CN101640595A - Method, device and system for controlling switching of isolation card - Google Patents

Info

Publication number
CN101640595A
Authority
CN
China
Prior art keywords
port
switching
user password
host
information
Legal status
Granted
Application number
CN200810117280A
Other languages
Chinese (zh)
Other versions
CN101640595B (en
Inventor
李希喆
田宏萍
Current Assignee
Lenovo Shanghai Electronics Technology Co Ltd
Original Assignee
Lenovo Beijing Ltd
Events
Application filed by Lenovo Beijing Ltd
Priority to CN200810117280.9A
Publication of CN101640595A
Application granted
Publication of CN101640595B
Legal status: Active

Abstract

The invention discloses a method, a device and a system for controlling the switching of an isolation card. The method applies to a system consisting of a secure hardware device, a host and the isolation card, and controls the switching of the isolation card through the secure hardware device so that the host can operate in different network environments. The method comprises: the secure hardware device receives a switching request sent by the host, the request containing a user password and switching-port information; it judges whether the user password matches a user password stored in advance, and determines from the currently recorded switching-port information whether the switching port named in the request is available; and it sends a switching command to the isolation card only when the user password matches the stored password and the requested switching port is available. Because the switching process is controlled by a secure hardware device that acts as a black box and is not easily attacked by Trojans and the like, the security of switching is improved.

Description

Method, device and system for controlling the switching of an isolation card
Technical field
The present invention relates to the field of communication technology, and in particular to a method, device and system for controlling the switching of an isolation card.
Background art
A dual-network isolation card physically divides one PC in two, so that the PC can be placed in different network environments and data handled in one network environment cannot be read, modified or destroyed from the other. An isolation card usually has three network interfaces, used to connect the intranet, the extranet and the network adapter respectively, and three hard-disk interfaces, used to connect the hard disk assigned to the intranet, the hard disk assigned to the extranet, and the hard-disk interface on the motherboard. A dual-network isolation card is normally installed at the physical layer of a computer that has an operating system; the intranet and the extranet each use their own hard disk, each hard disk carries its own independent operating system, and the CPU, memory and so on are shared by the PC.
The isolation card is fitted with a relay that acts as a one-way selector switch. When switching between intranet and extranet is needed it is controlled through this relay, in at least two modes: power-line switching and data-line switching. The switching password is issued through this relay, either in single-throw switch mode, where the relay is driven directly, or by upper-layer software sending a switching command over the PCI interface to the chip on the isolation card. Whichever switching mode is used, the switch always moves from one operating system to another, so it cannot be audited, and the operating system running before the switch has no easy way to reject the switching action. When switching is done by software, the password is often quite simple, so it is easily attacked by Trojans and the like, which reduces the security of switching. The isolation card carries a chip that records the switching state in FLASH, but because the isolation card can only achieve isolation between the different networks, it lacks password-based security.
Summary of the invention
The object of the present invention is to provide a method, device and system for controlling the switching of an isolation card, to solve the problem that, in the prior art, switching through the isolation card is difficult to control and not very secure.
To solve the above technical problem, the invention provides the following technical scheme:
A method for controlling the switching of an isolation card, applied to a system comprising a secure hardware device, a host and an isolation card, where the switching of the isolation card is controlled through the secure hardware device so that the host operates in different network environments, comprising:
the secure hardware device receives a switching request sent by the host, the switching request containing a user password and switching-port information;
judging whether the user password matches a user password stored in advance, and confirming from the currently recorded switching-port information whether the switching port corresponding to the switching-port information in the request is available;
when the user password matches the stored user password and the switching port corresponding to the switching-port information is available, sending a switching command to the isolation card.
A device for controlling the switching of an isolation card, applied to a system comprising a host and an isolation card, where the switching of the isolation card is controlled through the device so that the host operates in different network environments, comprising:
a request receiving unit, used to receive the switching request sent by the host, the switching request containing a user password and switching-port information;
a judging and executing unit, used to send a switching command to the isolation card when the user password matches the stored user password and the switching port corresponding to the switching-port information is available.
A system for controlling the switching of an isolation card, comprising a host, an isolation card and a secure hardware device, where:
the host is used to send a switching request to the secure hardware device, the switching request containing a user password and switching-port information;
the secure hardware device is used to receive the switching request and, when the user password matches the stored user password and the switching port corresponding to the switching-port information is available, to send a switching command to the isolation card.
As can be seen from the technical scheme above, the present invention uses a third-party secure hardware device to control the switching process, so the state and course of every switch can be recorded and monitored in one place, and whether a switching command is sent can be decided flexibly according to preset conditions. Because the switching command is issued by the secure hardware device, which acts as a black box, it is not easily attacked by Trojans and the like, which improves the security of switching. The secure hardware device has dedicated space for storing state information and port information, so every switching process can be recorded and the records updated or deleted; a query function is provided to upper-layer equipment such as the host, so the user can obtain information about switching at any time, and the recorded information is not easily lost, which improves the integrity and security of the whole system.
Description of drawings
Fig. 1 controls the first embodiment flow chart of the method for isolation card switching for the present invention;
Fig. 2 controls the second embodiment flow chart of the method for isolation card switching for the present invention;
Fig. 3 controls the 3rd embodiment flow chart of the method for isolation card switching for the present invention;
Fig. 4 controls the 4th embodiment flow chart of the method for isolation card switching for the present invention;
Fig. 5 controls the first embodiment block diagram of isolation card device for switching for the present invention;
Fig. 6 controls the second embodiment block diagram of isolation card device for switching for the present invention;
Fig. 7 controls the 3rd embodiment block diagram of isolation card device for switching for the present invention;
Fig. 8 controls the 4th embodiment block diagram of isolation card device for switching for the present invention;
Fig. 9 controls the first embodiment block diagram of the system of isolation card switching for the present invention;
Figure 10 controls the second embodiment block diagram of the system of isolation card switching for the present invention.
Detailed description
The core of the present invention is a method, device and system for controlling the switching of an isolation card: the secure hardware device receives a switching request sent by the host, the request containing a user password and switching-port information; it judges whether the user password matches a user password stored in advance, and confirms from the currently recorded switching-port information whether the switching port corresponding to the request is available; and when the user password matches the stored password and the switching port is available, it sends a switching command to the isolation card.
So that those skilled in the art may better understand the scheme of the present invention, and so that the above objects, features and advantages become more apparent, the present invention is described in further detail below with reference to the drawings and specific embodiments.
The flow of the first embodiment of the method for controlling isolation-card switching according to the present invention is shown in Fig. 1:
Step 101: the secure hardware device receives a switching request sent by the host.
The switching request sent by the host contains a user password and switching-port information, which serve as the basis for deciding whether to send a switching command to the isolation card.
Step 102: judge whether the user password in the switching request matches the password stored in advance; if so, go to step 103; otherwise, end the process.
Specifically, the secure hardware device reads the user password that the host sent during initialization and stored in advance, and compares the stored user password with the user password in the switching request.
Step 103: judge from the currently recorded port information whether the switching port in the switching request is available; if so, go to step 104; otherwise, end the process.
Specifically, the secure hardware device reads the usage record of the switching port and judges whether the port is currently occupied. If it is not occupied, the device checks, against the timestamp set in advance for each port, whether the current time lies within the time range recorded by that port's timestamp; if so, the switching port is judged available, otherwise it is judged unavailable.
Step 104: the secure hardware device sends a switching command to the isolation card.
The secure hardware device may send the switching command to the host, which forwards it to the isolation card; or the secure hardware device may deliver the switching command directly through an output port to the switching relay of the isolation card, in which case the isolation card does not communicate with the host at all.
The flow of the second embodiment of the method for controlling isolation-card switching according to the present invention is shown in Fig. 2; this embodiment shows the detailed process of the secure hardware device from the initialization operation through to sending the switching command:
Step 201: the secure hardware device receives the user password and the port definition list sent by the host.
When the user uses the host for the first time, the user sets a user password (also called the administrator password) through the host's upper-layer software and generates a port definition list according to the ports on the isolation card; the user password and the port definition list are then sent to the secure hardware device.
The secure hardware device may be a TPM (Trusted Platform Module) security chip, a TCM (Trusted Cryptography Module) security chip or an MTM (Mobile Trusted Module) security chip. Taking the TPM as an example, it is a security chip conforming to the TPM specification that can effectively protect the host against access by unauthorized users. The TPM security chip has a wide range of uses: it can store and manage the BIOS start-up password and the hard-disk password, and because these passwords are kept inside the chip, they are not lost even on power loss. The TPM security chip can also encrypt more broadly: besides the traditional start-up and hard-disk encryption, it can encrypt system login and application-software login credentials, which are transmitted only after TPM encryption, so there is no need to worry about information and passwords being stolen.
Step 202: perform the initialization operation according to the user password and the port definition list.
The secure hardware device performs the initialization operation according to the received user password and port definition list, at minimum saving the user password and the port definition list.
Step 203: receive a switching request from the host containing a user password and a switching port.
When the user needs to switch while using the system, the user enters the user password and the chosen switching port on the host, and the host sends a switching request containing the user password and the switching port to the secure hardware device.
Step 204: the secure hardware device reads the user password that the host sent during initialization and stored in advance.
Step 205: compare the stored user password with the user password in the switching request; if they match, go to step 206; otherwise, end the process.
Step 206: the secure hardware device reads the usage record of the switching port.
The port definition list in the secure hardware device contains all the ports on the isolation card, and the current usage of each port is updated and recorded in real time; therefore, once the user password matches, the current usage record of the switching port named in the request must be read.
Step 207: judge from the usage record whether the switching port is currently occupied; if so, end the process; otherwise, go to step 208.
Step 208: judge, against the timestamp set in advance for each port, whether the switching port is within the time range recorded by its timestamp; if so, go to step 209; otherwise, end the process.
In the embodiment of the invention a timestamp is set in advance for each port; the timestamp expresses the time range within which the port may be switched to, so that a given port can be made to work only at certain times. The timestamp can be controlled by setting an RTC (Real-Time Clock, the security chip's real-time clock) or a monotonic counter; for example, with an RTC, a port can be set to operate on the extranet only during a certain clock period.
Step 209: the secure hardware device sends a switching command containing the switching port to the isolation card, and the process ends.
When the switching port is currently unoccupied and its timestamp shows it is within the time range in which switching is allowed, the secure hardware device can send the switching command to the host, which forwards it to the isolation card, realizing software-controlled switching; or the secure hardware device bypasses the host and sends the switching command directly to the isolation card over a GPIO (General Purpose Input/Output) output port connected to the isolation card's switching relay, realizing hardware-controlled switching. Because the switching command is then not sent through the host's upper-layer software, the security of switching is improved.
The flow of the third embodiment of the method for controlling isolation-card switching according to the present invention is shown in Fig. 3; this embodiment shows the detailed process of controlling isolation-card switching when the secure hardware device and the host communicate using key-based encryption:
Step 301: store an administrator key in advance in both the secure hardware device and the host.
To strengthen the security of communication between the host and the secure hardware device, an administrator key used for encrypting the communication can be stored in advance in both the secure hardware device and the host.
Step 302: judge whether use of the administrator key is selected; if so, go to step 303; otherwise, go to step 309.
Although the administrator key is stored in both the secure hardware device and the host, the two can flexibly choose, as required, whether to use this administrator key for encrypted communication.
Step 303: the secure hardware device receives a switching request encrypted with the administrator key from the host.
When both the secure hardware device and the host have selected encrypted communication with the administrator key, the host encrypts the switching request containing the user password and switching port with the pre-stored administrator key and sends the encrypted request to the secure hardware device.
Step 304: decrypt the switching request.
After receiving the encrypted switching request, the secure hardware device decrypts it using the decryption method corresponding to the encryption method used.
Step 305: judge whether the user password in the switching request matches the password stored in advance; if so, go to step 306; otherwise, end the process.
Step 306: judge from the currently recorded port information whether the switching port in the switching request is available; if so, go to step 307; otherwise, end the process.
Step 307: the secure hardware device sends a switching command encrypted with the administrator key to the host.
Since encrypted communication was chosen between the secure hardware device and the host, the switching command the device sends to the host is likewise encrypted with the administrator key.
Step 308: the host decrypts the switching command and forwards it to the isolation card; the process ends.
Step 309: the secure hardware device receives a switching request from the host.
When neither the secure hardware device nor the host has selected encrypted communication with the administrator key, the switching request the secure hardware device receives from the host is unencrypted.
Step 310: when the user password matches the stored user password and the currently recorded port information confirms that the switching port is available, the switching command is forwarded to the isolation card through the host; the process ends.
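The exchange of steps 303 to 308 modelled in Python, as an added example that is not the patent's own protocol: the patent says only that the request and the switching command are encrypted with the shared administrator key and names no cipher. The envelope below assumes an encrypt-then-MAC construction built from the standard library (HMAC-SHA256 in counter mode as the keystream, a second HMAC-SHA256 as the tag), a per-direction key split derived from the administrator key, and a sequence number that rejects replays. The message contents and the 32-byte key are constructed samples, and the names AdminKeyChannel, seal, open and run_exchange are this example's, not the patent's.

```python
"""Authenticated, replay-protected envelope for the host <-> secure device link.
Example code, not the patent's protocol.  Standard library only."""
import hashlib
import hmac
import json
import os
import struct


class AdminKeyChannel:
    HEADER = struct.Struct(">Q12s")   # sequence number, 12-byte random nonce
    TAG_LEN = 32                      # HMAC-SHA256 tag

    def __init__(self, admin_key: bytes, role: str):
        if role not in ("host", "device"):
            raise ValueError("role must be 'host' or 'device'")
        # Separate sub-keys per direction, so a message cannot be reflected back
        # to its sender and pass the tag check.
        tx, rx = b"host->device", b"device->host"
        if role == "device":
            tx, rx = rx, tx
        self._tx_enc = self._subkey(admin_key, tx + b"/enc")
        self._tx_mac = self._subkey(admin_key, tx + b"/mac")
        self._rx_enc = self._subkey(admin_key, rx + b"/enc")
        self._rx_mac = self._subkey(admin_key, rx + b"/mac")
        self._send_seq = 0         # last sequence number we sent
        self._last_recv_seq = 0    # highest sequence number accepted so far

    @staticmethod
    def _subkey(key: bytes, label: bytes) -> bytes:
        return hmac.new(key, label, hashlib.sha256).digest()

    @staticmethod
    def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
        # Counter mode with HMAC-SHA256 as the block function.
        blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range((length + 31) // 32)]
        return b"".join(blocks)[:length]

    def seal(self, payload: dict) -> bytes:
        self._send_seq += 1
        nonce = os.urandom(12)
        header = self.HEADER.pack(self._send_seq, nonce)
        plaintext = json.dumps(payload, sort_keys=True).encode()
        stream = self._keystream(self._tx_enc, nonce, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
        tag = hmac.new(self._tx_mac, header + ciphertext, hashlib.sha256).digest()
        return header + ciphertext + tag

    def open(self, message: bytes) -> dict:
        if len(message) < self.HEADER.size + self.TAG_LEN:
            raise ValueError("truncated message")
        header = message[:self.HEADER.size]
        ciphertext = message[self.HEADER.size:-self.TAG_LEN]
        tag = message[-self.TAG_LEN:]
        expected = hmac.new(self._rx_mac, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")   # tampered, wrong key or reflected
        seq, nonce = self.HEADER.unpack(header)
        if seq <= self._last_recv_seq:
            raise ValueError("replayed message")         # a captured request cannot re-trigger a switch
        self._last_recv_seq = seq
        stream = self._keystream(self._rx_enc, nonce, len(ciphertext))
        return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


def run_exchange(admin_key: bytes):
    """Steps 303-308: host seals the request, the device opens it, the device seals
    the switching command, the host opens it.  Returns what each side saw."""
    host = AdminKeyChannel(admin_key, "host")
    device = AdminKeyChannel(admin_key, "device")
    request = host.seal({"user_password": "s3cret", "port": "internet"})  # constructed sample
    seen_by_device = device.open(request)
    command = device.seal({"command": "switch", "port": seen_by_device["port"]})
    seen_by_host = host.open(command)
    return seen_by_device, seen_by_host


if __name__ == "__main__":
    print(run_exchange(bytes(range(32))))
```

Two points a practitioner would check that this embodiment itself does not address: the sequence number is covered by the tag and must strictly increase, so a captured request cannot be replayed to trigger a second switch; and because the administrator key is also stored on the host (step 301), the envelope protects the host-to-chip link, not against malware already running on the host, which is the very component the background section treats as exposed to Trojans. The chip-side checks of the other embodiments (port occupancy and time window) are what limit such malware.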
The flow of the fourth embodiment of the method for controlling isolation-card switching according to the present invention is shown in Fig. 4; this embodiment shows the detailed process of controlling isolation-card switching when the secure hardware device additionally records state information and switching information:
Step 401: the secure hardware device receives the user password and the port definition list sent by the host and performs the initialization operation.
Step 402: the secure hardware device records its state information and the switching information of each port.
The state information of the secure hardware device comprises a state flag bit, a state index and state backup information. The state backup information refers to the data space of the secure hardware device in its current state, including the PCRs (platform configuration registers), user and key data, usage-state information and so on.
The switching information of each port comprises the usage record of the port, the timestamp set for the port, and so on.
Step 403: receive a switching request from the host containing a user password and a switching port.
Step 404: the secure hardware device reads the user password that the host sent during initialization and stored in advance.
Step 405: compare the stored user password with the user password in the switching request; if they match, go to step 406; otherwise, end the process.
Step 406: judge whether the storage space for recording state information and switching information is sufficient; if so, go to step 407; otherwise, go to step 410.
In this embodiment the state information of the secure hardware device and the switching information of each port are maintained, updated and recorded in real time, so it is necessary to judge whether the storage space for state information and switching information is sufficient, so that the state information and switching information corresponding to the current switching port can be recorded and later queried by the upper-layer software on the host.
Step 407: judge from the currently recorded port information whether the switching port in the switching request is available; if so, go to step 408; otherwise, end the process.
Step 408: update, in the corresponding storage space, the state information of the secure hardware device and the switching information of the switching port according to the switching port.
Since the currently recorded port information shows that the switching port in the request is available, and the current storage space is sufficient, the state information of the secure hardware device and the switching information of the switching port are updated in the corresponding storage space according to the switching port.
Step 409: the secure hardware device sends the switching command directly through an output port to the switching relay of the isolation card; the process ends.
Step 410: delete the earliest-recorded state information and switching information in the storage space, and return to step 407.
Because the storage space for recording state information and switching information is insufficient, and because the state information and port switching information recorded in the storage space are arranged in time order, it can be arranged in advance that when the storage space is full the earliest-recorded state information and switching information are deleted according to that order, so that there is enough space to record the state information and switching information corresponding to the current switching port.
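The device-side logic of the first, second and fourth embodiments (steps 101 to 104, 201 to 209 and 401 to 410) modelled in Python, as an added example that is not the patent's own code. It assumes: the chip stores a salted PBKDF2 hash of the user password rather than the password itself (the patent only says the password is stored); a port is "occupied" when it is the port currently in use; each port's timestamp is an inclusive RTC window in seconds; and the record space is a fixed number of bytes from which the earliest record is deleted when it is full. It goes beyond the page in one respect: refusals are recorded as well as successful switches, which an auditor would want. Class, function and port names, and the sample clock values, are this example's.

```python
"""Model of the secure hardware device's switch-control logic.
Example code, not the patent's; assumptions are marked in comments."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class PortDefinition:
    """One entry of the port definition list (step 201): a port on the isolation
    card and the inclusive RTC window, in seconds, in which it may be switched to."""
    name: str
    window_start: int
    window_end: int


class SecureHardwareDevice:
    # Fixed-size switching record: RTC seconds, port name padded to 16 bytes, result code.
    RECORD = struct.Struct(">I16sB")
    RESULT_SWITCHED, RESULT_BAD_PASSWORD, RESULT_PORT_UNAVAILABLE = 0, 1, 2
    PBKDF2_ROUNDS = 20_000  # assumption: a salted hash is stored, not the password

    def __init__(self, rtc, record_region_bytes=64):
        self.rtc = rtc                        # callable returning RTC seconds (injected)
        self._salt = None
        self._pw_hash = None
        self._ports = {}                      # the port definition list, by name
        self._active_port = None              # port currently in use, i.e. "occupied"
        self._max_records = record_region_bytes // self.RECORD.size
        self._records = []                    # packed records, earliest first
        self.issued_commands = []             # stands in for the GPIO line to the relay

    # Steps 201-202: initialization with the user password and port definition list.
    def initialize(self, user_password, port_definitions):
        self._salt = os.urandom(16)
        self._pw_hash = self._derive(user_password, self._salt)
        self._ports = {p.name: p for p in port_definitions}

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)

    # Steps 204-205: compare against the stored password in constant time.
    def _password_matches(self, user_password):
        if self._pw_hash is None:
            return False                      # not initialized: refuse everything
        return hmac.compare_digest(self._derive(user_password, self._salt), self._pw_hash)

    # Steps 206-208: occupancy record first, then the port's time window.
    def _port_unavailable_reason(self, port):
        definition = self._ports.get(port)
        if definition is None:
            return "port not in definition list"
        if port == self._active_port:
            return "port currently occupied"
        if not definition.window_start <= self.rtc() <= definition.window_end:
            return "outside the port's time window"
        return None

    # Steps 406 and 410: when the record space is full, delete the earliest record.
    def _record(self, port, result):
        while len(self._records) >= self._max_records:
            self._records.pop(0)
        self._records.append(self.RECORD.pack(self.rtc(), port.encode()[:16], result))

    # Steps 101-104 / 203-209: one switching request.
    def handle_switch_request(self, user_password, port):
        if not self._password_matches(user_password):
            self._record(port, self.RESULT_BAD_PASSWORD)
            return ("reject", "password mismatch")
        reason = self._port_unavailable_reason(port)
        if reason is not None:
            self._record(port, self.RESULT_PORT_UNAVAILABLE)
            return ("reject", reason)
        self._record(port, self.RESULT_SWITCHED)   # step 408: update records
        self._active_port = port
        self.issued_commands.append(("SWITCH", port))   # step 409: out to the relay
        return ("switch", port)

    # The query function the patent offers to the host's upper-layer software.
    def query_records(self, port=None):
        found = []
        for raw in self._records:
            stamp, name, result = self.RECORD.unpack(raw)
            name = name.rstrip(b"\0").decode()
            if port is None or name == port:
                found.append((stamp, name, result))
        return found


if __name__ == "__main__":
    clock = {"now": 9 * 3600}                 # constructed sample clock: 09:00
    device = SecureHardwareDevice(lambda: clock["now"])
    device.initialize("s3cret", [PortDefinition("intranet", 0, 24 * 3600),
                                 PortDefinition("internet", 8 * 3600, 18 * 3600)])
    print(device.handle_switch_request("s3cret", "internet"))
    clock["now"] = 20 * 3600                  # 20:00: internet window closed
    print(device.handle_switch_request("s3cret", "intranet"))
    print(device.handle_switch_request("s3cret", "internet"))
    print(device.query_records())
```

The clock is injected so the time-window check of step 208 can be exercised deterministically; on a real chip it would be the RTC or monotonic counter that step 208 mentions. Note that an attacker on the host who has captured the password still cannot switch to a port outside its window or to the port already in use, since both checks run on the chip.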
The method of controlling the isolation card switching with the present invention is corresponding, and the present invention also provides the embodiment of control isolation card device for switching and system.
The first embodiment block diagram that the present invention controls the isolation card device for switching as shown in Figure 5, this device comprises: request receiving element 510 and judge performance element 520.
Wherein, request receiving element 510 is used to receive the handoff request that main frame sends, and comprises user password and port switching information in the described handoff request;
It is consistent with the user password of storage in advance to judge that performance element 520 is used at described user password, but and the port switching time spent of described port switching information correspondence, send switching command to isolation card.
The second embodiment block diagram that the present invention controls the isolation card device for switching as shown in Figure 6, this device comprises: initialization information receiving element 610, initialization performance element 620, request receiving element 630 and judge performance element 640.
Wherein, initialization information receiving element 610 is used to receive user password and the port definition tabulation that main frame sends, described user password is the user password of main frame user's input of storage when first the use, comprises all of the port on the described isolation card in the described port definition tabulation;
Initialization performance element 620 is used for according to described user password and port definition tabulation carrying out initialization operation;
Request receiving element 630 is used to receive the handoff request that main frame sends, and comprises user password and port switching information in the described handoff request;
Judge that performance element 640 further comprises:
The user password reading unit, the user password of storing in advance when being used to read in initialization operation by the main frame transmission;
The user password comparing unit, whether the user password that is used for more described storage in advance is consistent with the user password of described handoff request;
The port switching judging unit, be used for when the user password of storing in advance is consistent with the user password of described handoff request, service recorder according to the described port switching that reads, judge whether described port switching is current occupied, when unoccupied, according to judging that for the timestamp of each port setting described port switching is whether in the time range of its time stamp record in advance, if, then described port switching can be used, otherwise described port switching is unavailable;
The switching command transmitting element, but be used for sending switching command to described isolation card when the described port switching time spent.
The 3rd embodiment block diagram that the present invention controls the isolation card device for switching as shown in Figure 7, this device comprises: initialization information receiving element 710, initialization performance element 720, key storing unit 730, communication encryption unit 740, request receiving element 750 and judge performance element 760.
Wherein, initialization information receiving element 710 is used to receive user password and the port definition tabulation that main frame sends, described user password is the user password of main frame user's input of storage when first the use, comprises all of the port on the described isolation card in the described port definition tabulation;
Initialization performance element 720 is used for according to described user password and port definition tabulation carrying out initialization operation;
Key storing unit 730 is used for storing in advance the administrator key consistent with main frame;
Communication encryption unit 740 is used for by described administrator key the information that transfers to main frame being encrypted when selecting to use described key;
Request receiving element 750 is used to receive the handoff request through the administrator key encryption that main frame sends, and comprises user password and port switching information in the described handoff request;
It is consistent with the user password of storage in advance to judge that performance element 760 is used for the described user password of the handoff request after judging deciphering, but and confirm port switching time spent of described port switching information correspondence according to the port information of current record, send the switching command of encrypting through administrator key to main frame, the switching command after will being deciphered by main frame is forwarded to isolation card.
Figure 8 is a block diagram of a fourth embodiment of the device for controlling isolation card switching according to the present invention. The device comprises: an initialization information receiving unit 810, an initialization execution unit 820, a state information recording unit 830, a port information recording unit 840, a request receiving unit 850, a storage space judging unit 860, a storage space updating unit 870 and a judging and executing unit 880.
The initialization information receiving unit 810 receives the user password and the port definition list sent by the host; the user password is the password entered by the host user and stored at first use, and the port definition list includes all ports on the isolation card;
The initialization execution unit 820 performs the initialization operation according to the user password and the port definition list;
The state information recording unit 830 records the state information of the secure hardware device, which comprises a state flag bit, a state index and state backup information;
The port information recording unit 840 records the switching information of each port, which comprises the usage record of each port and the timestamp set for each port;
The request receiving unit 850 receives the switching request sent by the host; the switching request comprises a user password and switching port information;
The storage space judging unit 860 judges whether the storage space for recording the state information and the switching information is sufficient;
The storage space updating unit 870, when the storage space is sufficient, updates the state information of the secure hardware device and the switching information of the switching port in the corresponding storage space according to the switching port; when the storage space is insufficient, it first deletes the earliest recorded state information and switching information in the storage space, and then updates the state information of the secure hardware device and the switching information of the switching port according to the switching port;
The judging and executing unit 880 sends the switching command to the isolation card when the user password matches the user password stored in advance and the switching port corresponding to the switching port information is available.
Figure 9 shows a first embodiment of the system for controlling isolation card switching according to the present invention. The system comprises: a host 910, an isolation card 920 and a secure hardware device 930. In this system, the secure hardware device 930 sends the switching command to the isolation card 920 via the host 910.
The host 910 sends a switching request to the secure hardware device 930; the switching request comprises a user password and switching port information;
The secure hardware device 930 receives the switching request and, when it judges that the user password matches the user password stored in advance and confirms from the currently recorded port information that the switching port corresponding to the switching port information is available, sends the switching command to the host 910, which forwards it to the isolation card 920.
Further, before the system performs switching control, the host 910 also sends the user password and the port definition list to the secure hardware device 930; the user password is the password entered by the host user and stored at first use, and the port definition list includes all ports on the isolation card. The secure hardware device 930 also performs the initialization operation according to the user password and the port definition list.
Figure 10 shows a second embodiment of the system for controlling isolation card switching according to the present invention. The system comprises: a host 1010, an isolation card 1020 and a secure hardware device 1030. In this system, the secure hardware device 1030 sends the switching command directly to the isolation card 1020.
The host 1010 sends a switching request to the secure hardware device 1030; the switching request comprises a user password and switching port information;
The secure hardware device 1030 receives the switching request and, when it judges that the user password matches the user password stored in advance and confirms from the currently recorded port information that the port corresponding to the switching port information is available, sends the switching command directly to the switching relay of the isolation card 1020 through an output port.
Further, before the system performs switching control, the host 1010 also sends the user password and the port definition list to the secure hardware device 1030; the user password is the password entered by the host user and stored at first use, and the port definition list includes all ports on the isolation card. The secure hardware device 1030 also performs the initialization operation according to the user password and the port definition list.
As can be seen from the above description of the embodiments, the state and process of switching can be uniformly recorded and monitored, and whether to send the switching command can be decided flexibly according to preset conditions. Because the switching command is issued by the secure hardware device, which acts as a black box and is not easily attacked by Trojans and the like, the security of switching is improved. The secure hardware device has dedicated space for storing state information and port information, so every switching process can be recorded and later updated or deleted, and a query function is provided to upper-layer devices such as the host, so that the user can obtain switching-related information at any time; the recorded information is not easily lost, which improves the integrity and security of the whole system.
Those skilled in the art will understand that the present invention can be implemented by software together with the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, comprising instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in the embodiments of the present invention or in some parts of them.
The above embodiments of the present invention do not limit its protection scope. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (17)

1. A method for controlling the switching of an isolation card, the method being applied to a system comprising a secure hardware device, a host and an isolation card, the switching of the isolation card being controlled by the secure hardware device so that the host can operate in different network environments, characterized in that the method comprises:
the secure hardware device receiving a switching request sent by the host, the switching request comprising a user password and switching port information;
judging whether the user password matches a user password stored in advance, and confirming, according to the currently recorded switching port information, whether the switching port corresponding to the switching port information is available;
when the user password matches the user password stored in advance and the switching port corresponding to the switching port information is available, sending a switching command to the isolation card.
2. The method according to claim 1, characterized in that, before receiving the switching request sent by the host, the method further comprises:
the secure hardware device receiving a user password and a port definition list sent by the host, the user password being the password entered by the host user and stored at first use, and the port definition list including all ports on the isolation card;
the secure hardware device performing an initialization operation according to the user password and the port definition list.
3. The method according to claim 1, characterized in that judging whether the user password matches the user password stored in advance comprises:
the secure hardware device reading the user password stored in advance, which was sent by the host during the initialization operation;
comparing whether the user password stored in advance matches the user password in the switching request.
4. The method according to claim 1, characterized in that confirming, according to the currently recorded switching port information, whether the switching port corresponding to the switching port information is available comprises:
the secure hardware device judging, according to the read usage record of the switching port, whether the switching port is currently occupied;
when it is not occupied, judging, according to the timestamp set in advance for each port, whether the switching port is within the time range recorded by its timestamp; if so, the switching port is available, otherwise the switching port is unavailable.
5. The method according to claim 1, characterized in that sending the switching command to the isolation card comprises:
the secure hardware device sending the switching command to the host, and the host forwarding the switching command to the isolation card; or
the secure hardware device sending the switching command directly to the switching relay of the isolation card through an output port.
6. The method according to any one of claims 1 to 5, characterized in that, before receiving the switching request sent by the host, the method further comprises:
storing an administrator key in advance in both the secure hardware device and the host;
when use of the key is selected, encrypting all information transmitted between the secure hardware device and the host with the administrator key.
7. The method according to claim 1, characterized in that, before the secure hardware device receives the switching request sent by the host, the method further comprises:
recording state information of the secure hardware device, the state information comprising a state flag bit, a state index and state backup information;
recording switching information of each port, the switching information comprising a usage record of each port and a timestamp set for each port.
8. The method according to claim 7, characterized in that, before sending the switching command to the isolation card, the method further comprises:
judging whether the storage space for recording the state information and the switching information is sufficient;
if so, updating, in the corresponding storage space and according to the switching port, the state information of the secure hardware device and the switching information of the switching port;
otherwise, deleting the earliest recorded state information and switching information in the storage space and then updating, according to the switching port, the state information of the secure hardware device and the switching information of the switching port; or returning storage-space-full information to the host and ceasing to send the switching command to the isolation card.
9. A device for controlling the switching of an isolation card, applied to a system comprising a host and an isolation card, the switching of the isolation card being controlled by the device so that the host can operate in different network environments, characterized in that the device comprises:
a request receiving unit, for receiving a switching request sent by the host, the switching request comprising a user password and switching port information;
a judging and executing unit, for sending a switching command to the isolation card when the user password matches a user password stored in advance and the switching port corresponding to the switching port information is available.
10. The device according to claim 9, characterized in that it further comprises:
an initialization information receiving unit, for receiving a user password and a port definition list sent by the host, the user password being the password entered by the host user and stored at first use, and the port definition list including all ports on the isolation card;
an initialization execution unit, for performing an initialization operation according to the user password and the port definition list.
11. The device according to claim 9, characterized in that the judging and executing unit comprises:
a user password reading unit, for reading the user password stored in advance, which was sent by the host during the initialization operation;
a user password comparing unit, for comparing whether the user password stored in advance matches the user password in the switching request;
a switching port judging unit, for judging, when the user password stored in advance matches the user password in the switching request, whether the switching port is currently occupied according to the read usage record of the switching port, and, when it is not occupied, judging according to the timestamp set in advance for each port whether the switching port is within the time range recorded by its timestamp, in which case the switching port is available, and otherwise unavailable;
a switching command sending unit, for sending the switching command to the isolation card when the switching port is available.
12. The device according to claim 9, characterized in that it further comprises:
a key storage unit, for storing in advance an administrator key consistent with that of the host;
a communication encryption unit, for encrypting the information transmitted to the host with the administrator key when use of the key is selected.
13. The device according to claim 9, characterized in that it further comprises:
a state information recording unit, for recording state information of the secure hardware device, the state information comprising a state flag bit, a state index and state backup information;
a port information recording unit, for recording switching information of each port, the switching information comprising a usage record of each port and a timestamp set for each port.
14. The device according to claim 13, characterized in that it further comprises:
a storage space judging unit, for judging whether the storage space for recording the state information and the switching information is sufficient;
a storage space updating unit, for updating, when the storage space is sufficient, the state information of the secure hardware device and the switching information of the switching port in the corresponding storage space according to the switching port, and, when the storage space is insufficient, first deleting the earliest recorded state information and switching information in the storage space and then updating the state information of the secure hardware device and the switching information of the switching port according to the switching port.
15. A system for controlling the switching of an isolation card, characterized in that it comprises: a host, an isolation card and a secure hardware device,
the host sending a switching request to the secure hardware device, the switching request comprising a user password and switching port information;
the secure hardware device receiving the switching request and sending a switching command to the isolation card when the user password matches a user password stored in advance and the switching port corresponding to the switching port information is available.
16. The system according to claim 15, characterized in that the host also sends a user password and a port definition list to the secure hardware device, the user password being the password entered by the host user and stored at first use, and the port definition list including all ports on the isolation card;
the secure hardware device also performs an initialization operation according to the user password and the port definition list.
17. The system according to claim 15, characterized in that the secure hardware device forwards the switching command to the isolation card via the host; or
the secure hardware device sends the switching command directly to the switching relay of the isolation card through an output port.
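The following Python model is an added example, not the patent's own code or Lenovo's implementation. It exercises the decision logic described for the fourth device embodiment (Figure 8) and in claims 1, 4, 7 and 8: password check, port availability from the usage record and the per-port timestamp window, bounded record storage with either earliest-record deletion or a storage-full reply. The class and method names, the SHA-256 hashing of the stored password, the freeing of the previously active port on a successful switch, and the record layout are this example's assumptions; the patent states only that the password is stored and that state and switching information are recorded.

```python
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass


@dataclass
class PortRecord:
    occupied: bool = False       # usage record: is this port currently in use
    window: tuple = (0, 86400)   # timestamp range (seconds) in which switching to it is allowed


class SecureHardwareDevice:
    """Constructed model of the decision logic; names and storage layout are assumptions."""

    def __init__(self, max_records=4, evict_oldest=True):
        self.max_records = max_records      # size of the dedicated record storage
        self.evict_oldest = evict_oldest    # True: delete earliest record when full; False: report full
        self._pw_hash = None
        self.ports = {}
        self.records = deque()              # state info + switching info, earliest first
        self.state_index = 0
        self.active_port = None

    def initialize(self, user_password, port_definitions):
        # First use: store the host user's password and the full port list of the isolation card.
        # Storing a hash instead of the password is this example's choice, not the patent's.
        self._pw_hash = hashlib.sha256(user_password.encode()).digest()
        self.ports = {p: PortRecord() for p in port_definitions}

    def set_port_window(self, port, start, end):
        self.ports[port].window = (start, end)

    def _password_matches(self, user_password):
        candidate = hashlib.sha256(user_password.encode()).digest()
        return self._pw_hash is not None and hmac.compare_digest(candidate, self._pw_hash)

    def _port_available(self, port, now):
        rec = self.ports.get(port)
        if rec is None or rec.occupied:     # unknown port or currently occupied
            return False
        start, end = rec.window
        return start <= now <= end          # inside the time range recorded by its timestamp

    def handle_switch_request(self, user_password, port, now):
        """Returns the command for the isolation card, or a rejection / storage-full tuple."""
        if not self._password_matches(user_password):
            return ("REJECT", "password mismatch")
        if not self._port_available(port, now):
            return ("REJECT", "port unavailable")
        if len(self.records) >= self.max_records:
            if not self.evict_oldest:
                return ("STORAGE_FULL", None)   # claim 8 alternative: tell the host, send no command
            self.records.popleft()              # delete the earliest state/switching record
        self.state_index += 1
        backup = self.records[-1]["index"] if self.records else None
        self.records.append({"flag": 1, "index": self.state_index, "backup": backup,
                             "port": port, "time": now})
        if self.active_port is not None:        # assumption: the old port is released on switch
            self.ports[self.active_port].occupied = False
        self.ports[port].occupied = True
        self.active_port = port
        return ("SWITCH", port)
```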
CN200810117280.9A 2008-07-28 2008-07-28 Method, device and system for controlling switching of isolation card Active CN101640595B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810117280.9A CN101640595B (en) 2008-07-28 2008-07-28 Method, device and system for controlling switching of isolation card

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200810117280.9A CN101640595B (en) 2008-07-28 2008-07-28 Method, device and system for controlling switching of isolation card

Publications (2)

Publication Number Publication Date
CN101640595A true CN101640595A (en) 2010-02-03
CN101640595B CN101640595B (en) 2015-03-25

Family

ID=41615404

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810117280.9A Active CN101640595B (en) 2008-07-28 2008-07-28 Method, device and system for controlling switching of isolation card

Country Status (1)

Country Link
CN (1) CN101640595B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102279337A (en) * 2011-04-19 2011-12-14 珠海经济特区伟思有限公司 Network security separated card testing system
CN104486289A (en) * 2014-10-30 2015-04-01 中国人民解放军信息工程大学 Data one-way transmission method and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1281190A (en) * 2000-08-23 2001-01-24 深圳市宏网实业有限公司 Network security computer with single motherboard
CN2492979Y (en) * 2001-07-27 2002-05-22 赵敏 Network isolator unit with identity confirmation
CN1202479C (en) * 2002-11-28 2005-05-18 李大东 Safety protective computer

Also Published As

Publication number Publication date
CN101640595B (en) 2015-03-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20160606
Address after: 201203 Shanghai Zhangjiang High Tech Park of Pudong New Area Chunxiao Road No. 289 Room 501
Patentee after: Lenovo (Shanghai) Information Technology Co., Ltd.
Address before: 100085 Beijing, Haidian District information industry base on the road No. 6
Patentee before: Lenovo (Beijing) Co., Ltd.