CN101330428A - Apparatus for safe mobile client terminal of virtual special network and use method thereof - Google Patents

Info

Publication number: CN101330428A
Application number: CNA2008101035337A
Authority: CN (China)
Prior art keywords: mobile client, vpn, client terminal, safe mobile, storage chip
Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Other languages: Chinese (zh)
Inventors: 刘吉强, 杨武杰, 刘超, 韩臻, 陈雪志
Current assignee: Beijing Jiaotong University (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Beijing Jiaotong University
Application filed by Beijing Jiaotong University; priority to application CNA2008101035337A; published as CN101330428A (current status: pending).

Abstract

The invention relates to a secure mobile client device for a virtual private network (VPN) that prevents deliberate or accidental tampering with, or deletion of, the client application, combining security with convenience. The device comprises a control chip, a storage chip and an interface port, with the storage chip and the interface port both connected to the control chip. The invention further discloses a method of using the device, in which the device is constructed by the following steps: partitioning the storage chip into a hidden area, an optical-disc (CD-ROM) area and a file-security area; setting a user name, a user password and an administrator password; writing the VPN client configuration information and the server authentication certificate into the hidden area; and preparing an optical-disc image file containing the VPN client program and writing it into the CD-ROM boot area.

Description

Secure mobile client device for a virtual private network and method of using it
Technical field
The invention belongs to the field of VPN (virtual private network) security devices, and in particular concerns a secure mobile client device for a VPN built from a control chip and a storage chip, together with a method of using it. The device provides hidden protection of the VPN client program and its configuration information, two-stage authentication, and file encryption and decryption.
Background art
A virtual private network (Virtual Private Network, VPN) is an important component of network security and is increasingly used by enterprises and institutions; the secure remote-access scheme a VPN provides effectively solves the problem of secure communication between geographically separated departments of an organisation.
The most widely used VPN technology at present is IPsec VPN, but IPsec solutions require a fat client (a large application that must be deployed and maintained on the client machine), which brings many management problems and high support costs: the enterprise needs a large support staff to help end users install, maintain and troubleshoot the client. SSL VPN technology, which avoids installing a client, arose to overcome this, but its applicability is also quite limited: it concentrates on the database / application server / web server / browser pattern and is restricted in deployment method, coverage and authentication method. Moreover, "clientless" is not entirely true of SSL VPN: although the SSL VPN tunnel is started from the user's browser, a desktop agent (a Java applet or an ActiveX control) must often be downloaded to reach thin-client, client/server or other applications that are not suited to presentation as web pages. Given the limitations of the two mainstream VPN technologies, many VPN vendors offer both solutions to their customers, so the enterprise still has to deploy IPsec VPN and maintain client software on every PC while also dealing with the shortcomings of SSL VPN products described above.
USB keys sold for authentication generally have a small capacity: they can hold a few certificates but not a relatively large application. A USB flash disk used as ordinary storage is easily infected by viruses, so the files stored on it can be tampered with, stolen or deleted. Even products that combine a USB key with a flash disk, such as "secure USB disks" that join the key and the disk through a hub or control chip into one device, only provide authentication and encrypted storage: they stop others from using the device and prevent confidential files from being exposed if the device is lost, but once authentication has passed the stored files are still exposed to viruses and to deliberate or accidental tampering or destruction.
Summary of the invention
The purpose of the invention is to provide a secure mobile client device for a virtual private network that combines the advantages of IPsec VPN and SSL VPN, is cheap to maintain and is widely applicable. The VPN secure mobile client stores the client program on tamper-resistant removable storage, so no download or installation is needed when it is used; the client starts automatically, completes authentication and establishes a secure connection with the server, and the application program is protected against deliberate or accidental tampering or deletion, giving both security and convenience.
The technical scheme of the invention is: a secure mobile client device for a virtual private network, characterised in that it comprises a control chip, a storage chip and an interface port, the storage chip and the interface port each being connected to the control chip.
The storage chip is a Flash memory chip.
The method of using the secure mobile client device is characterised in that the device is constructed by the following steps:
---partitioning the storage chip into a hidden area, a CD-ROM area and a file-security area;
---setting a user name, a user password and an administrator password;
---writing the VPN client configuration information and the server authentication certificate into the hidden area;
---preparing an optical-disc image file containing the VPN client program and writing it into the CD-ROM boot area.
User login to the device comprises the following step:
--after the secure mobile client is inserted, the client starts automatically, prompts the user to log in and performs authentication; if authentication fails, the device cannot connect to the server normally and the file-security area cannot be accessed; if the user authenticates as an ordinary user, the client reads the certificate information and automatically performs mutual authentication with the remote server, establishing a secure tunnel.
Administrator login to the device comprises the following step:
The administrator logs in through the dedicated configuration tool; if authentication fails the device cannot be used; if administrator authentication passes, the administrator can reconfigure the secure mobile client or modify its configuration information after logging in, including changing the user name and user password, the administrator password, the size of each partition and the partition contents.
The effect of the invention is: the VPN secure mobile client builds the VPN tunnel with the SOCKS5 protocol, which works at the session layer of the OSI reference model; the client program is carried on removable storage, and the control chip provides hidden protection, automatic start of the client program and automatic identity authentication, avoiding the tedious installation and configuration of client programs and delivering a complete VPN solution.
The invention is described further below with reference to the drawings and an embodiment.
Description of drawings
Fig. 1 is the hardware block diagram of the VPN secure mobile client of the invention;
Fig. 2 is the program flow chart of the VPN secure mobile client of the invention.
Embodiment
As shown in Fig. 1, the secure mobile client device for a virtual private network comprises a control chip, a storage chip and an interface port; the storage chip and the interface port are each connected to the control chip, and the storage chip is a Flash memory chip.
The carrier of the VPN secure mobile client combines the advantages of a USB key and an ordinary USB disk while adding further security features. The control chip mediates every access to the storage medium and divides it into several functional areas: a hidden area, an emulated CD-ROM boot area and a file-security area.
Hidden area: the control chip carves a hidden partition out of the storage device to hold the identity certificates or PIN codes used for authentication between the user and the client and between the client and the server, together with the configuration information of the VPN client program. This partition is invisible to ordinary users, so it is protected from viruses and from deliberate or accidental tampering or destruction; even a user who mistakenly runs a format command cannot destroy the information in it. The protection rests on the control chip rather than on the host operating system: the hidden area is simply never presented to the host as accessible storage. When the client program is upgraded, the administrator can reload the configuration information into the hidden area.
Emulated CD-ROM boot area: modern Trojans often use the auto-start facility to spread and to damage the whole operating system, and Microsoft operating systems do not support auto-start from removable storage devices. This product uses the control chip to emulate a CD-ROM boot area on the removable device; the VPN client program is launched through the emulated CD-ROM, so no installation is needed and no stray files are left on the terminal. The emulated CD-ROM boot area is read-only by default, so ordinary users cannot tamper with or delete the VPN client program kept there. Whether the client actually launches without user action depends on the host's AutoRun/AutoPlay policy: later Windows versions prompt the user before running software from optical media instead of launching it silently. The chip's control program implements a modified Diffie-Hellman key exchange (IKE) and establishes the secure connection with the server through mutual authentication.
File-security area: the CPU's control program implements a symmetric encryption algorithm, and ordinary files are stored in the file-security area entirely as ciphertext, accessible only after correct password authentication. The encryption key is kept inside the CPU, and the CPU's secrecy attribute is set so that its contents can only be executed and cannot be read out, which protects the key stored in the CPU.
The VPN secure mobile client completes its secure connection with the server through two authentication stages. First, when the device is plugged into a PC, the client software starts automatically and prompts the user for the login password, which authenticates the user to the device. Second, after the client has authenticated the user, the device reads the user's identity information from the hidden area, and finally, by exchanging messages with the VPN server, the server authenticates the client. Important files that the user downloads from the company intranet over the VPN can be saved directly in the file-security area, preventing accidental leakage and protecting the stored files if the device is lost. When the client program is upgraded, the administrator uses the dedicated management tool to load the new client program into the CD-ROM partition; this does not affect the information the user keeps in the file-security area.
The method of using the VPN client device is: first, authentication of the user to the VPN secure mobile client: after the device is inserted, the VPN client starts automatically and prompts the user to log in; if authentication fails, the VPN server cannot be reached normally and the file-security area cannot be accessed; if the user authenticates as an ordinary user, proceed to the next step. Second, authentication between the client and the server: the VPN client reads the certificate information and automatically performs mutual authentication with the remote VPN server, establishing a secure tunnel. At this point the hidden area is invisible, and the system shows the CD-ROM partition (read-only) and the file-security area (read-write).
The construction steps are:
Initialisation: 1. In the initial state, the administrator uses the development interface to program the control chip so that it partitions the Flash storage chip into the hidden area, the CD-ROM area and the file-security area. 2. Through the development interface, the administrator sets the user name, the administrator password and the user password in the control chip. 3. Through the development interface, the VPN client configuration information and the server authentication certificate are written into the hidden area. 4. An auto-booting optical-disc image file containing the VPN client program is prepared, and the file is written into the CD-ROM area through the development interface. 5. The VPN secure mobile client is now in the safe state and construction is complete.
User login steps: 1. After the VPN secure mobile client is inserted, the VPN client starts automatically and prompts the user to log in; if authentication fails, the VPN server cannot be reached normally and the file-security area cannot be accessed; if the user authenticates as an ordinary user, go to step 2. 2. The VPN client reads the certificate information and automatically performs mutual authentication with the remote VPN server, establishing a secure tunnel; at this point the hidden area is invisible, and the system shows the CD-ROM partition (read-only) and the file-security area (read-write). 3. After logging in, the user can change the password by calling the configuration tool.
Administrator login steps: 1. The administrator logs in through the dedicated configuration tool; if authentication fails, the device cannot be used; if administrator authentication passes, go to step 2. 2. After logging in, the administrator can reconfigure the VPN secure mobile client or modify its configuration information, including changing the user name and user password, the administrator password, the size of each partition and the partition contents.
See Fig. 2 for the user login and administrator login flows.
Interface description:
CopyISO2USBKey(): copies the specified CD image to the USB key; restricted to the administrator, and the key must be in the initial state.
MakeUSBKey(): writes the CD configuration information; restricted to the administrator, and the key must be in the initial state.
EreaseUSBKey(): erases the USB key; restricted to the administrator.
GetUSBKeyUserName(): returns the user name of the USB key; the key must be in the safe state.
GetUSBKeyStatus(): returns the current state of the USB key, including the partition state and the current login status; the key must be in the safe state.
LoginUSBKey(): administrator or user login; the identity is selected by a parameter; the key must be in the safe state.
ChangeUSBKeyPass(): administrator or user password change; the identity is selected by a parameter; the key must be in the safe state.
ReadUSBKeyHiden(): reads the hidden area; the key must be in the safe state.
WriteUSBKeyHiden(): writes the hidden area; the key must be in the safe state.
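The three storage regions, the initial/safe states, the user and administrator login steps and the interface list above together describe an access-control state machine that lives in the control chip. The Python model below is an added example written for this page; it is not code from the patent or from Beijing Jiaotong University. The region names, the two roles, the two device states and the operation names follow the description and the interface list. Everything else is an assumption made for illustration: PBKDF2 password hashing, an HMAC-SHA256 counter-mode keystream standing in for the unnamed symmetric algorithm of the file-security area, provisioning through the development interface with no login (so CopyISO2USBKey and MakeUSBKey are folded into one call), the names make_usb_key, login, read_hidden, store_file, fetch_file, reimage_cdrom, erase and status, and the sample data in the usage note.

```python
# Added example (not the patent's firmware): a model of the access-control state machine the
# control chip is described as enforcing. Regions, roles, states and operation names follow the
# description; PBKDF2 hashing, the HMAC-SHA256 counter-mode keystream standing in for the unnamed
# symmetric cipher, no-login provisioning, and all sample data are assumptions.
import hashlib
import hmac
import os


class DeviceError(Exception):
    """The controller refused an operation in the current state or session."""


class SecureUsbKey:
    def __init__(self):
        self.state = "initial"      # MakeUSBKey -> "safe"; EreaseUSBKey -> "initial"
        self.session = None         # None, "user" or "admin" (LoginUSBKey)
        self.hidden = {}            # certificates and VPN config; never listed to the host
        self.cdrom = b""            # emulated CD-ROM region: read-only to users
        self.files = {}             # file-security region: name -> nonce + ciphertext
        self._creds = {}            # role -> (salt, PBKDF2 digest)
        self._fek = os.urandom(32)  # file-encryption key; exists only inside the chip

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _require(self, *roles):
        if self.session not in roles:
            raise DeviceError(f"needs one of {roles}; session is {self.session}")

    def _keystream_xor(self, nonce, data):
        """Counter mode over HMAC-SHA256(fek, nonce || counter); encrypts and decrypts alike."""
        out = bytearray()
        for counter, offset in enumerate(range(0, len(data), 32)):
            block = hmac.new(self._fek, nonce + counter.to_bytes(8, "big"), "sha256").digest()
            out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
        return bytes(out)

    # Provisioning via the development interface: initial state only, no login exists yet.
    def make_usb_key(self, user_name, user_pw, admin_pw, vpn_config, server_cert, iso_image):
        if self.state != "initial":
            raise DeviceError("MakeUSBKey: already provisioned; erase it first")
        for role, pw in (("user", user_pw), ("admin", admin_pw)):
            salt = os.urandom(16)
            self._creds[role] = (salt, self._digest(salt, pw))
        self.hidden = {"user_name": user_name, "vpn_config": vpn_config, "server_cert": server_cert}
        self.cdrom = iso_image              # CopyISO2USBKey folded in here
        self.state = "safe"

    def login(self, role, password):
        self.session = None                 # a failed attempt also drops any earlier session
        if self.state != "safe" or role not in self._creds:
            return False
        salt, digest = self._creds[role]
        if hmac.compare_digest(self._digest(salt, password), digest):
            self.session = role
        return self.session is not None

    def change_password(self, role, new_password):
        self._require("user", "admin")
        if role != self.session and self.session != "admin":
            raise DeviceError("a user may only change the user password")
        salt = os.urandom(16)
        self._creds[role] = (salt, self._digest(salt, new_password))

    def read_hidden(self, key):
        self._require("user", "admin")      # client reads certificates only after user login
        return self.hidden[key]

    def write_hidden(self, key, value):
        self._require("admin")              # administrator reloads configuration on upgrade
        self.hidden[key] = value

    def reimage_cdrom(self, iso_image):
        self._require("admin")              # client upgrade; the file region is untouched
        self.cdrom = iso_image

    def store_file(self, name, plaintext):
        self._require("user", "admin")
        nonce = os.urandom(16)
        self.files[name] = nonce + self._keystream_xor(nonce, plaintext)

    def fetch_file(self, name):
        self._require("user", "admin")
        blob = self.files[name]
        return self._keystream_xor(blob[:16], blob[16:])

    def erase(self):
        self._require("admin")
        self.__init__()                     # wipes every region, both credentials and the key

    def status(self):
        """GetUSBKeyStatus: what the host may learn; the hidden region is never listed."""
        regions = {"cdrom": "read-only"} if self.state == "safe" else {}
        if self.session is not None:
            regions["files"] = "read-write"
        return {"state": self.state, "session": self.session, "regions": regions}
```

A typical run provisions the device once (make_usb_key with constructed sample values such as user "alice", a VPN config dict and a placeholder certificate and ISO), attempts a wrong user password and confirms that read_hidden and store_file raise DeviceError, logs in correctly, stores and fetches a file and checks that the stored blob does not contain the plaintext, then logs in as administrator to reimage the CD-ROM region and erase the device. What the model makes explicit is that every protection the description lists (the hidden area that is never listed, the read-only CD-ROM region, the ciphertext-only file area, the key that never leaves the chip) is a decision taken inside the controller, not by the host; the host-side client only ever sees the results of these calls, so the property to verify on real firmware is that the controller's own checks, the _require calls here, cannot be skipped.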

Claims (5)

1. A secure mobile client device for a virtual private network, characterised in that it comprises a control chip, a storage chip and an interface port, the storage chip and the interface port each being connected to the control chip.
2. The secure mobile client device for a virtual private network according to claim 1, characterised in that the storage chip is a Flash memory chip.
3. A method of using the secure mobile client device for a virtual private network as claimed in claim 1 or 2, characterised in that the device is constructed by the following steps:
---partitioning the storage chip into a hidden area, a CD-ROM area and a file-security area;
---setting a user name, a user password and an administrator password;
---writing the virtual private network client configuration information and the server authentication certificate into the hidden area;
---preparing an optical-disc image file containing the virtual private network client program and writing it into the CD-ROM boot area.
4. The method of using the secure mobile client device for a virtual private network according to claim 3, characterised in that user login to the device comprises the following step:
--after the secure mobile client is inserted, the client starts automatically, prompts the user to log in and performs authentication; if authentication fails, the device cannot connect to the server normally and the file-security area cannot be accessed; if the user authenticates as an ordinary user, the client reads the certificate information and automatically performs mutual authentication with the remote server, establishing a secure tunnel.
5. The method of using the secure mobile client device for a virtual private network according to claim 3, characterised in that administrator login to the device comprises the following step:
The administrator logs in through the dedicated configuration tool; if authentication fails the device cannot be used; if administrator authentication passes, the administrator can reconfigure the secure mobile client or modify its configuration information after logging in, including changing the user name and user password, the administrator password, the size of each partition and the partition contents.
Bibliographic data

Application CNA2008101035337A, filed 2008-04-08 (priority date 2008-04-08), title "Apparatus for safe mobile client terminal of virtual special network and use method thereof"; published as CN101330428A on 2008-12-24; status: pending (later deemed withdrawn, see Legal Events). Family ID 40206030; single family member CN101330428A (country: CN).


Legal Events

Code / Title
C06, PB01: Publication
C10, SE01: Entry into substantive examination (entry into force of the request for substantive examination)
C02, WD01: Deemed withdrawal of the patent application after publication (patent law 2001); invention patent application deemed withdrawn after publication

Open (publication) date: 2008-12-24