CN102236755A - One-machine multi-user security access control method - Google Patents

Publication number: CN102236755A
Authority: CN (China)
Prior art keywords: user, file, usbkey, security, document
Legal status: Pending
Application number: CN201110113457XA
Other languages: Chinese (zh)
Inventors: 宋营军, 赵斌, 冯磊
Current Assignee: Shandong Chaoyue Numerical Control Electronics Co Ltd
Original Assignee: Shandong Chaoyue Numerical Control Electronics Co Ltd

Abstract

The invention provides a one-machine multi-user security access control method based on a trusted cryptography module (TCM) and a universal serial bus (USB) key. It addresses the following problems under a single operating system: insecure storage of multi-user information, lack of security for runtime data after a user with a legitimate identity logs in, and the resource waste of multiple users requiring multiple hard disks. In the method, secure file access control for users is implemented in kernel mode by combining USBKey hardware with a TCM chip. User identity information is stored as ciphertext in the secure storage area of the USBKey, the encryption is carried out inside the TCM chip using a standard cryptographic algorithm, and the private keys are protected by an SMK. The USBKey can be carried by the user, which provides secure storage of the user's private information.

Description

A single-machine multi-user secure access control method
Technical field
The invention belongs to the field of computer information security technology, and in particular relates to a single-machine multi-user secure access control method based on a TCM chip and a USBKey device.
Background
In many national and local government bodies, confidentiality-sensitive markets, large companies and similar settings, a secure computer is often shared by several people or several departments. To meet the requirement that, on the same machine, each user's data be independent, secure and confidential, with no access for other unauthorized users, a kernel-level single-machine multi-user secure access control method was developed on the basis of an overall consideration of the relevant security factors.
Single-machine multi-user secure access control currently on the market mainly takes the following forms:
User password and PIN schemes based on the operating system and software, which grant access to users. This approach uses a configured computer program to create the different users and their authorizations, and can implement a user access security policy according to the different user permissions.
Hardware-based single-machine multi-user secure access control. This approach is implemented mainly with multiple physical hard disks or with multiple partitions on a single hard disk. In the multi-disk case, different users use different physical hard disks and each physical disk uses a different authentication key, which keeps the data independent and confidential. In the single-disk multi-partition case, the hard disk is physically partitioned so that each partition is equivalent to an independent hard disk; when a user accesses the system, the user reaches a specific disk partition after legitimate authentication.
With the continued development and maturing of information technology and hardware technology, the single-machine multi-user secure access modes above have gradually gained general acceptance. However, the current technology has problems:
1. Multi-user access systems based on operating-system-specific users mostly use a single authentication step and lack tiered permission management of logged-in users. Their security depends heavily on the operating system, and once the system password leaks, very serious losses may result.
2. Hardware-based single-machine multi-user secure access control is inconvenient for users, the users are no longer under the same system, and a great deal of disk resources is wasted, which increases production cost.
Trusted Computing (TC) is a technology promoted and developed by the Trusted Computing Group (TCG), intended to bring trusted computing platforms backed by hardware security modules into wide use in computing and communication systems. The Chinese government attaches great importance to the application of trusted computing in information security and has set up the China trusted computing working group (TCMU). On December 29, 2007, the State Cryptography Administration issued the "Functionality and Interface Specification of Cryptographic Support Platform for Trusted Computing", which lays down a series of trusted computing and cryptographic specifications, including the Trusted Cryptography Module (TCM). The TCM defines a subsystem with protected storage and protected execution; this subsystem establishes the foundation of trust for the computing platform, and its independent computing resources establish strictly restricted security protection mechanisms.
TCM chips and USBKeys are maturing, which gives developers the technical support to build highly reliable and secure solutions and provides a technical guarantee for implementing a single-machine multi-user security method.
Summary of the invention
The object of the invention is to provide a single-machine multi-user secure access control method based on TCM and USBKey that solves the following problems under a single operating system: insecure storage of multi-user information, lack of security and confidentiality for runtime data after a user with a legitimate identity logs in, and the resource waste of multiple users requiring multiple hard disks.
The object is achieved as follows. The method comprises a user initialization operation, a user secure-file creation operation, a user secure-file access operation and a user file access permission modification operation.
The initialization steps are as follows:
Step I1. The administrator logs in to the file security management system;
Step I2. After passing verification, the administrator removes the administrator USBKey and inserts the new user's USBKey;
Step I3. The file security control management system uses the new user's information to generate new user identity data and stores this data in the USBKey after encryption by the TCM chip, completing the new user's registration.
The user file creation steps are as follows:
Step P1. A user-level process is invoked to create the file;
Step P2. The user selects the access mode of the file being created (general or private) and then requests a system call;
Step P3. If the general file creation mode is selected, only data encryption is applied to the created file; all users of this machine have operating permission on the file, and the file is stored on the hard disk as ciphertext;
Step P4. If the private file creation mode is selected, the legitimacy of the user's identity must first be checked. If the user is a legitimate user, the corresponding operations are performed through kernel calls: the user identification information stored in the user's USBKey is used to generate the file's security control identifier, and the TCM encryption chip is then called to encrypt the file. By default only this user has operating permission on the file, and the file is stored on disk as ciphertext.
The user file access steps are as follows:
Step S1. A user-level process is invoked to operate on the file;
Step S2. The user-level process determines the next specific operation according to the type of the file being operated on;
Step S3. If the file being operated on is of the ordinary file type, the kernel file driver is called directly, and the file is then decrypted through the TCM encryption chip driver;
Step S4. If the file being operated on is of the private file type, the system must first check whether a legitimate user USBKey is present. If a legitimate user USBKey is detected, the user's legitimate operating permission on the file is determined, and the TCM encryption chip driver is called to decrypt the file.
The steps for modifying file access permissions are as follows:
Step H1. The user logs in to the file security management system with user name, password and USBKey;
Step H2. The user selects the access permissions of other users on the files belonging to this user;
Step H3. The kernel file control driver is called to complete the setting of the user file access permissions.
The advantages and beneficial effects of the invention are:
Authentication uses a USBKey hardware device, which is more reliable and stable than biometric devices and also lowers cost. Identity information and file security control information are stored in the secure storage area of the USBKey device. Encryption is performed by the TCM chip, and the whole encryption process is completely transparent to the user. The TCM chip uses the national cryptographic algorithms, and the private key cannot be obtained. The USBKey device can be carried by the user, which provides secure storage protection for user information.
The greatest advantage of the system is that it is flexible and convenient. It works in a way that is transparent to the user and guarantees the security and confidentiality of the user's personal information. It also uses TCM transparent encryption, which guarantees secure storage of user data, and it lets all users share the machine's resources to the greatest possible extent, which avoids wasted resources and makes the system easier to use and to understand.
Fig. 1 is a flowchart of the user initialization method;
Fig. 2 is a flowchart of user file creation;
Fig. 3 is a flowchart of the user file access operation;
Fig. 4 is a flowchart of user modification of file access permissions.
Embodiment
To make the purpose, technical method and advantages of the invention clearer and easier to understand, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiment described here only illustrates the invention and does not limit it.
As one embodiment of the invention, initialization must be performed before the access control system is deployed. As shown in Fig. 1, the file security control management system initializes a new user as follows:
Step I1. The administrator logs in to the file security management system by entering the user name, password and PIN code. The USBKey counts the user-information verification attempts internally. If verification passes, the administrator is logged in to the system; if it does not pass, the security management system cannot be entered. Once the cumulative number of input errors reaches the upper limit L, the USBKey locks automatically and can no longer be used;
Step I2. After passing verification, the administrator removes the administrator USBKey, enters the new user's user name and password, and inserts the new user's USBKey;
Step I3. The system runs a hash algorithm over the initial user information (user name and user password) to obtain a fixed-length user identity datum and encrypts it with the symmetric encryption algorithm in the TCM chip. After encryption, this user identity data is stored in the non-volatile storage of this user's USBKey, completing the registration of the new user in the file security control system.
As shown in Fig. 2, a user of the file security control management system creates a file as follows:
Step P1. A user-level process is invoked to create the file;
Step P2. The user selects the access mode of the file being created (general or private) and then requests a system call;
Step P3. If the general file creation mode is selected, the system kernel file driver is called, which in turn calls the underlying TCM encryption chip driver to encrypt the file. All users of this machine have operating permission on the file, and the file data is stored on the hard disk as ciphertext;
Step P4. If the private file creation mode is selected, the system must first check whether the user's USBKey is present and usable. If the USBKey is unusable or absent, the user is prompted to insert a legitimate user USBKey. If a legitimate user's USBKey is detected, the kernel driver is called: the user identification information stored in the USBKey is used to generate the security control identifier of the file or folder, and the underlying TCM encryption chip driver is called to encrypt the file. By default only this user has operating permission on the file, and the file is stored on the hard disk as ciphertext.
As shown in Fig. 3, the file security control system handles a file access operation as follows:
Step S1. A user-level process is invoked to operate on the file;
Step S2. Through a kernel-level system call, the user-level process determines the next specific operation according to the type of the file being operated on;
Step S3. If the file being operated on is of the ordinary file type, the kernel file driver is called directly, and the file is then decrypted through the TCM encryption chip driver;
Step S4. If the file being operated on is of the private file type, the system must first check whether a legitimate user USBKey is present. If no legitimate USBKey is present, the user is prompted to insert a legitimate user USBKey. If a legitimate user USBKey is detected, the information in this USBKey is evaluated to determine the user's legitimate operating permission on the file, and the TCM encryption chip driver is called to decrypt the file.
As shown in Fig. 4, the file security control system modifies file access control permissions as follows:
Step H1. The user logs in to the file security management system by entering the user name, password and PIN code. The USBKey counts the user-information verification attempts internally. If verification passes, the user is logged in to the system; if it does not pass, the security management system cannot be entered. Once the cumulative number of input errors reaches the upper limit L, the USBKey locks automatically and can no longer be used;
Step H2. The user logged in to the file security control management system selects a user and a file from the user list and from the list of files belonging to this user, respectively;
Step H3. The kernel file control driver is called to set the access permissions of the different users on the specific file in this user's list.
The invention combines a USBKey hardware device with a TCM chip to implement secure user access control over files in kernel mode. User identity information is stored as ciphertext in the secure storage area of the USBKey device. A national-standard cryptographic algorithm is used, the encryption is carried out inside the TCM chip, and the private key is protected by the SMK. The USBKey device can be carried by the user, which provides secure storage of the user's personal information.
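The following model of steps I3, P3/P4, S3/S4 and H2/H3 is an added example, not code from the patent or its applicant; it shows which checks gate each file operation and that a general file, although stored as ciphertext, is readable by anyone on the machine. Assumptions: SHA-256 stands in for the unnamed hash, an HMAC-SHA256 keystream without an integrity tag stands in for the TCM's symmetric cipher, and the ACL tag, the per-machine user list, the PIN unlock standing in for login and all class and function names are hypothetical.

```python
import hashlib, hmac, os

class TCM:
    """Stand-in for the TCM chip: HMAC-SHA256 keystream replaces its cipher (assumption)."""
    def __init__(self):
        self._key = os.urandom(32)           # never leaves this object

    def _stream(self, nonce, n):
        return b"".join(hmac.new(self._key, nonce + i.to_bytes(4, "big"),
                                 hashlib.sha256).digest() for i in range(n // 32 + 1))[:n]

    def encrypt(self, data):
        nonce = os.urandom(16)
        return nonce + bytes(a ^ b for a, b in zip(data, self._stream(nonce, len(data))))

    def decrypt(self, blob):
        nonce, ct = blob[:16], blob[16:]
        return bytes(a ^ b for a, b in zip(ct, self._stream(nonce, len(ct))))

class USBKey:  # token: PIN, cumulative failure counter (limit L), storage slot
    def __init__(self, pin, limit=3):
        self._pin, self._limit, self._failures = pin.encode(), limit, 0
        self._unlocked, self._sealed = False, None

    def unlock(self, pin):
        if self._failures >= self._limit:    # a locked token rejects even the right PIN
            return False
        self._unlocked = hmac.compare_digest(pin.encode(), self._pin)
        self._failures += 0 if self._unlocked else 1   # counted inside the token
        return self._unlocked

    def store(self, blob):
        self._sealed = blob

    def load(self):                          # readable only after a successful unlock
        return self._sealed if self._unlocked else None

class FileSecuritySystem:
    def __init__(self):
        self.tcm, self.users, self.files = TCM(), {}, {}

    @staticmethod
    def _tag(identity):                      # ACL tag derived from the identity (assumption)
        return hashlib.sha256(b"acl-tag" + identity).hexdigest()

    def register(self, key, username, password):            # step I3
        identity = hashlib.sha256(f"{username}\0{password}".encode()).digest()
        key.store(self.tcm.encrypt(identity))                # only ciphertext reaches the token
        self.users[username] = self._tag(identity)

    def _caller(self, key):
        blob = key.load() if key is not None else None
        return self._tag(self.tcm.decrypt(blob)) if blob else None

    def create(self, name, data, private=False, key=None):  # steps P3 / P4
        owner = self._caller(key) if private else None
        if private and owner is None:
            raise PermissionError("insert a valid user USBKey")
        acl = {owner} if private else None                   # None: any local user may open it
        self.files[name] = {"owner": owner, "acl": acl, "ct": self.tcm.encrypt(data)}

    def allowed(self, name, key=None):
        rec = self.files[name]
        return rec["acl"] is None or self._caller(key) in rec["acl"]

    def read(self, name, key=None):                          # steps S3 / S4
        if not self.allowed(name, key):
            raise PermissionError("no valid USBKey or no permission for this file")
        return self.tcm.decrypt(self.files[name]["ct"])

    def grant(self, name, owner_key, username):              # steps H2 / H3
        rec = self.files[name]
        if rec["owner"] is None or self._caller(owner_key) != rec["owner"]:
            raise PermissionError("only the file's owner may change its permissions")
        rec["acl"].add(self.users[username])

def demo():  # constructed scenario: alice and bob share one machine
    fs, alice, bob = FileSecuritySystem(), USBKey("2468"), USBKey("1357")
    fs.register(alice, "alice", "pw-alice"); fs.register(bob, "bob", "pw-bob")
    alice.unlock("2468"); bob.unlock("1357")
    fs.create("notice.txt", b"canteen menu")                 # general file
    fs.create("plan.txt", b"budget draft", private=True, key=alice)
    return fs, alice, bob
```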

Claims (1)

1. A single-machine multi-user secure access control method, characterized in that it comprises a user initialization operation, a user secure-file creation operation, a user secure-file access operation and a user file access permission modification operation, wherein:
The initialization steps are as follows:
Step I1. The administrator logs in to the file security management system;
Step I2. After passing verification, the administrator removes the administrator USBKey and inserts the new user's USBKey;
Step I3. The file security control management system uses the new user's information to generate new user identity data and stores this data in the USBKey after encryption by the TCM chip, completing the new user's registration;
The user file creation steps are as follows:
Step P1. A user-level process is invoked to create the file;
Step P2. The user selects the access mode of the file being created, general or private, and then requests a system call;
Step P3. If the general file creation mode is selected, only data encryption is applied to the created file; all users of this machine have operating permission on the file, and the file is stored on the hard disk as ciphertext;
Step P4. If the private file creation mode is selected, the legitimacy of the user's identity must first be checked; if the user is a legitimate user, the corresponding operations are performed through kernel calls, the user identification information stored in the user's USBKey is used to generate the file's security control identifier, and the TCM encryption chip is then called to encrypt the file; by default only this user has operating permission on the file, and the file is stored on disk as ciphertext;
The user file access steps are as follows:
Step S1. A user-level process is invoked to operate on the file;
Step S2. The user-level process determines the next specific operation according to the type of the file being operated on;
Step S3. If the file being operated on is of the ordinary file type, the kernel file driver is called directly, and the file is then decrypted through the TCM encryption chip driver;
Step S4. If the file being operated on is of the private file type, the system must first check whether a legitimate user USBKey is present; if a legitimate user USBKey is detected, the user's legitimate operating permission on the file is determined, and the TCM encryption chip driver is called to decrypt the file;
The steps for modifying file access permissions are as follows:
Step H1. The user logs in to the file security management system with user name, password and USBKey;
Step H2. The user selects the access permissions of other users on the files belonging to this user;
Step H3. The kernel file control driver is called to complete the setting of the user file access permissions.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110113457XA CN102236755A (en) 2011-05-04 2011-05-04 One-machine multi-user security access control method

Publications (1)

Publication Number Publication Date
CN102236755A true CN102236755A (en) 2011-11-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20111109