacts with the trusted USB flash disk 2 to obtain the disk's device certificate.
4. The trusted USB flash disk 2 returns its own digital certificate to the host 1.
5. The host 1 sends a certificate verification request to the CA center 3 to verify the validity of the device certificate of the trusted USB flash disk 2.
6. The CA center 3 returns the verification result to the host 1. If the CA center 3 considers the certificate of the trusted USB flash disk 2 invalid, mutual authentication fails.
7. The host 1 generates the host's challenge data and sends it, together with the host 1 certificate, to the trusted USB flash disk 2.
8. The combined smart card and USB flash disk device verifies the host 1 certificate using the stored certificate of the CA center 3. If verification passes, it signs the challenge data sent by the host with the private key corresponding to the certificate in the trusted USB flash disk 2, obtaining a "signature result". It also generates the challenge data of the trusted USB flash disk 2 and sends this back to the host 1 together with the "signature result". If the trusted USB flash disk 2 considers the host 1 certificate invalid, mutual authentication fails.
9. The host 1 verifies the "signature result" computed by the trusted USB flash disk 2, and at the same time digitally signs the challenge data produced by the trusted USB flash disk 2 and sends the signature to the trusted USB flash disk 2.
10. The trusted USB flash disk 2 verifies the "signature result" produced by the host 1; on success, mutual authentication is complete. If verification of the signature produced by the host 1 fails in the trusted USB flash disk 2, mutual authentication fails.
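The ten-step exchange above, as an added Go example that is not part of the patent text. Both sides run in one process, Ed25519 keys from the standard library stand in for the RSA key pair the description names, and the CA's verification service is modelled as a chain check against a single root; the names `party`, `enroll` and `mutualAuth` and all certificate values are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// party is the host or the disk: a private key and the certificate issued for it.
type party struct {
	key  ed25519.PrivateKey
	cert *x509.Certificate
}

func check(err error) { // demo code: abort on setup failures
	if err != nil {
		panic(err)
	}
}

// enroll makes a key pair and a certificate signed by ca; ca == nil creates a
// self-signed CA root. Names and serial numbers are constructed demo values.
func enroll(cn string, serial int64, ca *party) *party {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	parent, signer := t, key
	if ca == nil {
		t.IsCA, t.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		parent, signer = ca.cert, ca.key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &party{key: key, cert: cert}
}

// valid reports whether c chains to root: the check the CA performs for the
// host (steps 5-6) and the disk performs with its stored root (step 8).
func valid(c, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := c.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// verify checks sig over msg with the public key bound into certificate c.
func verify(c *x509.Certificate, msg, sig []byte) bool {
	pub, ok := c.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg, sig)
}

func challenge() []byte {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	check(err)
	return b
}

// mutualAuth runs steps 3-10 in one process; each comment names the side that
// performs the check on real hardware.
func mutualAuth(host, disk *party, root *x509.Certificate) error {
	if !valid(disk.cert, root) { // host, via the CA
		return errors.New("steps 5-6: device certificate rejected")
	}
	hostChal := challenge()      // host, step 7
	if !valid(host.cert, root) { // disk, step 8
		return errors.New("step 8: host certificate rejected")
	}
	diskSig, diskChal := ed25519.Sign(disk.key, hostChal), challenge() // disk, step 8
	if !verify(disk.cert, hostChal, diskSig) {                        // host, step 9
		return errors.New("step 9: device signature invalid")
	}
	hostSig := ed25519.Sign(host.key, diskChal) // host, step 9
	if !verify(host.cert, diskChal, hostSig) {  // disk, step 10
		return errors.New("step 10: host signature invalid")
	}
	return nil
}

func main() {
	ca, otherCA := enroll("Demo CA", 1, nil), enroll("Unrelated CA", 1, nil)
	host, disk := enroll("host", 2, ca), enroll("trusted-disk", 3, ca)
	rogue := enroll("rogue-host", 2, otherCA) // certificate from the wrong CA
	fmt.Println("enrolled host:", mutualAuth(host, disk, ca.cert))
	fmt.Println("rogue host:   ", mutualAuth(rogue, disk, ca.cert))
}
```

A certificate alone is not enough in either direction: a party that presents a genuine certificate without the matching private key fails at step 9 or step 10.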
Access to the trusted USB flash disk is controlled through the Applet authentication program as follows:
1. Pending data 101: the host 1 sends data to the trusted USB flash disk 2. The data is of three kinds:
authentication data a,
write/read requests for the flash memory b,
other data c.
All three kinds are received by the control program 201 of the trusted USB flash disk, which proceeds to the next step.
2. The control program 201 of the trusted USB flash disk determines the type of the pending data 101.
3. If the data is authentication data a, it is passed to the Applet authentication program 113 for processing.
4. The Applet authentication program 113 performs authentication on the authentication data a.
5. Did authentication succeed? If so, the Applet authentication program 113 activates the flash access flag 202 through the smart card operating system 203 and enters "authentication succeeded" 213.
6. Otherwise it enters "authentication failed" 214.
7. If the data is not authentication data but a write/read request b for the flash memory, go to "check flash access flag" 215.
8. Check whether the flash access flag is activated 216. If it is not activated, go to 103 and discard the data.
9. If it is activated, the data is written to the flash memory 40 for storage; otherwise go to pending data 101 and return the corresponding error information.
10. If the data is other data c, go directly to 103 and discard it, returning no information to the outside.
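An added sketch (not from the patent) of the control-program dispatch just described, combined with the self-destruct counter n and threshold m from the earlier self-destruct steps. It assumes that a failed authentication and a flash request made while the flag is inactive both count as unauthorized attempts, that a successful authentication resets n, that the flag is cleared when the disk is unplugged, and that a fixed credential stands in for the Applet's real authentication; all type and function names are hypothetical.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

type kind int

const (
	authData  kind = iota // type a: authentication data
	flashReq              // type b: write/read request for the flash memory
	otherData             // type c: anything else
)

type message struct {
	kind    kind
	write   bool
	block   int
	payload []byte
}

var (
	errAuthFailed = errors.New("authentication failed")
	errLocked     = errors.New("flash access flag not active, request discarded")
)

// disk models the state kept on the card. credential is a stand-in for the
// certificate-based check the Applet authentication program performs.
type disk struct {
	flash      map[int][]byte
	credential []byte
	unlocked   bool // flash access flag 202
	n, m       int  // audited unauthorized attempts, and their threshold
	formatted  bool // true once the self-destruct format has run
}

func newDisk(credential []byte, m int) *disk {
	return &disk{flash: map[int][]byte{}, credential: credential, m: m}
}

// unauthorized is the audit step: count the attempt, then format the flash
// once n has reached m (the "m or more attempts" reading of the description).
func (d *disk) unauthorized() {
	d.n++
	if d.n >= d.m {
		d.flash, d.unlocked, d.formatted = map[int][]byte{}, false, true
	}
}

// handle is the control program: classify the incoming data, then dispatch.
func (d *disk) handle(msg message) ([]byte, error) {
	switch msg.kind {
	case authData:
		if subtle.ConstantTimeCompare(msg.payload, d.credential) != 1 {
			d.unauthorized()
			return nil, errAuthFailed
		}
		d.unlocked, d.n = true, 0 // assumption: success resets the counter
		return nil, nil
	case flashReq:
		if !d.unlocked {
			d.unauthorized() // assumption: I/O before authentication is counted
			return nil, errLocked
		}
		if msg.write {
			d.flash[msg.block] = append([]byte(nil), msg.payload...)
			return nil, nil
		}
		return d.flash[msg.block], nil
	}
	return nil, nil // type c: dropped, nothing is reported to the host
}

// unplug models removal from the host; assumption: the flag does not persist.
func (d *disk) unplug() { d.unlocked = false }

func main() {
	cred := []byte("constructed-credential")
	d := newDisk(cred, 3)
	d.handle(message{kind: authData, payload: cred})
	d.handle(message{kind: flashReq, write: true, payload: []byte("design.doc")})
	d.unplug() // the disk is lost and attached to a foreign host
	for i := 1; i <= 3; i++ {
		_, err := d.handle(message{kind: authData, payload: []byte("guess")})
		fmt.Printf("attempt %d: %v, formatted=%v\n", i, err, d.formatted)
	}
}
```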
The first kind of command used for data communication between the host 1 and the trusted USB flash disk 2 is the standard SCSI command 101; the trusted USB flash disk control program 201 running on the smart card operating system 203 handles these standard SCSI storage commands 101. The second kind of command used for data communication between the host 1 and the trusted USB flash disk 2 is the SCSI command 102. The host 1 communicates with the trusted USB flash disk 2 as follows:
1. First, the data format of the second kind of SCSI command 102 is defined for the trusted USB flash disk 2.
2. The second kind of SCSI command 102 is then used for data communication between the host 1 and the trusted USB flash disk 2.
The data format of the second kind of SCSI command 102 is defined as follows.
1. The format of the standard SCSI command 101 is:
SCSI command header | Data | Operation result
Here the "SCSI command header" is the command data sent to the device from outside; the "Data" part may be data sent from outside or data the device returns to the outside.
2. The format of the smart card command 103 is:
CLA | INS | P1 | P2 | Lc | Data | Le
Here "CLA" is the command class, "INS" is the instruction, "P1" and "P2" are parameters, "Lc" is the length of the "Data" field, "Data" is the data whose length "Lc" gives, and "Le" is the length of data the smart card is expected to return.
3. The format of the second kind of SCSI command 102 is:
SCSI command header | Tag 104 + smart card command 103 (= second kind of SCSI command 102) | Operation result
Here "tag 104" is the smart card command tag (104), whose format is defined as:
Tag name | Tag | Data
Command | {tag 1} | Command data of the smart card
Response | {tag 2} | Response data of the smart card
Status word | {tag 3} | Status word data of the smart card
Data communication between the host 1 and the trusted USB flash disk 2 using the second kind of SCSI command 102 proceeds as follows:
1. The host 1 sends data tagged "command".
2. The host 1 sends data tagged "response" and fetches the response result.
3. The host 1 sends data tagged "status word" and fetches the status word.
1) The host 1 sends data tagged "command": the smart card command 103 is packed into the data of the SCSI command 102, processed according to the "command" tag of the smart card command tag 104, and then sent to the trusted USB flash disk 2.
2) The host 1 sends data tagged "response" to the trusted USB flash disk 2. The response result is processed by the Z32UF security controller 60 on the trusted USB flash disk 2, in these steps:
1. the response data is tagged and processed according to the "response" tag of the smart card command tag 104;
2. the status word is tagged and processed according to the "status word" tag of the smart card command tag 104.
3) The host 1 sends data tagged "status word" to the trusted USB flash disk 2. The host 1 fetches response data through the second kind of SCSI command 102 until all of it has been fetched, in these steps:
1. if response data exists, fetch it;
2. fetch the status word.
The data format of the second kind of SCSI command 102 is thus the communication protocol for the trusted USB flash disk 2.
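An added example (not the patent's own code) of the second kind of SCSI command: a tagged data phase that carries a smart card command, and the command, response, status word sequence the host follows. The opcode 0xC1 and the tag values 1, 2 and 3 are constructed, since the description leaves them as placeholders; the 10-byte CDB layout and the echo instruction (CLA 0x80, INS 0x10) are likewise assumptions standing in for the real firmware.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed values: the description names no opcode and leaves the tags as placeholders.
const opSmartCard byte = 0xC1 // hypothetical opcode in the vendor-specific range
const tagCommand, tagResponse, tagStatus byte = 1, 2, 3
var errStandardSCSI = errors.New("not a smart card frame: left to the storage control program")

type apdu struct { // short smart card command: CLA INS P1 P2 [Lc Data] [Le]
	CLA, INS, P1, P2 byte
	Data             []byte
	Le               int // expected response length, -1 when absent
}

// parseAPDU rejects an Lc that disagrees with the bytes actually received.
func parseAPDU(b []byte) (apdu, error) {
	if len(b) < 4 {
		return apdu{}, errors.New("APDU shorter than its header")
	}
	a := apdu{CLA: b[0], INS: b[1], P1: b[2], P2: b[3], Le: -1}
	switch body := b[4:]; {
	case len(body) == 1:
		a.Le = int(body[0])
	case len(body) > 1:
		lc := int(body[0])
		if lc == 0 || len(body) < 1+lc || len(body) > 2+lc {
			return apdu{}, errors.New("Lc does not match the data field")
		}
		a.Data = body[1 : 1+lc]
		if len(body) == 2+lc {
			a.Le = int(body[1+lc])
		}
	}
	return a, nil
}

// frame builds the second kind of SCSI command: opcode in the CDB, tag byte plus payload as data.
func frame(tag byte, payload []byte) (cdb, data []byte) {
	return []byte{opSmartCard, 0, 0, 0, 0, 0, 0, 0, 0, 0}, append([]byte{tag}, payload...)
}

type device struct { // result of the last card command, kept until the host collects it
	resp []byte
	sw   uint16
}

// handle is the device-side dispatch. The card application is a constructed
// stand-in: CLA 0x80 / INS 0x10 echoes its data, anything else is refused.
func (d *device) handle(cdb, data []byte) ([]byte, error) {
	if len(cdb) == 0 || cdb[0] != opSmartCard {
		return nil, errStandardSCSI
	}
	if len(data) == 0 {
		return nil, errors.New("smart card frame without a tag")
	}
	switch data[0] {
	case tagCommand:
		a, err := parseAPDU(data[1:])
		switch {
		case err != nil:
			d.resp, d.sw = nil, 0x6700 // wrong length
		case a.CLA != 0x80 || a.INS != 0x10:
			d.resp, d.sw = nil, 0x6D00 // instruction not supported
		default:
			d.resp, d.sw = append([]byte(nil), a.Data...), 0x9000 // success
		}
		return nil, nil
	case tagResponse:
		return d.resp, nil
	case tagStatus:
		return []byte{byte(d.sw >> 8), byte(d.sw)}, nil
	}
	return nil, errors.New("unknown smart card tag")
}

// transact is the host side: one frame per tag, in the order command, response, status word.
func transact(d *device, rawAPDU []byte) (resp []byte, sw uint16, err error) {
	if _, err = d.handle(frame(tagCommand, rawAPDU)); err != nil {
		return nil, 0, err
	}
	if resp, err = d.handle(frame(tagResponse, nil)); err != nil {
		return nil, 0, err
	}
	st, err := d.handle(frame(tagStatus, nil))
	if err != nil {
		return nil, 0, err
	}
	return resp, uint16(st[0])<<8 | uint16(st[1]), nil
}

func main() {
	resp, sw, err := transact(&device{}, []byte{0x80, 0x10, 0, 0, 3, 'a', 'b', 'c', 0}) // constructed APDU
	fmt.Printf("resp=%q sw=%04X err=%v\n", resp, sw, err)
}
```

Because the smart card command travels inside an ordinary SCSI data phase, the device has to validate the tag and the Lc field itself; a frame whose Lc overruns the received bytes is answered with status word 0x6700 here instead of being passed to the card application.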
The encryption and decryption operations are used for verification and signing.
With the technical scheme above, the invention solves the various security problems that exist in the use of ordinary USB flash disks. Its distinguishing feature is that, besides having the characteristics of an ordinary USB flash disk (a removable storage device with a USB interface), it addresses security comprehensively:
1. Tiered security-domain management (isolation of internal and external networks): use in environments of several different security levels is supported.
1. Mutual authentication: the private key of the trusted USB flash disk is generated in hardware, and PKI authentication is supported.
2. Multiple certificates: extensibility and compatibility.
2. Protection against leakage through loss: if the storage device is lost, no information leaks.
1. Storage encryption: hardware chip encryption is used, supporting the RSA, ECC, DH and ElGamal public-key algorithms, the DES, 3DES and AES symmetric algorithms, third-party cryptographic algorithms and a variety of special-purpose cryptographic algorithms.
2. Self-destruction: unauthorized access attempts are audited, and once the threshold is exceeded a format operation is carried out automatically.
With this technical scheme, the trusted USB flash disk fully supports the functional definition of a trusted storage device put forward by the TCG.
The TCG's functional definition of a trusted storage device:
1. enrollment and connection (enrollment & connection)
2. protected storage
3. locking and encryption (locking & encryption)
4. Security is higher than with software encryption, but the problem of data being copied off and analysed still cannot be solved.
5. cryptographic service
6. storage device features authorized to hosts (authorizing SD feature sets to hosts)
7. secure download of firmware
The marked differences between the invention and several existing secure USB disks are shown in the following table:
Security function | Trusted USB flash disk | Fingerprint-recognition secure USB disk | Encrypted secure USB disk based on file identifiers
Protection against leakage through loss | Hardware encryption, self-destruct | Hardware encryption | Software encryption
Security-domain (tiered) management | Supported (mutual authentication) | Not supported | Supported
Physical isolation | Supported (mutual authentication) | Not supported | Not supported
Extensibility and compatibility (multiple certificates) | Supported | Not supported | Not supported
Identity binding | Supported | Supported | Not supported
Description of drawings
Fig. 1 -- physical structure of an ordinary USB flash disk
Fig. 2 -- physical structure of the trusted USB flash disk
Fig. 3 -- software layer hierarchy inside the trusted USB flash disk
Fig. 4 -- operating flow of the self-destruct technique of the trusted USB flash disk
Fig. 5 -- access relationship between the host and the trusted USB flash disk of the invention
Fig. 6 -- generation and loading of the device certificate of the trusted USB flash disk of the invention
Fig. 7 -- generation of the host certificate of the invention
Fig. 8 -- mutual authentication process between the host and the trusted USB flash disk of the invention
Fig. 9 -- the Applet authentication program 113 controlling access to the trusted USB flash disk
Fig. 10 -- workflow of the Applet authentication program controlling access to the trusted USB flash disk
Fig. 11 -- block diagram of communication between host 1 and an ordinary USB flash disk
Fig. 12 -- block diagram of communication between host 1 and a smart card
Fig. 13 -- block diagram of communication between host 1 and the trusted USB flash disk 2
Fig. 14 -- host 1 communicating with the trusted USB flash disk 2 through the two kinds of SCSI command
Fig. 15 -- the three kinds of data that host 1 sends to the trusted USB flash disk 2
In the figures: 1 -- host; 2 -- trusted USB flash disk; 20 -- memory; 30 -- IO controller; 40 -- flash memory; 50 -- cryptographic coprocessor; 60 -- Z32UF60 security controller; 3 -- CA center, the authority that provides certificate request and verification services; 111 -- self-destruct program; 112 -- application that performs certificate verification; 113 -- Applet authentication program; 201 -- trusted USB flash disk control program; 202 -- flash access flag; 203 -- smart card operating system; 301 -- application that controls flash reads and writes; n -- the number of "unauthorized access attempts" (system default); m -- the preset threshold for the permitted number of unauthorized accesses.
Embodiment
The Trusted Computing tissue has proposed its indispensable attribute, function and characteristics to credible equipment:
1, Trusted Computing tissue (TCG, Trusted Computing Group) is defined as " credible ": credible is a kind of expectation, and equipment turns round in a particular manner according to specific purpose under this expectation.
According to the credible calculating platform standard implementation standard of Trusted Computing tissue, Trusted Computing should comprise following three attributes and function:
1., guarantee the uniqueness of user identity, integrality that the user job sky is asked and private ownership.
2., guarantee the integrality of hardware environment configuration, OS kernel, service and application program.
3., guarantee to store, the confidentiality/integrality of processing, information transmitted.
2, the Trusted Computing harpoon has worked up a series of complete standards to different terminal types and platform form, for example PC, server, mobile phone, communication network, software or the like, (TrustedPlatform Module, TPM) common form with hardware is embedded in various computing terminals to be used to provide more believable computing basis to the defined credible platform module of these standards.
3, credible calculating platform writes hardware chip with basic security functions such as encryption, deciphering, authentications, and guarantees that the information in the chip can not externally arbitrarily obtain by software.
Except the characteristics with common U disk (using the movable storage device of USB interface), credible USB flash disk has also been considered safe various aspects comprehensively:
3.1, security domain differentiated control (intranet and extranet isolation) function: be supported under the multiple different level of security environment and use
1. two-way authentication technology: credible USB flash disk private key generates on hardware, supports the PK1 authentication
2. many certificates technology: extensibility, compatibility
3.2, the anti-function of divulging a secret (under the situation that memory device is lost, information can not leaked) of losing:
1. storage encryption technology: adopt the hardware chip encryption technology, support public key algorithm (RSA, ECC etc.), symmetry algorithm (DES, 3DES etc.) and multiple special purpose system algorithm.
2. from the destruction technology: the unauthorized access attempt is audited, surpass threshold value and carry out format manipulation automatically.
In the present invention, the hardware of credible USB flash disk 2 differs from that of an ordinary USB flash disk. An ordinary USB flash disk consists mainly of four physical units: Flash controller 10, internal memory 20, IO controller 30 and flash memory 40.
Like an ordinary USB flash disk, the credible USB flash disk consists mainly of four basic units: the Z32UF controller, internal memory 20, IO controller 30 and flash memory 40. Flash controller 10 is replaced by Z32UF controller 60 (which comprises a smart card controller and a USB controller), and a cryptographic coprocessor 50 is added that supports the RSA, DH, ElGamal and ECC public-key algorithms, the DES, 3DES and AES symmetric cryptographic algorithms, and third-party cryptographic algorithms. A smart card operating system 203 written to the Java Card specification is installed on Z32UF security controller 60; running on it are control program 201, application program 301, self-destruct program 111, application program 112 used for certificate authentication, and Applet authentication program 113.
The programs 111 to 113 running on smart card operating system 203, together with the second kind of SCSI instruction, implement the credible USB flash disk's self-destruct technology, two-way authentication, flash read/write control, and the data communication between the credible USB flash disk and the computer. The credible USB flash disk of the present invention thereby fully supports the functions, communication, definitions and characteristics of trusted storage devices proposed by the Trusted Computing organization, as described above. Each is described in turn below:
1. Self-destruct technology: credible USB flash disk 2 carries operating system 203, which is based on a Java virtual machine, and self-destruct program 111 runs on it, so the self-destruct function can be implemented.
The "self-destruct" function means the following: the operating system audits access attempts, and when the number of unsuccessful access attempts exceeds a certain upper threshold, the system automatically formats the USB flash disk's storage space, to prevent confidential data stored on the credible USB flash disk from being read or copied without authorization. It is suited to situations with relatively high confidentiality requirements.
The credible USB flash disk audits access attempts; if the number n of consecutive unauthorized access attempts exceeds threshold m, the credible USB flash disk performs a format operation. The operation flow is shown in Figure 3.
The steps of the self-destruct method are as follows:
(1) Judgment step ①: after credible USB flash disk 2 receives an "access attempt" instruction, it judges whether this is "lawful access" ①; if "no", the flow enters audit step ③; if "yes", it enters the "end" step ②,
(2) Audit step ③: accumulates the number of "unauthorized access attempt" signals by adding 1 to n, then enters the next step ④, "whether threshold m is exceeded",
(3) Judgment step ④: after "n+1", the signal is passed to the "whether threshold m is exceeded" step ④; if "yes", the flow enters the "format operation" step ⑤; if "no", it enters the "end" step ②,
(4) "Format operation" step ⑤: after the system has received "m" or more "unauthorized access attempts", it performs the self-destruct operation of formatting the contents of the credible USB flash disk.
Here n is the number of unauthorized access attempts audited by the system, and m is the preset threshold for the permitted number of unauthorized accesses.
The range of threshold m is: a positive integer less than 1000.
2. Method of improving the access security of the credible USB flash disk with a two-way authentication mechanism based on digital certificates
As stated above, an ordinary USB flash disk is a removable storage device that uses USB, but it is also a transparent device: it has no access control or authentication and is unsuitable for users with high security requirements. Adding a two-way authentication mechanism based on digital certificates provides security control over access to the USB flash disk and can meet the USB flash disk security requirements of special sectors.
Digital certificates are introduced to fit the IT architecture of existing systems, so that the USB flash disk device can be integrated into the application system safely and effectively.
A digital certificate is a digital identity recognized by an authority (CA) and is widely used for authentication. A digital certificate corresponds to an asymmetric key pair; the key generally used is an RSA key pair 1024 bits long.
Two-way authentication is an authentication mode in which both the client's identity and the server's identity are authenticated. For a USB flash disk, the end it is plugged into, such as a PC, can be regarded as the server, and the USB flash disk itself as the client.
To achieve two-way authentication, application program 112, which can perform two-way authentication, runs on operating system 203 of the credible USB flash disk, and credible USB flash disk 2 stores an associated digital device certificate that represents its identity. The access end likewise stores a digital certificate representing its identity. Host side 1 authenticates credible USB flash disk 2 by the device certificate, and credible USB flash disk 2 authenticates host side 1 by the host certificate.
To verify the validity of certificates, a CA center is needed to provide certificate verification services. The IT environment of the access side can vary, for example with a multi-level CA architecture; the present invention shows only one CA center and does not consider its internal complexity.
As shown in Figure 5, host side 1 has at least one USB interface 11, and credible USB flash disk 2 is connected to host side 1 by being plugged into USB interface 11. Host side 1 is connected to CA center 3 over a network and can obtain the certificate services that CA center 3 provides, such as certificate application and verification.
Figure 6 shows the generation and loading of the credible USB flash disk's device certificate. The steps are as follows:
1. Host side 1 sends credible USB flash disk 2 a request to establish a channel,
2. Credible USB flash disk 2 responds and establishes the channel,
3. Host side 1 requests credible USB flash disk 2 to generate a public/private key pair,
4. Credible USB flash disk 2 responds, exports the public key and returns it to host side 1,
5. Host side 1 uses the public key of credible USB flash disk 2 to submit a certificate request to CA center 3,
6. CA center 3 generates the certificate of credible USB flash disk 2 and returns it to host side 1,
7. Host side 1 writes the certificate of credible USB flash disk 2 into credible USB flash disk 2, and at the same time writes the root certificate of CA center 3 into credible USB flash disk 2 for storage,
8. Credible USB flash disk 2 returns on successful execution.
Figure 7 illustrates the generation of the host-side certificate, which can follow the standard certificate application procedure. The steps are:
1. To generate the host side 1 certificate, a certificate is applied for from CA center 3 using the standard certificate application procedure,
2. CA center 3 returns the generated host side 1 certificate to host side 1, where it is saved, including the RSA key pair.
Figure 8 illustrates the mutual authentication process between the host side and the credible USB flash disk. The steps are:
1. Host side 1 initiates an authentication request,
2. Credible USB flash disk 2 responds to the authentication request; if credible USB flash disk 2 refuses the request, two-way authentication fails,
3. Host side 1 obtains the device certificate of credible USB flash disk 2 by interacting with credible USB flash disk 2,
4. Credible USB flash disk 2 returns its own digital certificate to host side 1,
5. Host side 1 sends a certificate verification request to CA center 3 to verify the validity of the device certificate of credible USB flash disk 2,
6. CA center 3 returns the verification result to host side 1; if CA center 3 considers the certificate of credible USB flash disk 2 invalid, two-way authentication fails,
7. Host side 1 generates the host-side challenge data and sends it to credible USB flash disk 2 together with the host side 1 certificate,
8. Credible USB flash disk 2 verifies the host side 1 certificate using the stored certificate of CA center 3; once verification passes, it signs the challenge data sent by the host with the private key corresponding to the certificate in credible USB flash disk 2, obtaining the "signature result". At the same time it generates the challenge data of credible USB flash disk 2 and sends it back to host side 1 together with the "signature result". If credible USB flash disk 2 considers the certificate of host side 1 invalid, two-way authentication fails,
9. Host side 1 verifies the "signature result" computed by credible USB flash disk 2, and at the same time digitally signs the challenge data produced by credible USB flash disk 2 and sends the signature to credible USB flash disk 2,
10. Credible USB flash disk 2 verifies the "signature result" produced by host side 1; on success, two-way authentication is complete. If verification of the signature produced by host side 1 fails in credible USB flash disk 2, two-way authentication fails.
Each of the 10 main steps of certificate-based two-way authentication between host side 1 and the smart card and USB flash disk composite device 2 involves an interaction of three commands: sending the "XXX command", sending the "response command" and sending the "status word command". The first is the specific command that host side 1 sends to the smart card and USB flash disk composite device 2, such as an authentication request; the "response" and "status word" commands are how host side 1 obtains the composite device's result for that specific command. Normally, if the result obtained by the "status word" command is 0x9000, the result is as expected; otherwise an error or warning is considered to have occurred.
To highlight the main steps of the mutual authentication process, the description below does not spell out the three commands that each step requires. The digital certificates involved in the steps below are in the standard X.509 certificate format, where CERT(1) denotes the digital certificate of host side 1, CERT(2) the digital certificate of the smart card and USB flash disk composite device 2, and CERT(3) the digital certificate of CA center 3.
Step 1: host side 1 sends the authentication request command "AUTH REQ" to the smart card and USB flash disk composite device 2.
Step 2: host side 1 obtains the response and status word of the smart card and USB flash disk composite device 2 for the authentication request command. A status word of 0x9000 means the composite device 2 has accepted host side 1's authentication request. Any other value means the composite device 2 has refused the authentication request; in that case two-way authentication fails and 0 is returned.
Step 3: host side 1 sends the get-certificate command "GET CERT" to the smart card and USB flash disk composite device 2.
Step 4: host side 1 obtains the response and status word of the smart card and USB flash disk composite device 2 for the get-certificate command. A status word of 0x9000 means the composite device 2 has accepted host side 1's get-certificate command, and the digital certificate CERT(2) stored in the composite device 2 is obtained in the "response command". Any other status word means the "GET CERT" command failed; two-way authentication fails and 0 is returned.
Step 5: host side 1 sends CA center 3 a certificate verification request, "CERTVERI", asking it to verify the certificate CERT(2) obtained from the smart card and USB flash disk composite device 2.
Step 6: host side 1 receives the return value from CA center 3. A return value of 1 means certificate verification succeeded; a return value of 0 means it failed, in which case two-way authentication fails and 0 is returned.
Step 7: host side 1 calls the system function rand() to generate a 16-byte random number RAND(1), concatenates it with host side 1's certificate CERT(1), and sends the result to the smart card and USB flash disk composite device 2 with the "HOST VERI" command. The composite device 2 temporarily stores host side 1's certificate CERT(1).
Step 8: the smart card and USB flash disk composite device 2 uses the stored CERT(3) to verify CERT(1). If verification fails, it informs host side 1 through the status word; two-way authentication fails and 0 is returned. If verification passes, the composite device 2 digitally signs RAND(1) to produce SIG(2), internally generates a 16-byte random number RAND(2), and concatenates SIG(2) with RAND(2). Host side 1 obtains the final result with the "response" and "status word" commands. If the status word is 0x9000, verification of the host side has passed; otherwise two-way authentication fails and 0 is returned.
Step 9: host side 1 obtains RAND(2), signs it with the private key corresponding to host side 1's certificate to produce SIG(1), and sends SIG(1) to the smart card and USB flash disk composite device 2 with the "UD VERI" instruction, in order to verify the smart card and USB flash disk composite device 2.
Step 10: after the composite device 2 obtains SIG(1), it verifies it with the temporarily stored CERT(1). If verification passes, the status word is set to 0x9000; if verification fails, the status word is set to a value other than 0x9000, indicating that two-way authentication failed. After host side 1 obtains the status word: if it is 0x9000, the two-way authentication based on digital certificates ends and returns to host side 1; otherwise 0 is returned, indicating that two-way authentication failed.
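The ten steps above as an added Go example, not code from the patent: a constructed CA, host and device run both certificate checks and both challenge signatures, and the returned error names the side that rejects. Assumptions not on the page: 2048-bit RSA keys, PKCS#1 v1.5 signatures over SHA-256, challenges drawn from crypto/rand rather than rand(), and certificate validation done locally in place of the "CERTVERI" request to the CA center; Party, Issue, verifyChain, prove and MutualAuth are hypothetical names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Party is a key pair with its X.509 certificate: CERT(1), CERT(2) or CERT(3).
type Party struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// Issue builds constructed credentials; a nil parent yields a self-signed CA.
func Issue(cn string, serial int64, parent *Party) (*Party, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // assumption: 2048-bit keys
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial),
		Subject:   pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	signer := parent
	if parent == nil {
		t.IsCA, t.KeyUsage, signer = true, x509.KeyUsageCertSign, &Party{key, t}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, signer.Cert, &key.PublicKey, signer.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Party{key, cert}, err
}

// verifyChain checks the issuer signature and validity period against one trusted CA.
func verifyChain(cert, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// prove runs one challenge-response: the verifier draws 16 random bytes, the prover
// signs them, and the verifier checks the result with the key in the prover's certificate.
func prove(p *Party) error {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return err
	}
	h := sha256.Sum256(c)
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.Key, crypto.SHA256, h[:])
	if err != nil {
		return err
	}
	return p.Cert.CheckSignature(x509.SHA256WithRSA, c, sig)
}

// MutualAuth replays steps 3 to 10 in order; nil means both directions passed.
// hostCA is the CA the host trusts, devCA the root certificate stored in the device.
func MutualAuth(host, dev *Party, hostCA, devCA *x509.Certificate) error {
	// Steps 3-6: the host obtains CERT(2) and has it validated (locally here).
	if err := verifyChain(dev.Cert, hostCA); err != nil {
		return fmt.Errorf("host rejects CERT(2): %w", err)
	}
	// Steps 7-8: the device validates CERT(1) with its stored CERT(3).
	if err := verifyChain(host.Cert, devCA); err != nil {
		return fmt.Errorf("device rejects CERT(1): %w", err)
	}
	// Steps 8-9: the device signs RAND(1) and the host checks SIG(2).
	if err := prove(dev); err != nil {
		return fmt.Errorf("host rejects SIG(2): %w", err)
	}
	// Steps 9-10: the host signs RAND(2) and the device checks SIG(1).
	if err := prove(host); err != nil {
		return fmt.Errorf("device rejects SIG(1): %w", err)
	}
	return nil
}

func main() {
	ca, _ := Issue("Example CA (constructed)", 1, nil)
	host, _ := Issue("host-1 (constructed)", 2, ca)
	dev, _ := Issue("udisk-2 (constructed)", 3, ca)
	fmt.Println("mutual authentication error:", MutualAuth(host, dev, ca.Cert, ca.Cert))
}
```

A party that presents a valid certificate without the matching private key passes the certificate check and fails at the signature step, which is what the two challenges add over certificate validation alone.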
3. Method of controlling access to the credible USB flash disk with the Applet authentication program
USB flash disks are widely used removable storage devices, mostly for data exchange. But a USB flash disk has no security protection mechanism of its own, which makes its use a security risk.
Access control schemes added to USB flash disks include passwords and fingerprints, but their security is relatively poor.
Smart card technology is also an access control technology, widely used in identity authentication and device authentication. By the implementation of the system-on-chip (SoC) in the card, cards are divided into file system cards and smart cards. A multi-application smart card is a smart card technology based on virtual machine technology.
At present, smart cards mostly use Java Card technology, and smart cards developed with Java Card technology can reach security level EAL4+.
Smart card technology has replaced file system card technology and is widely used in fields such as finance, telecommunications, government and the military.
In the present invention, smart card technology (Java Card) is combined with credible USB flash disk control technology, and Applet authentication program 113 on the smart card is used to control access to the credible USB flash disk's resources, which is what finally makes the USB flash disk a credible USB flash disk.
Because Applet authentication program 113 is an application running on smart card operating system 203, it can implement access control according to some logic. Applet authentication program 113 can also be downloaded and deleted, provided certain security conditions are met, which makes a secure credible USB flash disk with smart card features safer and more flexible to use.
Fig. 9 is a schematic diagram of access to the credible USB flash disk controlled by Applet authentication program 113 on the smart card. The left of the dashed dividing line in the figure represents the system external to the credible USB flash disk, such as a PC, and the right of the dashed line represents the credible USB flash disk described here, where:
Host side 1: the host to which credible USB flash disk 2 is attached, such as a PC.
In credible USB flash disk 2, besides credible USB flash disk control program 201, there is also a smart card operating system 203 implemented to the Java Card specification. Applet authentication program 113 runs on it and implements the flash resource access control logic internally.
Smart card operating system 203 keeps internally a flag 202 that controls reading and writing of the credible USB flash disk's flash memory. The flag is stored in a region protected by the smart card operating system; that is, no control program other than smart card operating system 203 can access it. Applet authentication program 113, however, can control the flag: it activates the flag when it allows the outside to read and write the credible USB flash disk (after the access control it implements internally has passed), and otherwise deactivates it.
When credible USB flash disk control program 201 receives data addressed to smart card operating system 203 ①, it hands the data to Applet authentication program 113 ② for processing. The data handled includes authentication requests, and the authentication is completed with the support of smart card operating system 203.
After successful authentication, Applet authentication program 113 activates flash access flag 202 ③; otherwise it deactivates it. Applet authentication program 113 also handles external instructions that deactivate flash access flag 202, in which case it deactivates the flag, that is, flash memory 40 does not allow read or write operations. When an instruction addressed to flash memory 40 arrives, flash access flag 202 is checked first ④; only if it is active is access to flash memory 40 allowed ⑤, otherwise the instruction is discarded. Credible USB flash disk control program 201 has read-only access to this flag and cannot modify it.
Figure 10 shows the workflow of the credible USB flash disk of the present invention (two processes: authentication and write/read). The implementation steps are as follows:
The system external to the credible USB flash disk, host side 1, sends data to be processed 101 to credible USB flash disk 2, where it is accepted by credible USB flash disk control program 201. Control program 201 checks the type of the packet; if it is authentication data a, it is sent to Applet authentication program 113 for processing. Applet authentication program 113 performs authentication 211 according to its built-in logic. If authentication 211 succeeds, Applet authentication program 113 activates flash access flag 202 with the help of smart card operating system 203 and enters authentication success 213; otherwise it enters authentication failure 214.
If the data is not authentication data but request data b to write/read the flash memory, a check 215 is made of whether flash access flag 202 is active 216. If it is, the data is written to flash memory 40; otherwise the data is discarded at 103 and corresponding error information is returned. If the data is other data c, neither authentication data a nor write/read flash request data b, it goes to 103 and is discarded directly, with no information returned to the outside.
The following uses authentication data as an example to illustrate how the Applet authentication program controls access to the credible USB flash disk:
For host side 1 to send authentication data, that is, the "authentication" command, to the smart card and USB flash disk composite device 2 and obtain the composite device's response result and status result, three instruction interactions are needed: sending the "authentication" command, the "response" command and the "status word" command.
If the smart card and USB flash disk composite device 2 receives the "authentication" command, Applet authentication program 113 verifies the authentication data. If verification passes, flash access flag 202 is set to 1, indicating successful activation 213; if verification does not pass, flash access flag 202 is set to 0 and 214 is entered, indicating that data cannot be saved to flash memory 40. If the composite device 2 receives the "response" command, it returns empty. If the composite device 2 receives the "status word" command, it returns the authentication result to host side 1. The implementation is as follows:
"Authentication" command
The content of the authentication command is 0x0180120000083131313131313131. Host side 1 sends this data to the smart card and USB flash disk composite device 2 via SCSI Passthrough to request authentication.
"Response" command
None.
"Status word" command
The content of the status word command is 0x03. Host side 1 sends this data to the smart card and USB flash disk composite device 2 via SCSI Passthrough and then obtains the composite device's status word. If 0x9000 is obtained, authentication succeeded, and the composite device 2 has set flash access flag 202 to 1; if a value other than 0x9000 is obtained, authentication failed, and flash access flag 202 in the composite device 2 is 0.
Both the method described above of improving credible USB flash disk access security with the two-way authentication mechanism based on digital certificates, and the process, illustrated with authentication data, by which the Applet authentication program controls access to the credible USB flash disk, are carried out between the credible USB flash disk and the computer over the communication protocol based on the second kind of SCSI instruction described below.
SCSI is the abbreviation of Small Computer System Interface. In computer storage technology, SCSI is used to connect devices such as external disks and scanners. When a computer communicates with these devices, data is generally packaged using the protocol defined by the SCSI specification. Removable storage media such as USB flash disks also follow the standard SCSI instruction format 101, which is as follows:
SCSI command header | Data | Operation result
Here the "SCSI command header" is data that the outside sends to the device, and the data part may be data sent by the outside or data that the device returns to the outside.
Instructions processed by a smart card are defined by the ISO 7816 specification and must be organized in a fixed format, otherwise the smart card will not accept them. The smart card instruction format is as follows:
CLA | INS | P1 | P2 | Lc | Data | Le
Here CLA is the instruction class, INS the instruction, P1 and P2 the parameters, Lc the length of the Data field, Data the data whose length Lc gives, and Le the length of the data the smart card is expected to return.
When the credible USB flash disk communicates with a computer, smart card technology has to control operations on the USB flash disk's resources, for example opening the USB flash disk's read/write channel only after authentication through the smart card.
To communicate with the credible USB flash disk, the problem to solve is how to carry a smart card instruction inside a SCSI packet.
In a PC system, the host and a USB flash disk communicate using standard SCSI instructions. Figure 11 is a block diagram of communication between host side 1 and an ordinary USB flash disk.
But besides the instructions from the operating system, the credible USB flash disk also receives other control instructions sent by application programs. These instructions are encapsulated in the smart card datagram format, the APDU (Application Protocol Data Unit). Figure 12 is a block diagram of communication between host side 1 and a smart card, and Figure 13 is a block diagram of communication between host side 1 and credible USB flash disk 2.
As stated above, Z32UF security controller 60 in credible USB flash disk 2 is also a smart card controller, so when the host communicates with Z32UF security controller 60, the smart card communication protocol must be packaged in SCSI datagram form; only then can the external system control Z32UF security controller 60, that is, credible USB flash disk 2.
A smart card operating system 203 written to the Java Card specification is installed on Z32UF security controller 60 of credible USB flash disk 2, and control program 201 runs on it to handle the standard SCSI storage instructions 101. The first kind of instruction for data communication between host side 1 and credible USB flash disk 2 is the standard SCSI instruction 101; the second kind is the SCSI instruction 102 that carries a smart card instruction. Defining the data format of the second kind of SCSI instruction 102, that is, laying down the communication protocol for the credible USB flash disk, solves the problem of communication between the computer and the credible USB flash disk.
The method and steps by which host side 1 carries out data communication with credible USB flash disk 2 are:
1. First, define the data format of the second kind of SCSI instruction 102 for credible USB flash disk 2,
2. Then use this second kind of SCSI instruction 102 to carry out data communication between host side 1 and credible USB flash disk 2.
The data format of the second kind of SCSI instruction 102 is defined as follows:
1. The format of the standard SCSI instruction 101 is:
SCSI command header | Data | Operation result
Here the "SCSI command header" is the command data that the outside sends to the device, and the "data" part may be data sent by the outside or data that the device returns to the outside,
2. The format of smart card instruction 103 is:
CLA | INS | P1 | P2 | Lc | Data | Le
Here "CLA" is the instruction class, "INS" the instruction, "P1" and "P2" the parameters, "Lc" the length of the "Data" field, "Data" the data whose length "Lc" gives, and "Le" the length of the data the smart card is expected to return.
3. The format of the second kind of SCSI instruction 102 is as follows:
SCSI command header | Marker 104 + smart card instruction 103 = second kind of SCSI instruction 102 | Operation result
Here "marker 104" is the smart card instruction marker (104), whose format is defined as follows:
Marker name | Marker | Data
Command | {marker 1} | Command instruction data of the smart card
Response | {marker 2} | Response instruction data of the smart card
Status word | {marker 3} | Status word data of the smart card
Using this second kind of SCSI instruction 102, the steps of data communication between host side 1 and credible USB flash disk 2 are as follows:
1. Host side 1 sends data marked "command",
2. Host side 1 sends data marked "response" and fetches the response result,
3. Host side 1 sends data marked "status word" and fetches the status word.
1) Host side 1 sends data marked "command": smart card command instruction 103 is packaged as the data of the second kind of SCSI instruction 102, processed according to the "command" marker in smart card instruction marker 104, and then sent to credible USB flash disk 2,
2) Host side 1 sends data marked "response" to credible USB flash disk 2. The response result of credible USB flash disk 2 is processed by Z32UF security controller 60 on credible USB flash disk 2, in these steps:
1. the response data is marked according to the "response" marker in smart card instruction marker 104,
2. the status word is marked according to the "status word" marker in smart card instruction marker 104,
3) Host side 1 sends data marked "status word" to credible USB flash disk 2. Host side 1 obtains the response data through the second kind of SCSI instruction 102 until all of it has been fetched, in these steps:
1. obtain the response data, if any,
2. obtain the status word.
The data format of the second kind of SCSI instruction 102 is the communication protocol for credible USB flash disk 2.
The credible USB flash disk is a passive device: it cannot return response results to the host on its own initiative. The host has to fetch the results by actively sending instructions marked "response" and "status word".
Figure 14 is a schematic diagram of host side 1 communicating with credible USB flash disk 2 through the two kinds of SCSI instruction, and Figure 15 is a schematic diagram of the three kinds of data that host side 1 sends to credible USB flash disk 2.
The implementation of the present invention is illustrated below with an example in which host side 1 sends a "select file" command to the smart card and USB flash disk composite device 2 and then sends the "response" and "status word" markers to obtain the composite device's response data and status word:
Three markers are defined, corresponding to "command", "response" and "status word" respectively:
Command marker | 0x01
Response marker | 0x02
Status word marker | 0x03
Host side 1 sends the "command" marker to the smart card and USB flash disk composite device 2
The "select file" APDU 103 instruction, corresponding to data marked "command", is as follows:
CLA | INS | P1 | P2 | Lc | Data | Le
0x00 | 0xa4 | 0x04 | 0x00 | 0x02 | 0x3f01 | None
Here the Data part is the identifier (0x3f01) of a file that exists in the smart card and USB flash disk composite device.
The data content to send, as defined by the second kind of SCSI instruction format, is 0x0100a40400023f01; this data is then sent to the composite device 2 via SCSI Passthrough.
Host side 1 sends the "response" marker to the smart card and USB flash disk composite device 2. The data content to send, as defined by the second kind of SCSI instruction format, is 0x02; this data is then sent to the composite device 2 via SCSI Passthrough, and the composite device's response, 0x00, is obtained.
Host side 1 sends the "status word" marker to the smart card and USB flash disk composite device 2. The data content to send, as defined by the second kind of SCSI instruction format, is 0x03; this data is then sent to the composite device 2 via SCSI Passthrough, and the status word returned by the composite device 2 is obtained: 0x9000.
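The command, response and status word exchange above, together with the flash access flag 202 check and the self-destruct counter described earlier, as an added Go example that is not code from the patent. It models the device side for the page's two payloads (0x0100a40400023f01 and 0x0180120000083131313131313131); comparing against a stored reference value, formatting when n reaches m, resetting n on success and the status words other than 0x9000 are assumptions, and Device, Handle, Exchange and WriteFlash are hypothetical names.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Markers and 0x9000 are from the page; the other two status words are assumed.
const (
	MarkCommand, MarkResponse, MarkStatus = 0x01, 0x02, 0x03
	swOK, swAuthFailed, swRejected        = 0x9000, 0x6982, 0x6F00
)

// Device models control program 201 together with the applet state it consults.
type Device struct {
	Secret              []byte // reference authentication data (assumed applet logic)
	Threshold, failures int    // m and n: allowed and consecutive failed attempts
	flagOpen            bool   // flash access flag 202
	Flash               []byte
	Formatted           bool
	resp                []byte // held until the host sends the "response" marker
	sw                  uint16 // held until the host sends the "status word" marker
}

// parseAPDU splits CLA INS P1 P2 [Lc Data] [Le] and rejects an inconsistent Lc.
func parseAPDU(b []byte) (ins byte, data []byte, err error) {
	if len(b) < 4 {
		return 0, nil, errors.New("APDU header shorter than 4 bytes")
	}
	if len(b) <= 5 { // header only, or header plus Le
		return b[1], nil, nil
	}
	lc, n := int(b[4]), len(b)-5
	if lc == 0 || (n != lc && n != lc+1) {
		return 0, nil, errors.New("Lc does not match the data length")
	}
	return b[1], b[5 : 5+lc], nil
}

// run executes one smart card instruction and returns response data and status word.
func (d *Device) run(apdu []byte) ([]byte, uint16) {
	ins, data, err := parseAPDU(apdu)
	switch {
	case err != nil:
		return nil, swRejected
	case ins == 0xA4 && bytes.Equal(data, []byte{0x3F, 0x01}): // "select file"
		return []byte{0x00}, swOK
	case ins != 0x12: // unknown file or instruction; only "authentication" is left
		return nil, swRejected
	case len(data) > 0 && subtle.ConstantTimeCompare(data, d.Secret) == 1:
		d.flagOpen, d.failures = true, 0
		return nil, swOK
	}
	d.flagOpen = false
	if d.failures++; d.failures >= d.Threshold {
		d.Flash, d.Formatted = nil, true // self-destruct: format the storage
	}
	return nil, swAuthFailed
}

// Handle takes the data field of a second-kind SCSI instruction; the device is passive.
func (d *Device) Handle(p []byte) []byte {
	switch {
	case len(p) > 1 && p[0] == MarkCommand:
		d.resp, d.sw = d.run(p[1:])
	case len(p) == 1 && p[0] == MarkResponse:
		return d.resp
	case len(p) == 1 && p[0] == MarkStatus:
		return []byte{byte(d.sw >> 8), byte(d.sw)}
	}
	return nil // a command returns nothing; other data is dropped silently
}

// WriteFlash is the standard (first-kind) SCSI write path: it reads flag 202 only.
func (d *Device) WriteFlash(b []byte) error {
	if !d.flagOpen {
		return errors.New("flash access flag inactive, request discarded")
	}
	d.Flash = append(d.Flash, b...)
	return nil
}

// Exchange is the host side: command, then response, then status word.
func Exchange(d *Device, command []byte) (resp []byte, sw uint16) {
	d.Handle(command)
	resp = d.Handle([]byte{MarkResponse})
	s := d.Handle([]byte{MarkStatus})
	return resp, uint16(s[0])<<8 | uint16(s[1])
}

func main() {
	d := &Device{Secret: []byte("11111111"), Threshold: 3} // constructed values
	_, sw := Exchange(d, []byte("\x01\x80\x12\x00\x00\x0811111111"))
	fmt.Printf("status word %04X, flash write error: %v\n", sw, d.WriteFlash([]byte("x")))
}
```

The flag is written only on the applet path and merely read on the storage path, mirroring the read-only access the page gives control program 201.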
Explanation of terms:
(1) Host side 1: the host to which the credible USB flash disk is attached, such as a PC
(2) Credible USB flash disk control program 201: the program in the credible USB flash disk that interprets packet contents; it mainly parses authentication data and credible USB flash disk read/write request data
(3) Smart card operating system 203: a smart card operating system based on virtual machine technology, implemented to the Java Card specification; it is responsible for running the authentication program and maintaining the flash access flag
(4) Self-destruct program 111: the program by which the operating system audits access attempts and, when unsuccessful access attempts exceed a certain threshold, the system automatically formats the USB flash disk's storage space.
(5) Certificate authentication program 112: an application running on smart card operating system 203 that performs certificate authentication.
(6) Applet authentication program 113: an application running on smart card operating system 203 that can implement access control according to some logic; it is generally written in the Java language and embodies a particular authentication logic.
(7) Flash memory 40: a NAND-type storage chip used to store data.
(8) Flash access flag 202: a flag held in a register or EEPROM of the credible USB flash disk; it can only be activated or deactivated by the authentication program.
By using the self-destruct program, the certificate authentication program, the Applet authentication program and SCSI instructions that carry smart card instructions, the present invention solves well both the security problem of the credible USB flash disk and the problem of data communication between the computer and the credible USB flash disk.
The present invention provides very strong confidentiality and is suited to all kinds of special-requirement settings with high confidentiality requirements.
The hardware products in the present invention are domestically produced commercial products, and the smart card operating system and the various application programs are known technology.
Technical solutions identical or similar to the content of the present invention fall within the scope of protection of this patent.

Claims (15)

1. A credible USB flash disk device, comprising: a host side (1) having 1-4 USB interfaces (11), a CA center (3), internal memory (20), an IO controller (30) and flash memory (40), characterized in that it further comprises: a cryptographic coprocessor (50) supporting the RSA, DH, ElGamal and ECC public key algorithms, the DES, 3DES and AES symmetric cryptographic algorithms, and third-party cryptographic algorithms; a smart card operating system (203) written according to the Java Card technical specification; and a Z32UF security controller (60) that performs encryption and decryption operations through said cryptographic coprocessor (50); said cryptographic coprocessor (50) is integrated on the chip of said Z32UF security controller (60); said internal memory (20), IO controller (30), flash memory (40), cryptographic coprocessor (50) and Z32UF security controller (60) constitute the credible USB flash disk (2); said credible USB flash disk (2) is connected to the host side (1) by plugging into said USB interface (11); said host side (1) is connected to said CA center (3) over a network and can obtain the certificate request and verification services provided by said CA center (3); two-way authentication can be performed between said host side 1 and said credible USB flash disk 2, and said host side (1) and said credible USB flash disk (2) exchange data by means of two kinds of SCSI instructions.
2. A method for realizing credible USB flash disk security and a communication protocol between the credible USB flash disk and a computer, characterized in that: a smart card operating system (203) written according to the Java Card technical specification is installed on said Z32UF security chip controller (60) of said credible USB flash disk (2), and running on said smart card operating system (203) are a credible USB flash disk control program (201), an application program (301) that controls flash reading and writing, a program (111) that performs the logic judgment of whether the number of unauthorized accesses exceeds a threshold and carries out self-destruction, an application program (112) for certificate authentication, and an Applet authentication program (113); said smart card operating system (203) performs encryption and decryption operations through said cryptographic coprocessor (50); at the same time, 1. said smart card and USB flash disk composite device (2) stores a digital device certificate associated with it, representing its identity, and a digital certificate representing the identity of its access end is stored at its access end, 2. said host side (1) supports a standard certificate request method; the methods for realizing credible USB flash disk security and data communication between the computer and the credible USB flash disk are as follows:
1. a method by which the credible USB flash disk performs the logic judgment of whether the number of unauthorized accesses exceeds a threshold and carries out self-destruction,
2. a method of improving credible USB flash disk access security through a two-way authentication mechanism based on digital certificates,
3. a method of controlling access to the credible USB flash disk through the Applet authentication program,
4. a method of realizing data communication between the computer and the credible USB flash disk by defining a second kind of SCSI instruction.
3. The method for realizing credible USB flash disk security and the communication protocol between the credible USB flash disk and the computer as claimed in claim 2, characterized in that:
Said self-destruct program (111), installed on the operating system (203) of said credible USB flash disk (2), can control access through the USB interface, performs the logic judgment of whether the number of unauthorized accesses exceeds the threshold, and carries out the destruction action;
The steps of this self-destruct method are as follows:
(1) Determining step 1: after said credible USB flash disk (2) receives an "access attempt" instruction, it judges whether this is a "lawful access" (1); if "No", the flow enters audit step 3; if "Yes", the flow enters the "end" step 2;
(2) Audit step 3: used to accumulate the number of "unauthorized access attempt" signals; n is incremented by 1, and the flow then enters the next step, "whether threshold m is exceeded", step 4;
(3) Determining step 4: after the "n+1" operation, the signal is passed to the "whether threshold m is exceeded" judgment (5); if "Yes", the flow enters the "format operation" step 5; if "No", the flow enters the "end" step 2;
(4) "Format operation" step 5: after the system has received "m" or more "unauthorized access attempts", the self-destruct operation of formatting the storage contents of said credible USB flash disk (2) is carried out.
4. The method for realizing credible USB flash disk security and the communication protocol between the credible USB flash disk and the computer as claimed in claim 3, characterized in that: said (n) is the number of access attempts audited by the system, and said (m) is the preset threshold for the permitted number of unauthorized accesses.
5. The method for realizing credible USB flash disk security and the communication protocol between the credible USB flash disk and the computer as claimed in claim 2, characterized in that the method of improving credible USB flash disk access security through the two-way authentication mechanism based on digital certificates is as follows:
1. generation and loading of said credible USB flash disk device certificate,
2. generation of said host side 1 certificate,
3. two-way authentication between said host side 1 and said credible USB flash disk 2.
6. The method for realizing credible USB flash disk security and the communication protocol between the credible USB flash disk and the computer as claimed in claim 5, characterized in that the steps of generating and loading the device certificate of said credible USB flash disk (2) are as follows:
1. said host side (1) initiates a request to said credible USB flash disk (2) to set up a channel,
2. said credible USB flash disk (2) responds and sets up the channel,
3. said host side (1) requests said credible USB flash disk (2) to generate an RSA key pair,
4. said credible USB flash disk (2) responds, exports the public key and returns it to said host side (1),
5. said host side (1) submits a certificate request to said CA center (3) using the public key of said credible USB flash disk (2),
6. said CA center (3) generates the certificate of said credible USB flash disk (2) and returns it to said host side (1),
7. said host side (1) writes the certificate of said credible USB flash disk (2) into said credible USB flash disk (2), and at the same time writes the root certificate of said CA center (3) into said credible USB flash disk (2) for storage,
8. said credible USB flash disk (2) returns successful execution.
7. The method for realizing credible USB flash disk security and the communication protocol between the credible USB flash disk and the computer as claimed in claim 5, characterized in that the steps of generating the certificate of said host side (1) are as follows:
1. said host side (1) certificate generation: a certificate is applied for from said CA center (3) using the standard certificate request method,
2. said CA center (3) returns the generated certificate of said host side (1) to said host side (1).
8. The method for realizing credible USB flash disk security and the communication protocol between the credible USB flash disk and the computer as claimed in claim 5, characterized in that the steps of two-way authentication between said host side 1 and said credible USB flash disk 2 are as follows:
1. said host side (1) initiates an authentication request,
2. said credible USB flash disk (2) responds to the authentication request; if said credible USB flash disk (2) refuses the authentication request, the two-way authentication fails,
3. said host side (1) obtains the device certificate of said credible USB flash disk (2) by interacting with said credible USB flash disk (2),
4. said credible USB flash disk (2) returns its own digital certificate to said host side (1),
5. said host side (1) initiates a certificate verification request to said CA center (3) to verify the validity of the device certificate of said credible USB flash disk (2),
6. said CA center (3) returns the verification result to said host side (1); if said CA center (3) considers the certificate of said credible USB flash disk (2) invalid, the two-way authentication fails,
7. said host side (1) generates the host-side challenge data and sends this data together with the certificate of said host side (1) to said credible USB flash disk (2),
8. said smart card and USB flash disk composite device uses the stored certificate of said CA center (3) to verify the certificate of said host side (1); after verification passes, it signs the challenge data sent by the host using the private key corresponding to the certificate in said credible USB flash disk (2), obtaining the "signature result"; at the same time it generates the challenge data of said credible USB flash disk (2) and sends it back to said host side (1) together with the "signature result"; if said credible USB flash disk (2) considers the certificate of said host side (1) invalid, the two-way authentication fails,
9. said host side (1) verifies the "signature result" computed by said credible USB flash disk (2), and at the same time digitally signs the challenge data produced by said credible USB flash disk (2) and sends the signature to said credible USB flash disk (2),
10. said credible USB flash disk (2) verifies the "signature result" produced by said host side (1); on success the two-way authentication is complete; if verification of the signature produced by said host side (1) fails in said credible USB flash disk (2), the two-way authentication fails.
9. The method for realizing credible USB flash disk security and the communication protocol between the credible USB flash disk and the computer as claimed in claim 2, wherein the steps of the method of controlling access to the credible USB flash disk through the Applet authentication program are as follows:
1. pending data (101): said host side (1) sends data to said credible USB flash disk (2); this data is of three kinds:
Authentication data (a),
Request data for writing/reading flash memory (b),
Other data (c),
All three kinds of data are received by the control program (201) of said credible USB flash disk, and the flow enters the next step,
2. the control program (201) of said credible USB flash disk detects the type (201) of said pending data (101),
3. if it is said authentication data (a), it is sent to said Applet authentication program (113) for processing,
4. said Applet authentication program (113) performs authentication processing on said authentication data (a),
5. judge whether authentication succeeded; if authentication succeeds, said Applet authentication program (113) activates said flash memory access flag (202) through said smart card operating system (203), and the flow enters authentication success (213),
6. otherwise, the flow enters authentication failure (214),
7. if the data is not authentication data but said request data for writing/reading flash memory (b), the flow enters check flash memory access flag (215),
8. judge whether the flash memory access flag (215) is activated (216); if it is not activated, the flow enters (103) and the data is discarded,
9. if it is activated, the data is written to said flash memory (40) for storage; otherwise the flow enters pending data (101) and the corresponding error information is returned,
10. if it is said other data (c), the flow goes directly to (103) and the data is discarded, and no information is returned externally.
10. The method for realizing credible USB flash disk security and the communication protocol between the credible USB flash disk and the computer as claimed in claim 2, wherein the first kind of instruction realizing data communication between said host side (1) and said credible USB flash disk (2) is the standard SCSI instruction (101), and the credible USB flash disk control program (201) running on said smart card operating system (203) is used to process this standard SCSI instruction (101) for storage, characterized in that: the second kind of instruction realizing data communication between said host side (1) and said credible USB flash disk (2) is SCSI instruction (102), and the method and steps by which said host side (1) carries out data communication with said credible USB flash disk (2) are:
1. first, the data format of the second kind of SCSI instruction (102) is defined for said credible USB flash disk (2),
2. at the same time, this second kind of SCSI instruction (102) is used to realize the data communication between the host side (1) and said credible USB flash disk (2).
11. The method for realizing credible USB flash disk security and the communication protocol between the credible USB flash disk and the computer as claimed in claim 10, characterized in that the process of defining the data format of said second kind of SCSI instruction (102) is as follows:
1. the format of said standard SCSI instruction (101) is as follows:
SCSI command header | Data | Operation result
where the "SCSI command header" is the command data sent to the device from outside, and the "Data" part may be data sent from outside or data that the device returns to the outside,
2. the format of said smart card instruction (103) is as follows:
CLA | INS | P1 | P2 | Lc | Data | Le
where "CLA" is the command class, "INS" is the instruction, "P1" and "P2" are the parameters, "Lc" is the length of the "Data" field, "Data" is the data whose length is given by "Lc", and "Le" is the length of the data the smart card is expected to return.
3. the format of said second kind of SCSI instruction (102) is as follows:
SCSI command header | Tag 104 + smart card instruction 103 = second kind of SCSI instruction 102 | Operation result
where "tag 104" is the smart card instruction tag (104), whose format is defined as follows:
Tag name | Tag | Data
Command | {tag 1} | Command instruction data of the smart card
Response | {tag 2} | Response instruction data of the smart card
Status word | {tag 3} | Status word data of the smart card
12. The method for realizing credible USB flash disk security and the communication protocol between the credible USB flash disk and the computer as claimed in claim 11, characterized in that the steps of using this second kind of SCSI instruction (102) to realize data communication between said host side (1) and said credible USB flash disk (2) are as follows:
1. said host side (1) sends data tagged "command",
2. said host side (1) sends data tagged "response" and fetches the response result,
3. said host side (1) sends data tagged "status word" and fetches the status word.
13. The method for realizing credible USB flash disk security and the communication protocol between the credible USB flash disk and the computer as claimed in claim 12, characterized in that:
1) said host side (1) sends data tagged "command": said smart card command instruction (103) is packed into the data of said SCSI instruction (102), handled according to the "command" tag in the smart card instruction tag (104), and then sent to said credible USB flash disk (2),
2) said host side (1) sends data tagged "response" to said credible USB flash disk (2); the response result of said credible USB flash disk (2) is processed by said Z32UF security controller (60) on said credible USB flash disk (2), in the following steps:
1. the response data is tagged, handled according to the "response" tag in the smart card instruction tag (104),
2. the status word is tagged, handled according to the "status word" tag in the smart card instruction tag (104),
3) said host side (1) sends data tagged "status word" to said credible USB flash disk (2); said host side (1) obtains the response data through said second kind of SCSI instruction (102) until all of it has been fetched, in the following steps:
1. if response data exists, obtain the response data,
2. obtain the status word.
14. The method for realizing credible USB flash disk security and the communication protocol between the credible USB flash disk and the computer as claimed in claim 2, characterized in that: the data format of said second kind of SCSI instruction (102) is the communication protocol with said credible USB flash disk (2).
15. The method for realizing credible USB flash disk security and the communication protocol between the credible USB flash disk and the computer as claimed in any one of claims 1-14, characterized in that: said encryption and decryption operations are used for verification and signing.
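The data-type dispatch of claim 9 combined with the audit counter of claims 3 and 4, as an added Python model that is not code from the patent. Assumptions: a shared-secret comparison stands in for the Applet's identification logic, a failed authentication is what the audit step counts as an unauthorized access attempt, and the class and method names are hypothetical.

```python
# Added model of the claim 9 dispatch and the claim 3/4 audit counter.
# Assumptions (not in the patent): a shared-secret comparison stands in for the
# Applet's identification logic, and a failed authentication is what the audit
# step counts as an unauthorized access attempt.
import hmac


class CredibleDiskModel:
    def __init__(self, secret, threshold_m):
        if threshold_m < 1:
            raise ValueError("threshold m must be at least 1")
        self._secret = bytes(secret)
        self.m = threshold_m       # preset threshold of permitted attempts
        self.n = 0                 # audited unauthorized access attempts
        self.flag_active = False   # flash memory access flag (202)
        self.flash = {}            # constructed stand-in for flash memory (40)
        self.formatted = False

    def submit(self, kind, **fields):
        """Control program (201): route pending data by its type."""
        if kind == "auth":                      # authentication data (a)
            return self._authenticate(fields.get("credential", b""))
        if kind in ("read", "write"):           # flash request data (b)
            return self._flash_request(kind, fields)
        return None                             # other data (c): dropped silently

    def _authenticate(self, credential):
        # Constant-time comparison so timing does not leak the secret.
        if hmac.compare_digest(self._secret, bytes(credential)):
            self.flag_active = True             # only authentication sets the flag
            return "auth-ok"
        self._audit_unauthorized()
        return "auth-failed"

    def _audit_unauthorized(self):
        """Audit step: n is incremented, then compared with threshold m."""
        self.n += 1
        if self.n >= self.m:                    # "m or more" attempts: format
            self.flash.clear()
            self.flag_active = False
            self.formatted = True

    def _flash_request(self, kind, fields):
        if not self.flag_active:
            return None                         # flag not activated: discard
        block = fields["block"]
        if kind == "write":
            self.flash[block] = bytes(fields["data"])
            return "written"
        return self.flash.get(block, b"")


if __name__ == "__main__":
    disk = CredibleDiskModel(b"1234", threshold_m=3)
    print(disk.submit("write", block=0, data=b"x"))   # None: flag inactive
    print(disk.submit("auth", credential=b"1234"))    # auth-ok
    print(disk.submit("write", block=0, data=b"x"))   # written
```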
CNB2007100003300A 2007-01-08 2007-01-08 Reliable U disc, method for realizing reliable U disc safety and its data communication with computer Expired - Fee Related CN100498742C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2007100003300A CN100498742C (en) 2007-01-08 2007-01-08 Reliable U disc, method for realizing reliable U disc safety and its data communication with computer

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2007100003300A CN100498742C (en) 2007-01-08 2007-01-08 Reliable U disc, method for realizing reliable U disc safety and its data communication with computer

Publications (2)

Publication Number Publication Date
CN101051292A true CN101051292A (en) 2007-10-10
CN100498742C CN100498742C (en) 2009-06-10

Family

ID=38782713

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2007100003300A Expired - Fee Related CN100498742C (en) 2007-01-08 2007-01-08 Reliable U disc, method for realizing reliable U disc safety and its data communication with computer

Country Status (1)

Country Link
CN (1) CN100498742C (en)


Also Published As

Publication number Publication date
CN100498742C (en) 2009-06-10

Similar Documents

Publication Publication Date Title
CN101051292A (en) Reliable U disc, method for realizing reliable U disc safety and its data communication with computer
CN1294499C (en) Safety video frequency card in computer equipment with digital right managing system
CN1581118A (en) Secure device, information processing terminal, integrated circuit, application apparatus and method
CN1266875C (en) Content issuing/receiving method
CN1794256A (en) Data processing device, telecommunication terminal equipment and method for processing data by data processing equipment
CN1758590A (en) Information processing apparatus, information processing method, and program
CN1770688A (en) User authentication system
CN1758589A (en) Information processing apparatus, information processing method, and program
CN1324487C (en) Data storing device
CN1871568A (en) Program execution device
CN1380610A (en) System and method for testing computer device
CN1504028A (en) Cryptographic authentication with ephemeral modules
CN1788263A (en) Login system and method
CN1722046A (en) Safe processor and the program that is used for safe processor
CN1460225A (en) Data processing system, memory device, data processor, data processing method and program
CN1993684A (en) Memory card, data exchanging system and data exchanging method
CN1476580A (en) Content usage authority management system and management method
CN1302406A (en) Method and system for secure transactions in computer system
CN1423232A (en) IC card capable of carrying multiple card-management programmes
CN101076807A (en) Disposable cipher
CN101042736A (en) Smart card and method for accessing objects in smart card
CN1855808A (en) Device and method for providing security services
CN1365474A (en) Authentication system
CN1992586A (en) Electronic document management program, electronic document management system and electronic document management method
CN101042738A (en) Method for implementing smart card multi-application and data processing apparatus

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
DD01 Delivery of document by public notice

Addressee: Guo Tao

Document name: Review of business letter

DD01 Delivery of document by public notice

Addressee: Beijing Mingyu Technology Co., Ltd.

Document name: Notification of Termination of Patent Right

DD01 Delivery of document by public notice
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090610

Termination date: 20180108