Summary of the invention
To guarantee the security of the interaction between a USB device and a computer, the invention provides a method and a system for controlling a computer's access to USB devices. The technical scheme is as follows:
A method for controlling a computer's access to USB devices, the method comprising:
the computer loads a filter driver;
a USB device is connected to the computer;
the filter driver determines whether an authentication device is connected to the computer;
if yes, the filter driver intercepts the interaction data between the Plug and Play (PnP) manager of the computer and the USB bus driver, and, according to the verification data in that interaction data, the filter driver and the authentication device jointly verify whether the USB device is a legitimate device; when the USB device is a legitimate device, the filter driver sends the connection relationship data of the USB device contained in the interaction data to the PnP manager and saves that connection relationship data; when the USB device is an illegitimate device, the filter driver sends the last saved connection relationship data to the PnP manager;
if no, the filter driver sends emptied connection relationship data to the PnP manager; alternatively, the filter driver verifies, according to its preset default access control list, whether the USB device is a default-access device; when the USB device is a default-access device, the filter driver sends the connection relationship data of the USB device to the PnP manager; when the USB device is a non-default-access device, the filter driver sends emptied connection relationship data to the PnP manager.
The filter driver determining whether an authentication device is connected to the computer specifically comprises:
the filter driver sends a private command to the device object pointers of all USB devices connected to the computer, the device object pointers having been created by the USB bus driver when each USB device was connected to the computer;
the filter driver receives the value returned by each device object pointer;
the filter driver determines whether the returned value matches a value preset in the filter driver;
if it matches, the result is yes;
if it does not match, the result is no.
The filter driver intercepting the interaction data between the PnP manager of the computer and the USB bus driver specifically comprises:
the filter driver intercepts the data request packet issued by the PnP manager of the computer and forwards the data request packet to the USB bus driver;
the filter driver intercepts the connection relationship data of the USB device returned by the USB bus driver.
The verification data is specifically the hardware descriptor of the USB device;
the process of acquiring the hardware descriptor is specifically:
the filter driver compares the intercepted connection relationship data of the USB device with the connection relationship data it has saved;
when a USB device newly connected to the computer is present, the filter driver sends to the USB bus driver a request to obtain the hardware descriptor information of the USB device newly connected to the USB port, and receives the hardware descriptor of that USB device returned by the USB bus driver.
A USB device control list is preset in the authentication device, and the USB device control list stores the corresponding values computed by a preset algorithm from the hardware descriptors of the USB devices that are permitted to be used;
accordingly, the filter driver and the authentication device jointly verifying, according to the verification data in the interaction data, whether the USB device is a legitimate device specifically comprises:
the authentication device receives the hardware descriptor of the USB device sent by the filter driver via the USB bus driver;
within the authentication device, the hardware descriptor is processed with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device;
the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of the permitted USB devices, are enumerated;
if a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values, the USB device is a legitimate device; otherwise, the USB device is an illegitimate device.
A USB device control list is preset in the authentication device, and the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of the USB devices that are not permitted to be used;
accordingly, the filter driver and the authentication device jointly verifying, according to the verification data in the interaction data, whether the USB device is a legitimate device specifically comprises:
the authentication device receives the hardware descriptor of the USB device sent by the filter driver via the USB bus driver;
within the authentication device, the hardware descriptor is processed with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device;
the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of the USB devices that are not permitted to be used, are enumerated;
if a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values, the USB device is an illegitimate device; otherwise, the USB device is a legitimate device.
A USB device control list is preset in the authentication device, and the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of the USB devices that are permitted to be used;
accordingly, the filter driver and the authentication device jointly verifying, according to the verification data in the interaction data, whether the USB device is a legitimate device specifically comprises:
the authentication device receives the list acquisition message sent by the filter driver;
the authentication device encrypts the USB device control list with a predetermined encryption algorithm and sends it to the filter driver;
the filter driver decrypts it with the predetermined decryption algorithm to obtain the USB device control list;
the filter driver processes the hardware descriptor with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device;
the corresponding values in the decrypted USB device control list held by the filter driver, computed by the preset algorithm from the hardware descriptors of the permitted USB devices, are enumerated;
if a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values, the USB device is a legitimate device; otherwise, the USB device is an illegitimate device.
A USB device control list is preset in the authentication device, and the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of the USB devices that are not permitted to be used;
accordingly, the filter driver and the authentication device jointly verifying, according to the verification data in the interaction data, whether the USB device is a legitimate device specifically comprises:
the authentication device receives the list acquisition message sent by the filter driver;
the authentication device encrypts the USB device control list with the predetermined encryption algorithm and sends it to the filter driver;
the filter driver decrypts it with the predetermined decryption algorithm to obtain the USB device control list;
the filter driver processes the hardware descriptor with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device;
the corresponding values in the decrypted USB device control list held by the filter driver, computed by the preset algorithm from the hardware descriptors of the USB devices that are not permitted to be used, are enumerated;
if a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values, the USB device is an illegitimate device; otherwise, the USB device is a legitimate device.
A USB device control list is preset in the authentication device, and the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of the USB devices that are permitted to be used;
accordingly, the filter driver and the authentication device jointly verifying, according to the verification data in the interaction data, whether the USB device is a legitimate device specifically comprises:
the authentication device receives the hardware descriptor of the USB device sent by the filter driver via the USB bus driver;
within the authentication device, the hardware descriptor is processed with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device;
the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of the permitted USB devices, are enumerated;
the authentication device determines whether a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values;
the determination result is sent to the filter driver;
when the determination result is that such a value exists, the filter driver determines that the USB device is legitimate;
when the determination result is that no such value exists, the filter driver determines that the USB device is an illegitimate device.
A USB device control list is preset in the authentication device, and the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of the USB devices that are not permitted to be used;
accordingly, the filter driver and the authentication device jointly verifying, according to the verification data in the interaction data, whether the USB device is a legitimate device specifically comprises:
the authentication device receives the hardware descriptor of the USB device sent by the filter driver via the USB bus driver;
within the authentication device, the hardware descriptor is processed with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device;
the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of the USB devices that are not permitted to be used, are enumerated;
the authentication device determines whether a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values;
the determination result is sent to the filter driver;
when the determination result is that such a value exists, the filter driver determines that the USB device is an illegitimate device;
when the determination result is that no such value exists, the filter driver determines that the USB device is a legitimate device.
The default access control list is used to store the default-access devices that are permitted to access the computer by default;
accordingly, the filter driver verifying, according to its preset default access control list, whether the USB device is a default-access device specifically comprises:
when the USB device is present in the default access control list, the USB device is a default-access device;
when the USB device is not present in the default access control list, the USB device is a non-default-access device.
The default access control list is used to store the devices that are not permitted to access the computer by default;
accordingly, the filter driver verifying, according to its preset default access control list, whether the USB device is a default-access device specifically comprises:
when the USB device is present in the default access control list, the USB device is a non-default-access device;
when the USB device is not present in the default access control list, the USB device is a default-access device.
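The decision path of the method above (detecting the authentication device by its answer to the private command, joint verification of the hardware descriptor's corresponding value against a whitelist or blacklist USB device control list, and the default-access fallback when no authentication device is present) can be modelled in a few dozen lines. The following Python is an added example and not code from the patent: it assumes SHA-256 as the "preset algorithm", a constructed private-command response value, constructed descriptor strings, and that when several devices appear at once they are all checked before the relations are passed on.

```python
import hashlib
from typing import List, Optional, Sequence, Tuple

# Assumed value the filter driver expects back from the private command (constructed).
PRESET_VALUE = 0x5A5A


def descriptor_value(descriptor: bytes) -> str:
    """The 'preset algorithm' of the patent, assumed here to be SHA-256 over the descriptor."""
    return hashlib.sha256(descriptor).hexdigest()


class BusDevice:
    """A device object as created by the USB bus driver; carries the hardware descriptor."""

    def __init__(self, descriptor: bytes):
        self.descriptor = descriptor

    def private_command(self) -> Optional[int]:
        # Ordinary USB devices do not understand the private command.
        return None


class AuthenticationDevice(BusDevice):
    """The authentication device: answers the private command and holds the control list."""

    def __init__(self, descriptor: bytes, control_list: Sequence[bytes], mode: str):
        super().__init__(descriptor)
        assert mode in ("whitelist", "blacklist")
        self.mode = mode
        # Only corresponding values are stored in the list, never raw descriptors.
        self.control_values = {descriptor_value(d) for d in control_list}

    def private_command(self) -> Optional[int]:
        return PRESET_VALUE

    def verify(self, descriptor: bytes) -> bool:
        """Token-side half of the joint verification: enumerate stored values and compare."""
        hit = descriptor_value(descriptor) in self.control_values
        return hit if self.mode == "whitelist" else not hit


class FilterDriver:
    """Sits between the PnP manager and the USB bus driver and edits the relations it returns."""

    def __init__(self, default_access: Optional[Sequence[bytes]] = None,
                 default_mode: str = "whitelist"):
        self.saved_relations: Tuple[bytes, ...] = ()   # last relations handed to the PnP manager
        self.default_access = None if default_access is None else set(default_access)
        self.default_mode = default_mode

    def find_authentication_device(self, bus_devices: List[BusDevice]) -> Optional[AuthenticationDevice]:
        for dev in bus_devices:
            if dev.private_command() == PRESET_VALUE:
                return dev  # type: ignore[return-value]
        return None

    def is_default_access(self, descriptor: bytes) -> bool:
        present = descriptor in self.default_access  # type: ignore[operator]
        return present if self.default_mode == "whitelist" else not present

    def query_device_relations(self, bus_devices: List[BusDevice]) -> Tuple[bytes, ...]:
        """Intercepts the bus driver's reply to the PnP manager's relations query."""
        relations = tuple(dev.descriptor for dev in bus_devices)
        # Comparing with the saved relations tells the driver which devices are new.
        new_devices = [d for d in relations if d not in self.saved_relations]
        auth = self.find_authentication_device(bus_devices)
        if auth is None:
            if self.default_access is None:
                return ()                 # no token and no default list: emptied relations
            if all(self.is_default_access(d) for d in new_devices):
                return relations          # default-access devices are passed through
            return ()
        if all(auth.verify(d) for d in new_devices):
            self.saved_relations = relations
            return relations
        return self.saved_relations       # illegitimate device: replay the last saved relations


def demo() -> dict:
    """Constructed scenario: whitelist token, one approved disk, one unknown disk."""
    token_desc = b"VID_1234&PID_0001 auth token"      # constructed
    disk_ok = b"VID_0781&PID_5567 approved disk"      # constructed
    disk_bad = b"VID_ABCD&PID_EF01 unknown disk"      # constructed
    token = AuthenticationDevice(token_desc, [token_desc, disk_ok], "whitelist")
    drv = FilterDriver()
    return {
        "no_token": drv.query_device_relations([BusDevice(disk_ok)]),
        "token_and_ok": drv.query_device_relations([token, BusDevice(disk_ok)]),
        "token_ok_bad": drv.query_device_relations([token, BusDevice(disk_ok), BusDevice(disk_bad)]),
    }


if __name__ == "__main__":
    for name, rel in demo().items():
        print(name, [r.decode() for r in rel])
```

The unknown disk never reaches the PnP manager because the driver answers with the relations it last accepted, which is the mechanism the method uses instead of failing the request outright.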
A system for controlling a computer's access to USB devices, the system comprising: a computer, a USB device and an authentication device;
the computer comprises a loading module, a connection module and a filter driver;
the loading module is configured to load the filter driver;
the connection module is configured to connect the USB device to the computer;
the filter driver comprises:
a judging unit, configured to determine whether an authentication device is connected to the computer;
an interception unit, configured to, when the result of the judging unit is yes, intercept the interaction data between the PnP manager of the computer and the USB bus driver;
a verification unit, configured to jointly verify with the authentication device, according to the verification data in the interaction data intercepted by the interception unit, whether the USB device is a legitimate device, a USB device control list being preset in the authentication device;
a sending unit, configured to, when the verification result of the verification unit is that the USB device is a legitimate device, send the connection relationship data of the USB device contained in the interaction data to the PnP manager and save that connection relationship data; and, when the USB device is an illegitimate device, send the connection relationship data last saved in the filter driver to the PnP manager;
the sending unit is further configured to, when the result of the judging unit is no, send emptied connection relationship data to the PnP manager.
The judging unit comprises:
a sending subunit, configured to send a private command to the device object pointers of all USB devices connected to the computer, the device object pointers having been created by the USB bus driver when each USB device was connected to the computer;
a receiving subunit, configured to receive the value returned by each device object pointer;
a judgment subunit, configured to determine whether the returned value matches the value preset in the filter driver;
if it matches, the result is yes;
if it does not match, the result is no.
The interception unit specifically comprises:
a first interception subunit, configured to intercept the data request packet issued by the PnP manager of the computer;
a first forwarding subunit, configured to forward the data request packet to the USB bus driver;
a second interception subunit, configured to intercept the connection relationship data of the USB device returned by the USB bus driver.
The verification data is specifically the hardware descriptor of the USB device; the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of the USB devices that are permitted to be used;
accordingly, the authentication device specifically comprises:
a receiving module, configured to receive the hardware descriptor of the USB device sent by the filter driver via the USB bus driver;
a computing module, configured to process, within the authentication device, the hardware descriptor with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device;
an enumerating module, configured to enumerate the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of the permitted USB devices;
an authentication module, configured to authenticate the USB device as legitimate if a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values, and otherwise to authenticate the USB device as an illegitimate device.
The verification data is specifically the hardware descriptor of the USB device; the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of the USB devices that are not permitted to be used;
accordingly, the authentication device specifically comprises:
a receiving module, configured to receive the hardware descriptor of the USB device sent by the filter driver via the USB bus driver;
a computing module, configured to process, within the authentication device, the hardware descriptor with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device;
an enumerating module, configured to enumerate the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of the USB devices that are not permitted to be used;
an authentication module, configured to authenticate the USB device as an illegitimate device if a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values, and otherwise to authenticate the USB device as a legitimate device.
The verification data is specifically the hardware descriptor of the USB device; the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of the USB devices that are permitted to be used;
accordingly, the authentication device specifically comprises:
a receiving module, configured to receive the list acquisition message sent by the filter driver;
an encrypting and sending module, configured to encrypt the USB device control list with the predetermined encryption algorithm and send it to the filter driver;
the filter driver of the computer further comprises:
a decryption unit, configured to decrypt with the predetermined decryption algorithm to obtain the USB device control list;
a computing unit, configured to process the hardware descriptor with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device;
an enumerating unit, configured to enumerate the corresponding values in the decrypted USB device control list held by the filter driver, computed by the preset algorithm from the hardware descriptors of the permitted USB devices;
a determination unit, configured to determine that the USB device is a legitimate device if a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values, and otherwise to determine that the USB device is an illegitimate device.
The verification data is specifically the hardware descriptor of the USB device; the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of the USB devices that are not permitted to be used;
accordingly, the authentication device specifically comprises:
a receiving module, configured to receive the list acquisition message sent by the filter driver;
an encrypting and sending module, configured to encrypt the USB device control list with the predetermined encryption algorithm and send it to the filter driver;
the filter driver of the computer further comprises:
a decryption unit, configured to decrypt with the predetermined decryption algorithm to obtain the USB device control list;
a computing unit, configured to process the hardware descriptor with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device;
an enumerating unit, configured to enumerate the corresponding values in the decrypted USB device control list held by the filter driver, computed by the preset algorithm from the hardware descriptors of the USB devices that are not permitted to be used;
a determination unit, configured to determine that the USB device is an illegitimate device if a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values, and otherwise to determine that the USB device is a legitimate device.
The verification data is specifically the hardware descriptor of the USB device; the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of the USB devices that are permitted to be used;
accordingly, the authentication device specifically comprises:
a receiving module, configured to receive the hardware descriptor of the USB device sent by the filter driver via the USB bus driver;
a computing module, configured to process, within the authentication device, the hardware descriptor with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device;
an enumerating module, configured to enumerate the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of the permitted USB devices;
a judging module, configured to determine whether a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values;
a sending module, configured to send the determination result to the filter driver;
accordingly, the filter driver of the computer further comprises:
a determination unit, configured to determine that the USB device is legitimate when the determination result is that such a value exists, and to determine that the USB device is an illegitimate device when the determination result is that no such value exists.
The verification data is specifically the hardware descriptor of the USB device; the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of the USB devices that are not permitted to be used;
accordingly, the authentication device specifically comprises:
a receiving module, configured to receive the hardware descriptor of the USB device sent by the filter driver via the USB bus driver;
a computing module, configured to process, within the authentication device, the hardware descriptor with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device;
an enumerating module, configured to enumerate the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of the USB devices that are not permitted to be used;
a judging module, configured to determine whether a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values;
a sending module, configured to send the determination result to the filter driver;
accordingly, the filter driver of the computer further comprises:
a determination unit, configured to determine that the USB device is an illegitimate device when the determination result is that such a value exists, and to determine that the USB device is a legitimate device when the determination result is that no such value exists.
A system for controlling a computer's access to USB devices, the system comprising: a computer, a USB device and an authentication device;
the computer comprises a loading module, a connection module and a filter driver;
the loading module is configured to load the filter driver;
the connection module is configured to connect the USB device to the computer;
the filter driver comprises:
a judging unit, configured to determine whether an authentication device is connected to the computer;
an interception unit, configured to, when the result of the judging unit is yes, intercept the interaction data between the PnP manager of the computer and the USB bus driver;
a verification unit, configured to jointly verify with the authentication device, according to the verification data in the interaction data intercepted by the interception unit, whether the USB device is a legitimate device, the authentication device having a preset USB device control list;
a sending unit, configured to, when the verification result of the verification unit is that the USB device is a legitimate device, send the connection relationship data of the USB device contained in the interaction data to the PnP manager and save that connection relationship data; and, when the USB device is an illegitimate device, send the connection relationship data last saved in the filter driver to the PnP manager;
a default verification unit, configured to, when the result of the judging unit is no, verify according to the preset default access control list whether the USB device is a default-access device;
accordingly, the sending unit is further configured to, when the result of the default verification unit is that the USB device is a default-access device, send the default access control list to the PnP manager; and, when the result of the default verification unit is that the USB device is a non-default-access device, send emptied connection relationship data to the PnP manager.
The judging unit comprises:
a sending subunit, configured to send a private command to the device object pointers of all USB devices connected to the computer, the device object pointers having been created by the USB bus driver when each USB device was connected to the computer;
a receiving subunit, configured to receive the value returned by each device object pointer;
a judgment subunit, configured to determine whether the returned value matches the value preset in the filter driver;
if it matches, the result is yes;
if it does not match, the result is no.
The interception unit specifically comprises:
a first interception subunit, configured to intercept the data request packet issued by the PnP manager of the computer;
a first forwarding subunit, configured to forward the data request packet to the USB bus driver;
a second interception subunit, configured to intercept the connection relationship data of the USB device returned by the USB bus driver.
The verification data is specifically the hardware descriptor of the USB device; the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of the USB devices that are permitted to be used;
accordingly, the authentication device specifically comprises:
a receiving module, configured to receive the hardware descriptor of the USB device sent by the filter driver via the USB bus driver;
a computing module, configured to process, within the authentication device, the hardware descriptor with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device;
an enumerating module, configured to enumerate the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of the permitted USB devices;
an authentication module, configured to authenticate the USB device as legitimate if a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values, and otherwise to authenticate the USB device as an illegitimate device.
The verification data is specifically the hardware descriptor of the USB device; the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of the USB devices that are not permitted to be used;
accordingly, the authentication device specifically comprises:
a receiving module, configured to receive the hardware descriptor of the USB device sent by the filter driver via the USB bus driver;
a computing module, configured to process, within the authentication device, the hardware descriptor with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device;
an enumerating module, configured to enumerate the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of the USB devices that are not permitted to be used;
an authentication module, configured to authenticate the USB device as an illegitimate device if a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values, and otherwise to authenticate the USB device as a legitimate device.
The authentication data is specifically the hardware descriptor of the USB device; the USB-device control list stores the corresponding values, calculated with a preset algorithm, of the hardware descriptors of USB devices that may legitimately be used;
Accordingly, the authenticating device specifically comprises:
A receiving module, configured to receive the list acquisition message sent by the filter driver;
An encrypting and sending module, configured to encrypt the USB-device control list with a predetermined encryption algorithm and send it to the filter driver;
The filter driver of the computer further comprises:
A decrypting unit, configured to decrypt with a predetermined decryption algorithm to obtain the USB-device control list;
A computing unit, configured to calculate the hardware descriptor with the preset algorithm, obtaining the corresponding value of the hardware descriptor of the USB device;
An enumerating unit, configured to enumerate the corresponding values, calculated with the preset algorithm, of the hardware descriptors of the legitimately usable USB devices in the USB-device control list obtained by decryption in the filter driver;
A judging unit, configured to judge the USB device to be a legitimate device if a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values; otherwise, to judge the USB device to be an illegitimate device.
The authentication data is specifically the hardware descriptor of the USB device; the USB-device control list stores the corresponding values, calculated with a preset algorithm, of the hardware descriptors of USB devices that may not be used;
Accordingly, the authenticating device specifically comprises:
A receiving module, configured to receive the list acquisition message sent by the filter driver;
An encrypting and sending module, configured to encrypt the USB-device control list with a predetermined encryption algorithm and send it to the filter driver;
The filter driver of the computer further comprises:
A decrypting unit, configured to decrypt with a predetermined decryption algorithm to obtain the USB-device control list;
A computing unit, configured to calculate the hardware descriptor with the preset algorithm, obtaining the corresponding value of the hardware descriptor of the USB device;
An enumerating unit, configured to enumerate the corresponding values, calculated with the preset algorithm, of the hardware descriptors of the unusable USB devices in the USB-device control list obtained by decryption in the filter driver;
A judging unit, configured to judge the USB device to be an illegitimate device if a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values; otherwise, to judge the USB device to be a legitimate device.
The authentication data is specifically the hardware descriptor of the USB device; the USB-device control list stores the corresponding values, calculated with a preset algorithm, of the hardware descriptors of USB devices that may legitimately be used;
Accordingly, the authenticating device specifically comprises:
A receiving module, configured to receive the hardware descriptor of the USB device sent by the filter driver through the USB bus driver;
A computing module, configured to calculate, inside the authenticating device, the hardware descriptor with the preset algorithm, obtaining the corresponding value of the hardware descriptor of the USB device;
An enumerating module, configured to enumerate the corresponding values, calculated with the preset algorithm, of the hardware descriptors of the legitimately usable USB devices stored in the USB-device control list;
A judging module, configured to judge whether a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values;
A sending module, configured to send the judgment result to the filter driver;
Accordingly, the filter driver of the computer further comprises:
A judging unit, configured to judge the USB device to be a legitimate device when the judgment result is that such a value exists, and to judge the USB device to be an illegitimate device when the judgment result is that no such value exists.
The authentication data is specifically the hardware descriptor of the USB device; the USB-device control list stores the corresponding values, calculated with a preset algorithm, of the hardware descriptors of USB devices that may not be used;
Accordingly, the authenticating device specifically comprises:
A receiving module, configured to receive the hardware descriptor of the USB device sent by the filter driver through the USB bus driver;
A computing module, configured to calculate, inside the authenticating device, the hardware descriptor with the preset algorithm, obtaining the corresponding value of the hardware descriptor of the USB device;
An enumerating module, configured to enumerate the corresponding values, calculated with the preset algorithm, of the hardware descriptors of the unusable USB devices stored in the USB-device control list;
A judging module, configured to judge whether a value equal to the corresponding value of the hardware descriptor of the USB device exists among the enumerated corresponding values;
A sending module, configured to send the judgment result to the filter driver;
Accordingly, the filter driver of the computer further comprises:
A judging unit, configured to judge the USB device to be an illegitimate device when the judgment result is that such a value exists, and to judge the USB device to be a legitimate device when the judgment result is that no such value exists.
The default access control list is used to store the default-access devices that may access the computer by default;
Accordingly, the default verification unit specifically comprises:
A first subunit, configured to make the result of the default verification unit "the USB device is a default-access device" when the USB device exists in the default access control list;
A second subunit, configured to make the result of the default verification unit "the USB device is not a default-access device" when the USB device does not exist in the default access control list.
The default access control list is used to store the default-access devices that may not access the computer by default;
Accordingly, the default verification unit specifically comprises:
A first subunit, configured to make the result of the default verification unit "the USB device is not a default-access device" when the USB device exists in the default access control list;
A second subunit, configured to make the result of the default verification unit "the USB device is a default-access device" when the USB device does not exist in the default access control list.
The beneficial effects of the technical solution provided by the invention are:
A filter driver with a preset default access control list and an authenticating device with a preset USB-device control list jointly authenticate the legitimacy of a USB device connected to the computer, thereby controlling the computer's access to the USB device and solving the problem of insecurity in the interaction between the USB device and the computer.
Embodiments
To make the purpose, technical solution and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Embodiment 1
This embodiment provides a control method for a computer accessing a USB device. Referring to Fig. 1, which shows the signal flow of the control method, the signal flow of each step is explained in detail below:
101: when a USB device is inserted into a USB port of the computer, the USB controller of the computer generates an interrupt and sends it to the USB bus driver;
102: the USB bus driver responds to the interrupt and calls the invalidate-device-relations function of the plug-and-play manager in the device management component of the operating system;
103: the plug-and-play manager in the device management component of the operating system sends a data packet (an I/O request packet) to the USB bus driver; in this process, the filter driver loaded by the computer intercepts the I/O request packet and forwards it to the USB bus driver;
104: the filter driver intercepts the data returned by the USB bus driver (the USB device connection relation data);
105: according to the authentication data in the returned data, the filter driver and the authenticating device jointly verify whether the USB device is a legitimate device;
106: when the USB device is a legitimate device, the filter driver sends the connection relations of the USB device to the plug-and-play manager and saves the connection relations; when the USB device is an illegitimate device, the filter driver sends the last saved legal connection relations to the plug-and-play manager.
It should be noted here that the filter driver can also judge, according to its built-in default access control list, whether the USB device is a default-access device. When the USB device is a default-access device, the filter driver sends the last saved connection relation data to the plug-and-play manager of the computer.
Here, the connection relations of a USB device are specifically the connection relation data of the USB device; the connection relations of all USB devices mentioned below are likewise the connection relation data of the USB device, which is not repeated.
The flow of the control method for a computer accessing a USB device provided by this embodiment is described in detail below with reference to Fig. 2. The method specifically comprises:
Step 201: the computer loads the filter driver;
It should be noted that a filter driver is mainly based on the layered model of the WDM (Windows Driver Model). In this layered model there are at least two drivers for a hardware device, namely the function driver and the bus driver. The function driver implements the concrete functions of the device. A device may also have an additional filter driver layer, used to change the behaviour of the standard device driver. The drivers serving the same device form a device stack. In the device stack, a filter driver is attached above or below the function driver, intercepts the corresponding IRPs (I/O Request Packets) and processes them accordingly, so as to change the behaviour of the device or add new functions. A filter driver handles only the I/O requests it is concerned with and leaves the others untouched, so the behaviour of the device can be changed very flexibly; IRPs are passed down and returned along a fixed sequence. Therefore, a filter driver can inspect, modify and complete the IRPs it captures, or construct its own IRPs.
The filter driver loaded by the computer in this embodiment is an upper filter driver of the USB bus driver, loaded between the plug-and-play manager (PnP Manager) of the computer and the USB bus driver.
Step 202: a USB device is connected to a USB port of the computer; the USB bus driver in the computer creates a device object pointer PDO (Physical Device Object) for the connected USB device and stores the device object pointer;
Here, the USB device may specifically be a USB flash disk type storage device, a keyboard or mouse type HID (Human Input Device) device, or another smart USB device.
Specifically, when the USB device is connected to a USB port of the computer, the USB controller generates a hardware interrupt; the USB bus driver then responds to the hardware interrupt, creates a device object pointer for the newly connected USB device and stores it in the memory of the computer. One or more USB devices may be connected in this embodiment, and the USB bus driver creates a device object pointer PDO for each connected USB device.
Step 203: the filter driver loaded in step 201 sends a private command to the device object pointer of each USB device created by the USB bus driver, and judges whether the value returned by each device object pointer matches the value preset in the filter driver;
If so, the filter driver judges that an authenticating device has been inserted into a USB port of the computer, and step 204 is executed;
If not, the filter driver judges that no authenticating device has been inserted into a USB port of the computer, and step 215 or 216 is executed.
In practical applications, the filter driver may instead obtain the hardware descriptor of each USB device inserted into a USB port and judge whether the hardware descriptor of each USB device matches the hardware descriptor of the authenticating device preset in the filter driver; if so, the filter driver judges that an authenticating device has been inserted into a USB port of the computer; if not, the filter driver judges that no authenticating device has been inserted into a USB port of the computer. The process by which the filter driver obtains the hardware descriptor of a USB device is the same as the process of obtaining the hardware descriptor of a newly connected USB device described below, and is not repeated here.
It should be noted here that the authenticating device is a smart USB device in which a USB-device control list is preset. The USB-device control list stores the corresponding values, calculated with a preset algorithm, of the hardware descriptors of USB devices that may legitimately be used, and is used in the subsequent process to judge whether a USB device inserted into a USB port is legitimate. Of course, the USB-device control list in the authenticating device may instead store the corresponding values, calculated with the preset algorithm, of the hardware descriptors of USB devices that may not be used, which serves equally to judge in the subsequent process whether a USB device inserted into a USB port is legitimate.
In this embodiment, a USB device inserted into a USB port of the computer escapes being filtered out by the filter driver only after the filter driver and the authenticating device have confirmed that it is legitimate; therefore, when no authenticating device is inserted into a USB port, all USB devices are filtered out by the filter driver. The specific implementation is: a USB device is inserted into a USB port; the PnP manager of the computer issues an I/O request packet IRP (IRP_QUERY_BUS_RELATIONS); the filter driver intercepts this IRP and forwards it to the USB bus driver; after the USB bus driver returns the USB device connection relations according to the received IRP, the filter driver intercepts the USB device connection relations, empties them, and returns the empty USB device connection relations to the PnP manager (for the specific implementation see step 215 of the embodiment of the invention), so that all USB devices inserted into USB ports of the computer are filtered out and cannot be used. Optionally, when no authenticating device is inserted into a USB port, whether a USB device is filtered out by the filter driver can also depend on whether it is a default-access device; for the specific implementation see step 216 of the embodiment of the invention.
Step 204: the plug-and-play manager of the computer issues a data packet requesting the USB bus to confirm the connection relations of the USB devices inserted into the USB ports;
Specifically, the PnP manager in the computer issues an I/O request packet IRP requesting the USB bus driver to confirm the connection relations of the USB devices inserted into its USB ports.
Here, when a USB device is inserted into a USB port, the USB controller generates a hardware interrupt; the USB bus driver then responds to the interrupt, creates a device object pointer PDO for the newly inserted USB device and stores it in the memory of the computer; the USB bus driver immediately calls the invalidate-device-relations function IoInvalidateDeviceRelations provided by the PnP manager, and the plug-and-play manager (PnP manager) then sends an I/O request packet IRP (IRP_QUERY_BUS_RELATIONS) to the USB bus driver.
Step 205: the filter driver intercepts the above I/O request packet IRP, forwards it to the USB bus driver, and intercepts the confirmed USB device connection relations returned by the USB bus driver;
Specifically, the filter driver (that is, the upper filter driver of the USB bus driver) forwards the I/O request packet IRP (IRP_QUERY_BUS_RELATIONS) issued by the plug-and-play manager (PnP manager) to the USB bus driver and, after the USB bus driver has received the IRP and returned the USB device connection relations, intercepts the USB device connection relations.
Step 206: the filter driver judges, according to the intercepted USB device connection relations, whether a USB device has newly been connected to a USB port;
If so, step 207 is executed;
If not, the intercepted USB device connection relations are returned directly to the plug-and-play manager.
Specifically, after the upper filter driver of the USB bus driver intercepts the USB device connection relations returned by the USB bus driver, it compares the intercepted USB device connection relations with the USB device connection relations on the USB bus that it saved last time, and judges whether a USB device has newly been connected to a USB port. The filter driver stores the USB device connection relations it intercepted last time, and empties them when the computer shuts down.
The specific judging process can be as follows:
Suppose the USB device connection relations intercepted by the upper filter driver of the USB bus driver are as shown in Fig. 3, and the USB device connection relations on the USB bus stored by the upper filter driver are as shown in Fig. 4; then the filter driver judges that USB device 3 (a USB flash disk) has newly been connected to a USB port;
Suppose the USB device connection relations intercepted by the upper filter driver of the USB bus driver are as shown in Fig. 3, and the USB device connection relations on the USB bus stored by the upper filter driver are as shown in Fig. 5; then the filter driver judges that no USB device has newly been connected to a USB port.
When it judges that no USB device has newly been connected to a USB port, the filter driver returns the intercepted USB device connection relations directly to the plug-and-play manager (PnP manager) in the form of an I/O request packet IRP.
Step 207: the filter driver sends a request to the USB bus driver to obtain the hardware descriptor information of the USB device newly connected to the USB port;
Specifically, the upper filter driver of the USB bus driver takes, from the USB device connection relations it obtained, the device object pointer of the USB device newly connected to the USB port (that is, the PDO created by the USB bus driver in step 202) and, with this pointer as parameter, sends the get-device-descriptor function Get_Device_Descriptor to the USB bus driver; the USB bus driver receives the PDO parameter and, after executing the Get_Device_Descriptor function, sends the hardware descriptor of the USB device newly connected to the USB port to the filter driver.
Continuing the example of step 206, the USB device newly connected to the USB port is device 3 (the USB flash disk).
Step 208: the filter driver receives the hardware descriptor, and sends the hardware descriptor together with the device object pointer of the authenticating device to the USB bus driver;
The specific process is the same as in step 207 and is not repeated here.
Step 209: the USB bus driver receives the hardware descriptor and the device object pointer of the authenticating device, finds the authenticating device on its USB bus according to the device object pointer, and sends the hardware descriptor to the authenticating device;
Step 210: the authenticating device uses the preset algorithm it stores to calculate the received hardware descriptor and obtain the corresponding value;
Specifically, the process of calculating the received hardware descriptor to obtain the corresponding value is carried out inside the authenticating device; the preset algorithm of the authenticating device may be the MD5 (Message Digest 5) algorithm, a hash algorithm, or another hashing algorithm such as HMAC (Hash Message Authentication Code).
Step 211: the authenticating device enumerates the values in its preset USB-device control list and searches for a value equal to the corresponding value calculated in step 210;
If one exists, the USB device is a legitimate device, is not filtered out by the filter driver, and the computer may be allowed to access it; step 212 is executed;
If not, step 214 is executed;
Step 212: the filter driver receives the information sent by the authenticating device that the USB device is legitimate, and then returns the intercepted USB device connection relations to the plug-and-play manager;
Step 213: the USB device is not filtered out by the filter driver, can be recognised by the computer system, and the computer is allowed to access the USB device;
It should be noted that in actual operation, even if the computer is allowed to access the USB device, this does not mean that the computer can actually access the USB device. The main reason is, as stated in step 201, that "there are at least two drivers for a hardware device, namely the function driver and the bus driver", and this embodiment does not cover the function driver. When the computer is allowed to access a USB device, only a USB device whose function driver is installed on the computer can exchange information with the computer; for a USB device whose function driver is not installed on the computer, even if the computer is allowed to access it, the computer still cannot access the USB device.
Step 214: the filter driver receives the information sent by the authenticating device that the USB device is illegitimate, and then returns the last saved legal USB device connection relations to the plug-and-play manager.
Specifically, the upper filter driver of the USB bus driver returns the USB device connection relations it saved to the plug-and-play manager (PnP manager) through the I/O request packet IRP (IRP_QUERY_BUS_RELATIONS), so that the PnP manager believes that no USB device has newly been connected to a USB port; the USB device newly connected to the USB port is thus filtered out, cannot be recognised by the computer system, and cannot be operated by the computer.
Step 215: the filter driver empties the connection relations of the USB device and returns the empty USB device connection relations to the plug-and-play manager (PnP manager);
Step 216: the filter driver verifies, according to its preset default access control list, whether the USB device is a default-access device.
When the USB device is a default-access device, the filter driver sends the connection relation data of the USB device to the plug-and-play manager of the computer;
When the USB device is not a default-access device, the filter driver sends the emptied connection relation data to the plug-and-play manager of the computer.
It should be noted here that the default access control list may store a white list of default-access devices, or a black list of default-access devices.
When the default access control list stores the list of devices that may access the computer by default (a white list), the judgment result of step 216 is specifically as follows:
When the USB device exists in the default access control list, the USB device is a default-access device;
When the USB device does not exist in the default access control list, the USB device is not a default-access device.
Alternatively, when the default access control list stores the list of devices that may not access the computer by default (a black list), the judgment result of step 216 is specifically as follows:
When the USB device exists in the default access control list, the USB device is not a default-access device;
When the USB device does not exist in the default access control list, the USB device is a default-access device.
It should be noted that in this embodiment, when a USB device is pulled out of a USB port, if the USB device is the authenticating device, then after the USB controller generates a hardware interrupt, the device object pointer PDO created for it by the USB bus driver is deleted; after the filter driver subsequently intercepts the USB device connection relations returned by the USB bus driver and learns by comparison that the authenticating device has been pulled out, the filter driver either empties the USB device connection relations and returns the empty USB device connection relations to the PnP manager, so that all USB devices inserted into USB ports of the computer are filtered out and cannot be used, or judges by means of the default access control list whether each inserted USB device is a default-access device, returning the USB device connection relations to the PnP manager if so and returning the emptied USB device connection relations to the PnP manager if not; the method is the same as above and is not repeated. If the USB device is a USB device other than the authenticating device, then after the USB controller generates a hardware interrupt, the device object pointer PDO created for it by the USB bus driver is deleted; after the filter driver subsequently intercepts the USB device connection relations returned by the USB bus driver and learns by comparison that the USB device has been pulled out, it returns the USB device connection relations with the pulled-out USB device removed to the PnP manager.
In summary, steps 201 to 215 or 216 have described in detail the control method by which a computer accesses a USB device.
Alternatively, steps 209 to 214 may be replaced by the following steps:
Step 209': the USB bus driver receives the hardware descriptor and the device object pointer of the authenticating device, finds the authenticating device on its USB bus according to the device object pointer, and sends a list acquisition message to the authenticating device;
Step 210': the authenticating device receives the list acquisition message sent by the USB bus driver, encrypts the USB-device control list preset inside the authenticating device with the agreed encryption algorithm, and sends it to the USB bus driver;
Step 211': the filter driver intercepts the encrypted USB-device control list, decrypts it with the agreed decryption algorithm, and obtains the USB-device control list;
Step 212': the filter driver uses the preset algorithm it stores to calculate the hardware descriptor received in step 208 and obtain the corresponding value;
Step 213': the filter driver enumerates the values in the USB-device control list and searches for a value equal to the corresponding value calculated in step 212';
If one exists, the USB device is a legitimate device, is not filtered out by the filter driver, and the computer may be allowed to access it; step 214' is executed;
If not, the USB device is an illegitimate device, is filtered out by the filter driver, and the computer is not allowed to access it; step 216' is executed;
Step 214': the filter driver returns the intercepted USB device connection relations to the plug-and-play manager;
Step 215': the USB device is not filtered out by the filter driver, can be recognised by the computer system, and the computer is allowed to access the USB device;
Step 216': the filter driver returns the last saved legal USB device connection relations to the plug-and-play manager.
As a further alternative, steps 211 to 214 may be replaced by the following steps:
Step 211": the authenticating device enumerates the values in its preset USB-device control list and searches for a value equal to the corresponding value calculated in step 210;
If one exists, step 212" is executed;
If not, step 214" is executed;
Step 212": the filter driver judges that the newly connected USB device is a legitimate USB device, and then returns the intercepted USB device connection relations to the plug-and-play manager;
Step 213": the USB device is not filtered out by the filter driver, can be recognised by the computer system, and the computer is allowed to access the USB device;
Step 214": the filter driver judges that the USB device is an illegitimate USB device, and then returns its last saved legal USB device connection relations to the plug-and-play manager.
It should further be noted that this embodiment takes as its example the case in which the USB-device control list preset in the authenticating device stores the legitimately usable USB devices; the case in which the USB-device control list stores the USB devices that may not be used is not described in detail, since a person skilled in the art can derive the operating procedure of the method in that case without creative labour, so it is not repeated here.
Regarding the USB-device control list preset in the authenticating device, this embodiment notes that a legitimate user of the authenticating device can modify the preset USB-device control list in the authenticating device, including operations such as adding and deleting entries of the USB-device control list.
When the administrator wishes to add a new legal USB device to the USB device control list preset in the authenticating device, referring to Fig. 6, the adding process comprises:
Step 601: the hardware descriptor of the new legal USB device to be added is sent to the authenticating device;
Step 602: the authenticating device computes the corresponding value of the hardware descriptor using its stored preset algorithm;
Here, the computation of this step is performed inside the authenticating device, and the preset algorithm of the authenticating device is the MD5 (Message Digest 5) algorithm, a hash algorithm, or another digest algorithm.
Step 603: the computed value is written at the end of the USB device control list preset in the authenticating device.
When the administrator wishes to delete a USB device from the USB device control list preset in the authenticating device, referring to Fig. 7, the deleting process comprises:
Step 701: the hardware descriptor of the USB device to be deleted is sent to the authenticating device;
Step 702: the authenticating device computes the corresponding value of the hardware descriptor using its stored preset algorithm;
Here, the computation of this step is performed inside the authenticating device, and the preset algorithm of the authenticating device is the MD5 (Message Digest 5) algorithm, a hash algorithm, or another digest algorithm.
Step 703: the authenticating device enumerates the values in its preset USB device control list, finds the value equal to the value computed in step 702, and deletes that value from the USB device control list.
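The list maintenance of steps 601 to 603 and 701 to 703, together with the lookup of step 211", as an added example in Python that is not part of the patent: it models the authenticating device as storing only digests of hardware descriptors, uses MD5 as the preset algorithm because the text names it (any digest can be substituted), and supports both list semantics the embodiment mentions, a list of devices that may legally be used and a list of devices that may not be used. The descriptor strings, class name and method names are constructed for the example.

```python
import hashlib
from typing import List

# Constructed sample hardware descriptors for the example (not values from the patent).
SAMPLE_DESCRIPTORS = {
    "usb-key-1": "VID_1234&PID_5678&SN_000001",
    "usb-key-2": "VID_1234&PID_5678&SN_000002",
    "unknown": "VID_DEAD&PID_BEEF&SN_999999",
}


def preset_algorithm(hardware_descriptor: str) -> str:
    """The authenticating device's preset algorithm. The text names MD5 or another
    hash; MD5 is used here only to match the text and can be swapped for any digest."""
    return hashlib.md5(hardware_descriptor.encode("utf-8")).hexdigest()


class AuthenticatingDevice:
    """Model of the authenticating device (constructed for this example).

    It keeps a USB device control list holding digests of hardware descriptors,
    never the descriptors themselves. list_mode selects the two semantics the
    embodiment describes: "allow" (devices that may legally be used) or
    "deny" (devices that may not be used).
    """

    def __init__(self, list_mode: str = "allow") -> None:
        if list_mode not in ("allow", "deny"):
            raise ValueError("list_mode must be 'allow' or 'deny'")
        self.list_mode = list_mode
        self.control_list: List[str] = []  # the preset USB device control list

    def add_device(self, hardware_descriptor: str) -> None:
        """Steps 601-603: compute the value inside the device and append it."""
        value = preset_algorithm(hardware_descriptor)  # step 602
        if value not in self.control_list:
            self.control_list.append(value)  # step 603: written at the end of the list

    def delete_device(self, hardware_descriptor: str) -> bool:
        """Steps 701-703: compute the value, find the equal entry, delete it.
        Returns False if no equal entry was present."""
        value = preset_algorithm(hardware_descriptor)  # step 702
        for entry in list(self.control_list):  # step 703: enumerate the list
            if entry == value:
                self.control_list.remove(entry)
                return True
        return False

    def verify(self, hardware_descriptor: str) -> bool:
        """Step 211": enumerate the list and look for a value equal to the one
        computed for the newly connected device. Whether a hit means legal or
        illegal depends on whether the list is an allow list or a deny list."""
        value = preset_algorithm(hardware_descriptor)
        found = any(entry == value for entry in self.control_list)
        return found if self.list_mode == "allow" else not found
```

Storing digests keeps the plain descriptors of authorized devices from being read directly off the authenticating device, but the list identifies a device only as strongly as the descriptor it hashes: two devices presenting the same descriptor hash to the same entry, so the scheme controls which descriptors are accepted rather than proving which physical device is present.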
The embodiment of the invention provides a method for controlling access by a computer to a USB device: the filter driver, which holds a preset default access control list, and the authenticating device, which holds a preset USB device control list, jointly authenticate the legitimacy of a USB device connected to the computer, thereby controlling the computer's access to the USB device and solving the security problems in the interaction between USB devices and computers.
Embodiment 2
The present embodiment provides a system for controlling access by a computer to a USB device; as shown in Fig. 8, and with reference to the method provided in method embodiment 1, the system comprises: a computer 801, a USB device 802 and an authenticating device 803;
The computer 801 comprises a loading module 801A, a connecting module 801B and a filter driver 801C;
The loading module 801A is used to load the filter driver 801C;
The connecting module 801B is used to connect the USB device 802 to the computer 801;
The filter driver 801C comprises:
a judging unit, used to judge whether the authenticating device 803 is connected to the computer 801, the authenticating device 803 storing a USB device control list;
an interception unit, used, when the judgment result of the judging unit is yes, to intercept the interaction data between the plug and play manager of the computer 801 and the USB bus driver;
an authentication unit, used to complete, jointly with the authenticating device 803 and according to the verification data in the interaction data intercepted by the interception unit, the verification of whether the USB device 802 is a legal device, the authenticating device 803 having a preset USB device control list;
a sending unit, used, when the verification result of the authentication unit is that the USB device 802 is a legal device, to send the connection relationship data of the USB device 802 in the interaction data to the plug and play manager and to save the connection relationship data; and, when the USB device 802 is an illegal device, to send the connection relationship data last saved in the filter driver to the plug and play manager;
the sending unit is further used, when the judgment result of the judging unit is no, to send emptied connection relationship data to the plug and play manager.
Further, the judging unit comprises:
a sending subunit, used to send a private command to the device object pointers of all USB devices connected to the computer 801, the device object pointers being created by the USB bus driver when the USB devices are connected to the computer 801;
a receiving subunit, used to receive the value returned by the device object pointers;
a judgment subunit, used to judge whether the returned value matches the value preset in the filter driver;
if it matches, the judgment result is yes;
if it does not match, the judgment result is no.
Further, the interception unit specifically comprises:
a first interception subunit, used to intercept the data request packet issued by the plug and play manager of the computer 801;
a first forwarding subunit, used to forward the data request packet to the USB bus driver;
a second interception subunit, used to intercept the connection relationship data of the USB device 802 returned by the USB bus driver.
The verification data is specifically the hardware descriptor of the USB device 802; what the USB device control list stores are the corresponding values computed by the preset algorithm from the hardware descriptors of USB devices that may legally be used;
Accordingly, the authenticating device 803 specifically comprises:
a receiving module, used to receive the hardware descriptor of the USB device 802 sent by the filter driver via the USB bus driver;
a computing module, used to compute, inside the authenticating device 803 and with the preset algorithm, the corresponding value of the hardware descriptor of the USB device 802;
an enumerating module, used to enumerate the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of USB devices that may legally be used;
an authentication module, used to authenticate the USB device 802 as a legal device if a value equal to the corresponding value of the hardware descriptor of the USB device 802 exists among the enumerated corresponding values, and otherwise to authenticate the USB device 802 as an illegal device.
The verification data is specifically the hardware descriptor of the USB device 802; what the USB device control list stores are the corresponding values computed by the preset algorithm from the hardware descriptors of USB devices that may not be used;
Accordingly, the authenticating device 803 specifically comprises:
a receiving module, used to receive the hardware descriptor of the USB device 802 sent by the filter driver via the USB bus driver;
a computing module, used to compute, inside the authenticating device 803 and with the preset algorithm, the corresponding value of the hardware descriptor of the USB device 802;
an enumerating module, used to enumerate the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of USB devices that may not be used;
an authentication module, used to authenticate the USB device 802 as an illegal device if a value equal to the corresponding value of the hardware descriptor of the USB device 802 exists among the enumerated corresponding values, and otherwise to authenticate the USB device 802 as a legal device.
The verification data is specifically the hardware descriptor of the USB device 802; the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of USB devices that may legally be used;
Accordingly, the authenticating device 803 specifically comprises:
a receiving module, used to receive the list acquisition message sent by the filter driver;
an encrypting and sending module, used to encrypt the USB device control list with a predetermined encryption algorithm and send it to the filter driver;
The filter driver of the computer 801 further comprises:
a decryption unit, used to decrypt with a predetermined decryption algorithm to obtain the USB device control list;
a computing unit, used to compute the hardware descriptor with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device 802;
an enumerating unit, used to enumerate the corresponding values, computed by the preset algorithm from the hardware descriptors of USB devices that may legally be used, in the USB device control list obtained by the filter driver's decryption;
a determining unit, used to determine that the USB device 802 is a legal device if a value equal to the corresponding value of the hardware descriptor of the USB device 802 exists among the enumerated corresponding values, and otherwise to determine that the USB device 802 is an illegal device.
The verification data is specifically the hardware descriptor of the USB device 802; the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of USB devices that may not be used;
Accordingly, the authenticating device 803 specifically comprises:
a receiving module, used to receive the list acquisition message sent by the filter driver;
an encrypting and sending module, used to encrypt the USB device control list with a predetermined encryption algorithm and send it to the filter driver;
The filter driver of the computer 801 further comprises:
a decryption unit, used to decrypt with a predetermined decryption algorithm to obtain the USB device control list;
a computing unit, used to compute the hardware descriptor with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device 802;
an enumerating unit, used to enumerate the corresponding values, computed by the preset algorithm from the hardware descriptors of USB devices that may not be used, in the USB device control list obtained by the filter driver's decryption;
a determining unit, used to determine that the USB device 802 is an illegal device if a value equal to the corresponding value of the hardware descriptor of the USB device 802 exists among the enumerated corresponding values, and otherwise to determine that the USB device 802 is a legal device.
The verification data is specifically the hardware descriptor of the USB device 802; the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of USB devices that may legally be used;
Accordingly, the authenticating device 803 specifically comprises:
a receiving module, used to receive the hardware descriptor of the USB device 802 sent by the filter driver via the USB bus driver;
a computing module, used to compute, inside the authenticating device 803 and with the preset algorithm, the corresponding value of the hardware descriptor of the USB device 802;
an enumerating module, used to enumerate the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of USB devices that may legally be used;
a judging module, used to judge whether a value equal to the corresponding value of the hardware descriptor of the USB device 802 exists among the enumerated corresponding values;
a sending module, used to send the judgment result to the filter driver;
Accordingly, the filter driver of the computer 801 further comprises:
a determining unit, used to determine that the USB device 802 is legal when the judgment result is that such a value exists, and to determine that the USB device 802 is an illegal device when the judgment result is that no such value exists.
The verification data is specifically the hardware descriptor of the USB device 802; the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of USB devices that may not be used;
Accordingly, the authenticating device 803 specifically comprises:
a receiving module, used to receive the hardware descriptor of the USB device 802 sent by the filter driver via the USB bus driver;
a computing module, used to compute, inside the authenticating device 803 and with the preset algorithm, the corresponding value of the hardware descriptor of the USB device 802;
an enumerating module, used to enumerate the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of USB devices that may not be used;
a judging module, used to judge whether a value equal to the corresponding value of the hardware descriptor of the USB device 802 exists among the enumerated corresponding values;
a sending module, used to send the judgment result to the filter driver;
Accordingly, the filter driver of the computer 801 further comprises:
a determining unit, used to determine that the USB device 802 is an illegal device when the judgment result is that such a value exists, and to determine that the USB device 802 is a legal device when the judgment result is that no such value exists.
The embodiment of the invention provides a system for controlling access by a computer to a USB device: the filter driver module, which holds a preset default access control list, and the authenticating device, which holds a preset USB device control list, jointly authenticate the legitimacy of a USB device connected to the computer, thereby controlling the computer's access to the USB device and solving the security problems in the interaction between USB devices and computers.
Embodiment 3
The present embodiment provides a system for controlling access by a computer to a USB device; as shown in Fig. 9, and with reference to the method provided in the method embodiment, the system comprises: a computer 901, a USB device 902 and an authenticating device 903;
The computer 901 comprises a loading module 901A, a connecting module 901B and a filter driver 901C;
The loading module 901A is used to load the filter driver 901C;
The connecting module 901B is used to connect the USB device 902 to the computer 901;
The filter driver 901C comprises:
a judging unit, used to judge whether the authenticating device 903 is connected to the computer 901;
an interception unit, used, when the judgment result of the judging unit is yes, to intercept the interaction data between the plug and play manager of the computer 901 and the USB bus driver;
an authentication unit, used to complete, jointly with the authenticating device 903 and according to the verification data in the interaction data intercepted by the interception unit, the verification of whether the USB device 902 is a legal device, the authenticating device 903 having a preset USB device control list;
a sending unit, used, when the verification result of the authentication unit is that the USB device 902 is a legal device, to send the connection relationship data of the USB device 902 in the interaction data to the plug and play manager and to save the connection relationship data; and, when the USB device 902 is an illegal device, to send the connection relationship data last saved in the filter driver 901C to the plug and play manager;
a default authentication unit, used, when the judgment result of the judging unit is no, to verify according to the preset default access control list whether the USB device 902 is a default access device;
Accordingly, the sending unit is further used, when the result of the default authentication unit is that the USB device is a default access device, to send the default access control list to the plug and play manager; and, when the result of the default authentication unit is that the USB device is a non-default access device, to send the connection relationship data emptied by the filter driver 901C to the plug and play manager.
Further, the judging unit comprises:
a sending subunit, used to send a private command to the device object pointers of all USB devices connected to the computer, the device object pointers being created by the USB bus driver when the USB device 902 is connected to the computer 901;
a receiving subunit, used to receive the value returned by the device object pointers;
a judgment subunit, used to judge whether the returned value matches the value preset in the filter driver;
if it matches, the judgment result is yes;
if it does not match, the judgment result is no.
Further, the interception unit specifically comprises:
a first interception subunit, used to intercept the data request packet issued by the plug and play manager of the computer 901;
a first forwarding subunit, used to forward the data request packet to the USB bus driver;
a second interception subunit, used to intercept the connection relationship data of the USB device 902 returned by the USB bus driver.
The verification data is specifically the hardware descriptor of the USB device 902; what the USB device control list stores are the corresponding values computed by the preset algorithm from the hardware descriptors of USB devices that may legally be used;
Accordingly, the authenticating device 903 specifically comprises:
a receiving module, used to receive the hardware descriptor of the USB device 902 sent by the filter driver via the USB bus driver;
a computing module, used to compute, inside the authenticating device 903 and with the preset algorithm, the corresponding value of the hardware descriptor of the USB device 902;
an enumerating module, used to enumerate the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of USB devices 902 that may legally be used;
an authentication module, used to authenticate the USB device 902 as legal if a value equal to the corresponding value of the hardware descriptor of the USB device 902 exists among the enumerated corresponding values, and otherwise to authenticate the USB device 902 as an illegal device.
The verification data is specifically the hardware descriptor of the USB device 902; what the USB device control list stores are the corresponding values computed by the preset algorithm from the hardware descriptors of USB devices that may not be used;
Accordingly, the authenticating device 903 specifically comprises:
a receiving module, used to receive the hardware descriptor of the USB device 902 sent by the filter driver via the USB bus driver;
a computing module, used to compute, inside the authenticating device 903 and with the preset algorithm, the corresponding value of the hardware descriptor of the USB device 902;
an enumerating module, used to enumerate the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of USB devices that may not be used;
an authentication module, used to authenticate the USB device 902 as an illegal device if a value equal to the corresponding value of the hardware descriptor of the USB device 902 exists among the enumerated corresponding values, and otherwise to authenticate the USB device 902 as a legal device.
The verification data is specifically the hardware descriptor of the USB device 902; the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of USB devices that may legally be used;
Accordingly, the authenticating device 903 specifically comprises:
a receiving module, used to receive the list acquisition message sent by the filter driver;
an encrypting and sending module, used to encrypt the USB device control list with a predetermined encryption algorithm and send it to the filter driver;
The filter driver of the computer 901 further comprises:
a decryption unit, used to decrypt with a predetermined decryption algorithm to obtain the USB device control list;
a computing unit, used to compute the hardware descriptor with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device 902;
an enumerating unit, used to enumerate the corresponding values, computed by the preset algorithm from the hardware descriptors of USB devices that may legally be used, stored in the USB device control list obtained by the filter driver's decryption;
a determining unit, used to determine that the USB device 902 is a legal device if a value equal to the corresponding value of the hardware descriptor of the USB device 902 exists among the enumerated corresponding values, and otherwise to determine that the USB device 902 is an illegal device.
The verification data is specifically the hardware descriptor of the USB device 902; the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of USB devices that may not be used;
Accordingly, the authenticating device 903 specifically comprises:
a receiving module, used to receive the list acquisition message sent by the filter driver;
an encrypting and sending module, used to encrypt the USB device control list with a predetermined encryption algorithm and send it to the filter driver;
The filter driver of the computer 901 further comprises:
a decryption unit, used to decrypt with a predetermined decryption algorithm to obtain the USB device control list;
a computing unit, used to compute the hardware descriptor with the preset algorithm to obtain the corresponding value of the hardware descriptor of the USB device 902;
an enumerating unit, used to enumerate the corresponding values, computed by the preset algorithm from the hardware descriptors of USB devices that may not be used, stored in the USB device control list obtained by the filter driver's decryption;
a determining unit, used to determine that the USB device 902 is an illegal device if a value equal to the corresponding value of the hardware descriptor of the USB device 902 exists among the enumerated corresponding values, and otherwise to determine that the USB device 902 is a legal device.
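The variants in which the authenticating device answers a list acquisition message with the encrypted USB device control list and the filter driver decrypts it and decides locally (described for Embodiment 2 with the filter driver of computer 801 and repeated above for computer 901), as an added example in Python that is not part of the patent. The patent only says "a predetermined encryption algorithm"; this example stands in for it with an HMAC-SHA256 counter-mode keystream plus an HMAC tag, so the filter driver can also reject a list that was altered in transit. The wire format, key, function names and the sample descriptors are constructed for the example; MD5 is used as the preset algorithm because the text names it.

```python
import hashlib
import hmac
import os
from typing import List, Optional


def preset_algorithm(hardware_descriptor: str) -> str:
    """Preset algorithm of the authenticating device: MD5, as named in the text (substitutable)."""
    return hashlib.md5(hardware_descriptor.encode("utf-8")).hexdigest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, the stand-in for the 'predetermined algorithm'."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_list(key: bytes, control_list: List[str]) -> bytes:
    """Authenticating device, 'encrypting and sending module'. Constructed wire
    format: nonce(16) | ciphertext | tag(32); the tag binds nonce and ciphertext."""
    plaintext = "\n".join(control_list).encode("utf-8")
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_list(key: bytes, message: bytes) -> Optional[List[str]]:
    """Filter driver, 'decryption unit'. Returns None when the tag does not
    verify, so a modified or truncated list is never consulted."""
    if len(message) < 16 + 32:
        return None
    nonce, ciphertext, tag = message[:16], message[16:-32], message[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return plaintext.decode("utf-8").split("\n") if plaintext else []


def filter_driver_determines(key: bytes, message: bytes, hardware_descriptor: str,
                             list_mode: str = "allow") -> bool:
    """Computing unit, enumerating unit and determining unit of the filter driver.
    Returns True when the USB device is determined to be a legal device; list_mode
    is "allow" (devices that may be used) or "deny" (devices that may not be used)."""
    control_list = decrypt_list(key, message)
    if control_list is None:
        return False  # undecryptable or tampered list: treat the device as illegal
    value = preset_algorithm(hardware_descriptor)
    found = any(entry == value for entry in control_list)
    return found if list_mode == "allow" else not found
```

Because the list leaves the authenticating device in this variant, the filter driver has to trust whatever it decrypts; checking a tag before use is what keeps a list rewritten on the bus from being enumerated, and failing closed on a bad tag keeps an undecryptable list from granting access in either list mode.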
The verification data is specifically the hardware descriptor of the USB device 902; the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of USB devices that may legally be used;
Accordingly, the authenticating device 903 specifically comprises:
a receiving module, used to receive the hardware descriptor of the USB device 902 sent by the filter driver via the USB bus driver;
a computing module, used to compute, inside the authenticating device 903 and with the preset algorithm, the corresponding value of the hardware descriptor of the USB device 902;
an enumerating module, used to enumerate the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of USB devices that may legally be used;
a judging module, used to judge whether a value equal to the corresponding value of the hardware descriptor of the USB device 902 exists among the enumerated corresponding values;
a sending module, used to send the judgment result to the filter driver;
Accordingly, the filter driver of the computer 901 further comprises:
a determining unit, used to determine that the USB device 902 is legal when the judgment result is that such a value exists, and to determine that the USB device 902 is an illegal device when the judgment result is that no such value exists.
The verification data is specifically the hardware descriptor of the USB device 902; the USB device control list stores the corresponding values computed by the preset algorithm from the hardware descriptors of USB devices that may not be used;
Accordingly, the authenticating device 903 specifically comprises:
a receiving module, used to receive the hardware descriptor of the USB device 902 sent by the filter driver via the USB bus driver;
a computing module, used to compute, inside the authenticating device 903 and with the preset algorithm, the corresponding value of the hardware descriptor of the USB device 902;
an enumerating module, used to enumerate the corresponding values stored in the USB device control list, computed by the preset algorithm from the hardware descriptors of USB devices that may not be used;
a judging module, used to judge whether a value equal to the corresponding value of the hardware descriptor of the USB device 902 exists among the enumerated corresponding values;
a sending module, used to send the judgment result to the filter driver;
Accordingly, the filter driver of the computer 901 further comprises:
a determining unit, used to determine that the USB device 902 is an illegal device when the judgment result is that such a value exists, and to determine that the USB device 902 is a legal device when the judgment result is that no such value exists.
Here, the default access control list is used to store the list of devices that may access the computer by default;
Accordingly, the default authentication unit specifically comprises:
a first subunit, used to determine, when the USB device exists in the default access control list, that the result of the default authentication unit is that the USB device is a default access device;
a second subunit, used to determine, when the USB device does not exist in the default access control list, that the result of the default authentication unit is that the USB device is a non-default access device.
Alternatively, the default access control list is used to store the list of devices that may not access the computer by default;
Accordingly, the default authentication unit specifically comprises:
a first subunit, used to determine, when the USB device exists in the default access control list, that the result of the default authentication unit is that the USB device is a non-default access device;
a second subunit, used to determine, when the USB device does not exist in the default access control list, that the result of the default authentication unit is that the USB device is a default access device.
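The decision made by the sending unit of filter driver 901C in Embodiment 3, as an added example in Python that is not part of the patent: the judging unit sends the private command to every connected device object and compares the answer with the preset value; when an authenticating device is present, the verification result selects between the intercepted connection relationship data and the last saved legal data, and when none is present the default access control list (in either of the two semantics of the first and second subunits) selects between the intercepted data and emptied data. Device objects are modelled as callables, verification with the authenticating device is supplied as a callback, and every name, command string and value is constructed; for a default access device the example returns the device's own connection relationship data, as the method summary describes.

```python
from typing import Callable, Dict, Iterable, Optional

# A device object is modelled as a callable that receives the private command and
# returns a value (the authenticating device) or None (any other USB device).
DeviceObject = Callable[[str], Optional[str]]
PRIVATE_COMMAND = "PRIVATE_CMD"  # constructed placeholder for the private command


class FilterDriver:
    """Model of filter driver 901C (constructed for this example)."""

    def __init__(self, preset_value: str, default_access_list: Iterable[str],
                 default_mode: str = "allow") -> None:
        if default_mode not in ("allow", "deny"):
            raise ValueError("default_mode must be 'allow' or 'deny'")
        self.preset_value = preset_value                      # value the judgment subunit expects
        self.default_access_list = set(default_access_list)   # default access control list
        self.default_mode = default_mode                      # list of devices that may / may not access by default
        self.last_legal_connection: dict = {}                 # last saved connection relationship data

    def authenticating_device_connected(self, device_objects: Dict[str, DeviceObject]) -> bool:
        """Judging unit: sending subunit, receiving subunit and judgment subunit."""
        for send_private_command in device_objects.values():
            returned = send_private_command(PRIVATE_COMMAND)
            if returned is not None and returned == self.preset_value:
                return True
        return False

    def is_default_access_device(self, hardware_descriptor: str) -> bool:
        """Default authentication unit: first and second subunits, for both list semantics."""
        present = hardware_descriptor in self.default_access_list
        return present if self.default_mode == "allow" else not present

    def data_for_pnp_manager(self, hardware_descriptor: str, intercepted: dict,
                             device_objects: Dict[str, DeviceObject],
                             verify_with_authenticating_device: Callable[[str], bool]) -> dict:
        """Sending unit: the connection relationship data handed to the plug and play manager."""
        if self.authenticating_device_connected(device_objects):
            if verify_with_authenticating_device(hardware_descriptor):
                self.last_legal_connection = dict(intercepted)  # legal: save and forward
                return dict(intercepted)
            return dict(self.last_legal_connection)            # illegal: last saved legal data
        if self.is_default_access_device(hardware_descriptor):
            return dict(intercepted)                            # default access device
        return {}                                               # non-default: emptied data
```

Two properties of the model are worth noting: an illegal device never reaches the plug and play manager as anything but the previously saved legal connection, so its arrival produces no new device for the system to enumerate; and the judging unit accepts any device object that returns the preset value, so the strength of the "is the authenticating device present" check rests entirely on that value staying private to the authenticating device and the filter driver.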
The embodiment of the invention provides a system for controlling access by a computer to a USB device: the filter driver module, which holds a preset default access control list, and the authenticating device, which holds a preset USB device control list, jointly authenticate the legitimacy of a USB device connected to the computer, thereby controlling the computer's access to the USB device and solving the security problems in the interaction between USB devices and computers.
The above are only preferred embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.