CN102368773B - Access control method of mobile memory, mobile memory and system - Google Patents

Publication number
CN102368773B
Authority
CN
China
Prior art keywords
certificate
mobile memory
fileinfo
user
display unit
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201110337782.4A
Other languages
Chinese (zh)
Other versions
CN102368773A (en
Inventor
李东声
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tendyron Technology Co Ltd
Beijing Tendyron Technology Co Ltd
Original Assignee
Tendyron Technology Co Ltd
Application filed by Tendyron Technology Co Ltd filed Critical Tendyron Technology Co Ltd
Priority to CN201110337782.4A priority Critical patent/CN102368773B/en
Publication of CN102368773A publication Critical patent/CN102368773A/en
Application granted granted Critical
Publication of CN102368773B publication Critical patent/CN102368773B/en

Abstract

The invention, which belongs to the field of information security, discloses an access control method for a mobile memory, a mobile memory and a system. The method comprises the following steps: a mobile memory obtains a user certificate, through a certificate read-write interface, from the user certificates stored in a certificate storage device; the mobile memory authenticates the obtained user certificate using a pre-stored root certificate; after the authentication succeeds, the mobile memory receives a file information browsing request sent by a file information display device connected to the mobile memory, extracts the file information corresponding to the request, and sends the extracted file information to the file information display device for display. The method solves the poor security of access control in prior-art mobile storage devices, which is caused by using a static password for user identity authentication.

Description

Access control method of mobile memory, mobile memory and system
Technical field
The present invention relates to the field of information security, and in particular to an access control method for a mobile memory, a mobile memory and a system.
Background art
With the rapid spread of mobile memories, especially mobile memories with a USB interface (hereinafter referred to as USB flash disks), the security of files stored in USB flash disks is receiving increasing attention.
To strengthen the security of USB flash disks, secure USB flash disks that can control file access operations are gradually being applied in fields such as the military, finance and business. The basic principle of access control in a secure USB flash disk is that, before accessing files in the secure USB flash disk, the user must send an authentication password (hereinafter referred to as the password) to the secure USB flash disk through a terminal; the secure USB flash disk authenticates the password, and only after authentication passes does it allow operations such as file reading and writing.
Existing secure USB flash disks authenticate the user with a static authentication password, and their security is poor.
Summary of the invention
The purpose of the embodiments of the present invention is to provide an access control method for a mobile memory, a mobile memory and a system that improve the security of mobile memory access and solve the problem that existing secure USB flash disks authenticate users with a static authentication password and therefore have poor security.
The purpose of the present invention is achieved through the following technical solutions:
An embodiment of the present invention provides an access control method for a mobile memory, the method comprising the following steps:
The mobile memory obtains a user certificate, through a certificate read-write interface, from the user certificates stored in a certificate storage device;
The mobile memory authenticates the obtained user certificate using a pre-stored root certificate; after authentication succeeds, the mobile memory receives a file information browse request sent by the connected file information display unit, extracts the file information corresponding to that request, and sends it to the file information display unit for display.
In the above method, before the mobile memory obtains the user certificate through the certificate read-write interface from the user certificates stored in the certificate storage device, the method further comprises: the mobile memory is connected to the file information display unit and, after connection, receives an authentication request sent by the file information display unit; the operation of obtaining the user certificate is carried out after the authentication request is received.
In the above method, the authentication request comprises a certificate storage device authentication password;
The mobile memory obtains the user certificate from the user certificates stored in the certificate storage device through the certificate read-write interface in the following manner:
The mobile memory extracts the certificate storage device authentication password from the authentication request and sends a certificate read request containing that password to the certificate storage device through the certificate read-write interface;
After the certificate storage device successfully authenticates the certificate storage device authentication password in the received certificate read request, it sends the user certificate to the mobile memory through the certificate read-write interface.
In the above method, the authentication request comprises a user name;
The user certificate that the mobile memory obtains from the certificate storage device through the certificate read-write interface is the user certificate corresponding to the user name contained in the authentication request.
In the above method, the mobile memory obtains the user certificate corresponding to the user name in the authentication request from the certificate storage device in the following manner:
The mobile memory reads the user certificate corresponding to the user name from the certificate storage device; or the mobile memory reads all user certificates stored in the certificate storage device into the mobile memory and selects the corresponding user certificate by user name.
In the above method, after the mobile memory successfully authenticates the obtained user certificate, the method further comprises:
The mobile memory obtains the locally stored access authority information corresponding to this user and uses it as the current access rights.
In the above method, before the obtained user certificate is authenticated, the mobile memory also verifies the legitimacy of the certificate storage device in the following manner:
It receives the following data sent by the certificate storage device: signed data that the certificate storage device generates by signing original data with its locally stored private key corresponding to this user certificate, and the original data;
The mobile memory verifies the received signed data and the original data using the public key corresponding to this user certificate, thereby confirming whether the certificate storage device is the legitimate holder of this user certificate.
In the above method, before the file information display unit sends the file information browse request, the method further comprises the following step:
The mobile memory and the file information display unit perform key agreement to obtain a transmission key used to encrypt and decrypt file information.
In the above method, after the mobile memory receives the file information browse request sent by the file information display unit, the method further comprises the following step:
The mobile memory analyses the file information browse request and judges whether the current access rights allow the corresponding file access operation; if so, it carries out the operation; if not, it returns to the file information display unit a response message prohibiting the corresponding file access operation.
In the above method, after the mobile memory judges that the current access rights allow the corresponding file access operation, the method further comprises the following steps:
The mobile memory judges whether the current file access operation requires password authentication and, if so, sends a password authentication request to the file information display unit;
The mobile memory receives the password authentication reply returned by the file information display unit; the reply contains the corresponding file operation password entered by the user through the file information display unit;
The mobile memory authenticates the file operation password contained in the password authentication reply and, only after authentication passes, extracts the file information corresponding to the file information browse request and sends it to the file information display unit for display.
In the above method, the mobile memory sends the extracted file information corresponding to the file information browse request to the file information display unit for display in the following manner:
The mobile memory encrypts the extracted file information corresponding to the file information browse request with a preset transmission key, or with the transmission key obtained by key agreement with the file information display unit, and then sends it to the file information display unit;
After receiving the file information, the file information display unit decrypts it with the transmission key and shows the decrypted file information on its display screen.
An embodiment of the present invention also provides a mobile memory, the mobile memory comprising: a main control module, a data transmission module, a memory module and a certificate read-write interface; wherein,
The data transmission module is connected to the main control module and is used to connect an external file information display unit, so that data can be transmitted between the main control module and the file information display unit;
The memory module is connected to the main control module and is used to store the file information extracted by the main control module and the root certificate used to authenticate user certificates;
The certificate read-write interface is connected to the main control module and is used to connect a certificate storage device, so that the main control module can obtain a user certificate from the user certificates stored in the certificate storage device;
The main control module is connected to the data transmission module, the certificate read-write interface and the memory module, and is used to obtain a user certificate through the certificate read-write interface from the user certificates stored in the certificate storage device; to authenticate the obtained user certificate using the root certificate extracted from the memory module; and, after authentication succeeds, to receive the file information browse request that the connected file information display unit inputs through the data transmission module, extract the file information corresponding to that request from the memory module, and send it through the data transmission module to the file information display unit for display.
In the above mobile memory, before the main control module obtains the user certificate through the certificate read-write interface from the user certificates stored in the certificate storage device,
The main control module is also used to receive the authentication request that the connected file information display unit inputs through the data transmission module.
In the above mobile memory, the authentication request received from the file information display unit through the data transmission module comprises a certificate storage device authentication password;
The main control module is also used to extract the certificate storage device authentication password from the authentication request and send a certificate read request containing that password to the certificate storage device through the certificate read-write interface; and, after the certificate storage device successfully authenticates the certificate storage device authentication password in the received certificate read request, to receive the user certificate sent by the certificate storage device.
In the above mobile memory, the authentication request received from the file information display unit through the data transmission module comprises a user name;
The main control module is also used to obtain, through the certificate read-write interface, the user certificate corresponding to the user name contained in the authentication request from the user certificates stored in the certificate storage device.
In the above mobile memory, before the obtained user certificate is authenticated,
The main control module is also used to receive the following data sent by the certificate storage device: signed data that the certificate storage device generates by signing original data with its locally stored private key corresponding to this user certificate, and the original data; and to verify the received signed data and the original data using the public key corresponding to this user certificate, thereby confirming whether the certificate storage device is the legitimate holder of this user certificate.
In the above mobile memory, after the obtained user certificate is successfully authenticated,
The main control module is also used to take the access authority information corresponding to this user, stored in the memory module, as the current access rights.
In the above mobile memory, before the file information display unit sends the file information browse request,
The main control module is also used to perform key agreement with the file information display unit to obtain a transmission key used to encrypt and decrypt file information.
In the above mobile memory, after the file information browse request sent by the file information display unit is received,
The main control module is also used to analyse the file information browse request and judge whether the current access rights allow the corresponding file access operation; if so, it carries out the operation; if not, it returns to the file information display unit a response message prohibiting the corresponding file access operation.
In the above mobile memory, after it is judged that the current access rights allow the corresponding file access operation,
The main control module is also used to judge whether the current file access operation requires password authentication and, if so, to send a password authentication request to the file information display unit; after the file information display unit receives the password authentication request, to receive the password authentication reply returned by the file information display unit, the reply containing the corresponding file operation password entered by the user through the file information display unit; and to authenticate the file operation password contained in the password authentication reply and, only after authentication passes, extract the file information corresponding to the file information browse request and send it to the file information display unit for display.
In the above mobile memory, when the extracted file information corresponding to the file information browse request is sent to the file information display unit for display,
The main control module is also used to encrypt the extracted file information corresponding to the file information browse request with a preset transmission key, or with the transmission key obtained by key agreement with the file information display unit, before sending it to the file information display unit.
An embodiment of the present invention further provides an access control system for a mobile memory, the system comprising:
A mobile memory and a file information display unit connected to each other, wherein the mobile memory is the mobile memory described above;
And a certificate storage device connected to the certificate read-write interface of the mobile memory.
As can be seen from the technical solutions provided above, in the method of the embodiments of the present invention, a pre-stored user certificate issued by a trusted CA is read from the certificate storage device through the certificate read-write interface and authenticated using the root certificate; only after authentication passes is the user allowed to perform the corresponding file access operations on the mobile memory through the file information display unit. This avoids the poor security of mobile storage device access control caused by the current use of static passwords for user identity authentication.
Description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the access control method of the mobile memory provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of the mobile memory provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of the access control system of the mobile memory provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The main points of the present invention are: one or more root certificates (issuer certificates) are pre-stored in the mobile memory (for example, a USB flash disk), each root certificate corresponding to a trusted CA (Certificate Authority), and the mobile memory is provided with a certificate read-write interface (a USB interface or an IC card interface); after the mobile memory is connected to a file information display unit (for example, a PC or a dedicated mobile memory display device, hereinafter referred to as the display unit), it reads, through the certificate read-write interface, a pre-stored certificate issued by one of the above trusted CAs (which may be called a user certificate) from a USB device (for example, a USB KEY) or an IC card (collectively referred to as the certificate storage device), and authenticates the user certificate it has read using the root certificate; only after authentication passes is the user allowed to perform, through the display unit, file access operations of the corresponding security level on the mobile memory.
The embodiments of the present invention are described in further detail below with reference to the drawings.
First method embodiment
Fig. 1 is a flow chart of the access control method of the mobile memory of the present invention. As shown in Fig. 1, the method comprises the following steps:
101. After the mobile memory is connected to the display unit, the display unit shows a user authentication interface prompting the user to enter a user name;
Optionally, the user may also enter through the user authentication interface a static password used for authentication by the certificate storage device (which may be called the certificate storage device authentication password).
102. The display unit sends an authentication request to the mobile memory;
The authentication request may contain the user name and, optionally, the certificate storage device authentication password.
103. After receiving the authentication request sent by the display unit, if the request contains a user name, the mobile memory extracts that user name;
104. If the authentication request contains a certificate storage device authentication password, the mobile memory also extracts that password from the authentication request;
105. The mobile memory reads the user certificate from the certificate storage device through the certificate read-write interface;
In this step, the mobile memory may simply read the user certificate stored in the certificate storage device (in which case the mobile memory can belong to only a single user, and the certificate storage device stores only one corresponding user certificate), or the mobile memory may read only the user certificate in the certificate storage device that corresponds to the user name (in which case the mobile memory can belong to multiple users, and the certificate storage device stores multiple user certificates corresponding to different user names); where the certificate storage device stores multiple user certificates, all of them may also be read into the mobile memory, which then selects the corresponding user certificate by user name.
When the certificate storage device stores multiple user certificates, the user must enter in the user authentication interface a user name identical to the user identification information in the user certificate, so that the mobile memory can read or select the corresponding user certificate.
To improve security, if the authentication request contains a certificate storage device authentication password, the mobile memory should also send that password to the certificate storage device for authentication when reading the user certificate. Specifically, this step can be divided into the following sub-steps:
105a. The mobile memory sends a certificate read request to the certificate storage device;
The certificate read request contains the user name and the certificate storage device authentication password.
105b. After receiving the certificate read request sent by the mobile memory, the certificate storage device authenticates the certificate storage device authentication password; if authentication succeeds, the subsequent steps are carried out; if authentication fails, it sends an authentication failure response message to the mobile memory and this sub-step ends.
The certificate storage device can authenticate the password by comparing its locally stored certificate storage device authentication password with the one contained in the certificate read request.
In addition, if the certificate storage device supports multiple users, each with a different certificate storage device authentication password, the certificate storage device should also use the user name in the certificate read request to look up the corresponding locally stored password and compare it with the one contained in the certificate read request.
105c. After authentication passes, the certificate storage device extracts the corresponding locally stored user certificate according to the user name contained in the certificate read request and sends it to the mobile memory;
In addition, to authenticate the legitimacy of the certificate storage device, that is, to prove that the certificate storage device is the legitimate holder of the user certificate, when sending the user certificate to the mobile memory the certificate storage device also uses the locally stored private key of the user corresponding to this user certificate to sign a piece of original data, generating signed data, and sends the original data and the signed data to the mobile memory together with the user certificate.
106. The mobile memory authenticates the user certificate it has read; if certificate authentication succeeds, the next step is carried out; otherwise it sends an authentication failure message to the display unit and the flow ends;
The above authentication process can be divided into the following sub-steps:
106a. The mobile memory reads the issuer identification information in the user certificate and obtains the corresponding issuer certificate (that is, the root certificate) according to that information;
106b. The mobile memory reads the public key of the issuer certificate from that certificate;
106c. The mobile memory uses the above public key to verify the certificate signature field of the user certificate; if signature verification succeeds, certificate authentication has succeeded; otherwise certificate authentication has failed.
In addition to executing 106a~106c to authenticate the legitimacy of the user certificate, the mobile memory may also perform the following authentication operations to verify the legitimacy of the certificate storage device, that is, to verify that the certificate storage device is the legitimate holder of the user certificate:
106d. The mobile memory extracts the public key of the user certificate from the user certificate;
106e. The mobile memory uses the public key of the user certificate to decrypt the signed data sent by the certificate storage device and compares the data obtained by decryption with the original data sent by the certificate storage device; if the two are consistent, the certificate storage device is authenticated as the legitimate holder of the user certificate.
107. After certificate authentication passes, the mobile memory obtains the locally stored access authority information corresponding to this user and uses it as the current access rights.
Access rights can be divided into multiple levels; different access levels can correspond to different files and/or directories and/or partitions and/or different file operations (for example, read file, modify file, delete file, create file, browse folder, create folder, delete folder, etc.).
For example, access rights can be divided into three levels: high, intermediate and low;
A user whose access level is high can perform all file access operations on all files in all directories (folders) of all partitions;
A user whose access level is intermediate can read and modify some or all of the files in a particular partition/directory (folder), and can perform file access operations such as creating files and browsing folders, but is not allowed to perform operations such as deleting files or deleting folders;
A user whose access level is low can only read some of the files in a particular partition/directory (folder).
108. After certificate authentication succeeds, the mobile memory sends an authentication response to the display unit to notify the display unit/user that authentication has passed and that subsequent operations such as key agreement and file browsing can be carried out;
109. The mobile memory and the display unit perform key agreement to obtain a transmission key used to encrypt and decrypt file information.
The above key agreement process may be implemented with the ECDH (elliptic-curve Diffie-Hellman) algorithm, or with other key agreement/exchange algorithms in the prior art.
This step is optional.
110. The display unit shows a file information browse operation interface on its display screen, through which the user starts the file information browse operation;
The file information browse operation interface may be a passage of text, for example: "Press the X key to start browsing file information", with the browse operation starting after the user presses the specified key; it may also be an icon, with the browse operation starting after the user selects the icon.
If the display unit is a PC, the above file information browse operation interface is generally the file browser provided by the PC operating system, for example Explorer.
111. After receiving a file information browse instruction entered by the user through an input device such as a keyboard, the display unit sends the corresponding file information browse request to the mobile memory;
The file information browse instruction may be: browse the disk partitions contained in the disk, browse the files or folders contained in a disk partition, display file information, etc.
The file information browse request contains information such as: partition information, file path information, file name, data start position, and data end position (or data length).
The partition information specifies a particular disk partition or the root partition on the mobile memory;
For example, when the mobile memory contains multiple partitions (for example, partition 1 and partition 2), partition information containing the identifier of partition 1 means browsing the files or folders in partition 1; partition information containing the root partition identifier means browsing the disk partitions contained in the mobile memory (that is, partition 1 and partition 2).
The file path information specifies a folder in a particular disk partition or the root partition of the mobile memory;
For example, file path information of "folder 1\sub-folder 2" means browsing the files or folders in "sub-folder 2" inside "folder 1" of a given disk partition or the root partition.
The file name specifies the name of a specific file under a given file path in a particular disk partition or the root partition of the mobile memory;
The data start position specifies the start position of the data to be read from a given file;
The data end position specifies the end position of the data to be read from a given file;
The data end position may also be replaced by a data length: the display unit specifies the data start position and data length of the file to be read, and the mobile memory determines from this information the end position of the data that the display unit needs to read.
112. After receiving the file information browse request sent by the display unit, the mobile memory analyses the request and judges whether the current access rights allow the corresponding file access operation; if so, the next step is carried out; if not, it returns to the display unit a response message prohibiting the corresponding file access operation, and the flow ends.
113. The mobile memory extracts the file information corresponding to the file information browse request;
The file information may be all or part of the data of a file, or the attribute information (for example, file name, file size, etc.) of each file contained in a given partition or folder.
114. The mobile memory encrypts the extracted file information using a preset transmission key or the transmission key negotiated in step 109;
This step is optional.
115. The mobile memory sends the file information to the display unit.
116. After receiving the file information, the display unit decrypts it with the transmission key if it is encrypted and shows the decrypted file information on the display screen; if the file information is not encrypted, it is shown on the display screen directly.
After this, whenever the user performs a file operation with an input device such as the keyboard of the display unit (for example, opening a file, turning a page, browsing a new disk partition, browsing a new folder) and new file information must be read from the mobile memory, the display unit and the mobile memory repeat steps 111 to 116.
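The certificate check of steps 106a-106c and the holder check of steps 105c and 106d-106e can be exercised end to end as below. This is an added example, not code from the patent: the certificates and names are constructed, ECDSA signature verification stands in for the decrypt-and-compare wording of step 106e, and it assumes the mobile memory chooses the original data as a fresh random challenge, which the description does not specify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue builds a constructed certificate; a nil parent yields a self-signed root.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // root: CA flag set, signs itself
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// signChallenge is the certificate storage device side of step 105c.
func signChallenge(key *ecdsa.PrivateKey, challenge []byte) []byte {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return sig
}

// authenticate is the mobile memory side: steps 106a-106c, then 106d-106e.
func authenticate(user *x509.Certificate, roots *x509.CertPool, challenge, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := user.Verify(opts); err != nil {
		return fmt.Errorf("user certificate rejected: %w", err)
	}
	pub, ok := user.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported public key type")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("device does not hold the private key of this certificate")
	}
	return nil
}

// runCases authenticates four constructed devices against one trusted root.
func runCases() map[string]error {
	root, rootKey := issue("Trusted CA (constructed)", nil, nil)
	rogue, rogueKey := issue("Unknown CA (constructed)", nil, nil)
	user, userKey := issue("alice", root, rootKey)
	other, otherKey := issue("alice", rogue, rogueKey)
	roots := x509.NewCertPool() // root certificates pre-stored in the mobile memory
	roots.AddCert(root)
	c1, c2 := make([]byte, 32), make([]byte, 32) // fresh random challenges
	_, err := rand.Read(c1)
	check(err)
	_, err = rand.Read(c2)
	check(err)
	good, wrongKey := signChallenge(userKey, c1), signChallenge(otherKey, c1)
	return map[string]error{
		"valid":              authenticate(user, roots, c1, good),
		"untrusted issuer":   authenticate(other, roots, c1, wrongKey),
		"copied certificate": authenticate(user, roots, c1, wrongKey),
		"replayed signature": authenticate(user, roots, c2, good),
	}
}

func main() {
	for name, err := range runCases() {
		fmt.Printf("%-20s %v\n", name, err)
	}
}
```

Only the first case returns nil. The last case is the reason for the fresh-challenge assumption: a signature over data the verifier did not choose for this session proves nothing about who holds the key now.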
Second method embodiment
The second embodiment differs from the first as follows: in the first embodiment, the mobile memory manages rights solely by the user certificate it reads; in the second embodiment, for specific file operations such as opening a file, the user can additionally be required to enter a corresponding file operation password. The file operation password may be a static password or a dynamic password (for example, an OTP password). The following steps are therefore added between steps 112 and 113:
A: the mobile memory judges whether the current file access operation requires password authentication, and if so, performs step B;
The file access operations that require password authentication may be operations of a particular type, for example all open-file operations, or particular operations on a particular file or folder (a specific object); for example, opening a file in a particular folder requires password authentication.
B: the mobile memory sends a password authentication request to the display unit;
C: the display unit prompts the user to enter the corresponding file operation password;
The file operation password may be a preset static password or a dynamic password (for example, an OTP password). If a dynamic password is used, the user obtains the password from a token, and a dynamic password generator corresponding to the token must be provided in the mobile memory so that password authentication can be carried out.
D: the display unit places the file operation password entered by the user in a password authentication reply and sends it to the mobile memory;
E: the mobile memory authenticates the file operation password and, after authentication passes, performs the subsequent file operation.
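The request gate of step 112 together with steps A to E, as an added Python example that is not code from the patent. The path-prefix rights table, the status strings, the use of RFC 4226 HOTP as the dynamic password, the acceptance window and the sample files are all assumptions made for illustration.

```python
import hashlib
import hmac
import posixpath
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, standing in for the token's dynamic password."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def under(path: str, prefix: str) -> bool:
    """True if path equals prefix or lies below it, matching whole components."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


@dataclass
class BrowseRequest:
    operation: str   # "list" (attribute information) or "open" (file data)
    path: str
    start: int = 0   # data start position
    length: int = 0  # data length, used in place of the data end position


class MobileMemory:
    def __init__(self, files, rights, protected, otp_secret, window=3):
        self.files = files          # path -> file bytes
        self.rights = rights        # operation -> allowed path prefixes (current access rights)
        self.protected = protected  # folders in which "open" needs a file operation password
        self.otp_secret = otp_secret
        self.otp_counter = 0        # dynamic password generator state matching the token
        self.window = window        # how far the token may run ahead (assumption)

    def _check_password(self, candidate: str) -> bool:
        for c in range(self.otp_counter, self.otp_counter + self.window):
            if hmac.compare_digest(hotp(self.otp_secret, c).encode(), candidate.encode()):
                self.otp_counter = c + 1   # a used password is never accepted again
                return True
        return False

    def handle(self, req: BrowseRequest, password=None):
        if req.start < 0 or req.length < 0:
            return ("BAD_REQUEST", None)
        # Normalise first so "/public/../finance/x" is judged as "/finance/x".
        path = posixpath.normpath("/" + req.path.lstrip("/"))
        # Step 112: do the current access rights allow this operation on this path?
        if not any(under(path, p) for p in self.rights.get(req.operation, ())):
            return ("FORBIDDEN", None)
        # Steps A to E: some operations on some objects also need a password.
        if req.operation == "open" and any(under(path, p) for p in self.protected):
            if password is None:
                return ("PASSWORD_REQUIRED", None)      # step B
            if not self._check_password(password):      # step E
                return ("PASSWORD_REJECTED", None)
        # Step 113: extract the file information that was asked for.
        if req.operation == "list":
            info = [(p, len(d)) for p, d in sorted(self.files.items()) if under(p, path)]
            return ("OK", info)
        data = self.files.get(path)
        if data is None:
            return ("NOT_FOUND", None)
        return ("OK", data[req.start:req.start + req.length])


SECRET = b"12345678901234567890"   # RFC 4226 test secret, used as constructed sample data


def demo_device() -> MobileMemory:
    """Constructed sample device state (not from the patent)."""
    return MobileMemory(
        files={"/public/readme.txt": b"hello world",
               "/finance/q3.xls": b"REVENUE=42;COST=17"},
        rights={"list": ["/"], "open": ["/public", "/finance"]},
        protected=["/finance"],
        otp_secret=SECRET,
    )
```

Advancing the counter after a successful match is what keeps a captured dynamic password from being replayed in a later reply.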
First device embodiment
Fig. 2 is a schematic diagram of the mobile memory of the present invention. As shown in Fig. 2, the mobile memory comprises a main control module, a data transmission module, a memory module and a certificate read-write interface, wherein:
The data transmission module is connected to the main control module and is used to connect an external file information display unit, so that data can be transferred between the main control module and the file information display unit;
The memory module is connected to the main control module and stores the file information that the main control module extracts, together with the issuer certificate (i.e. the root certificate) used to authenticate user certificates;
The certificate read-write interface is connected to the main control module and is used to connect a certificate storage device, so that the main control module can obtain a user certificate from the user certificates stored in the certificate storage device;
The main control module is connected to the data transmission module, the certificate read-write interface and the memory module. It receives the authentication request that the file information display unit inputs through the data transmission module; after receiving the authentication request, it obtains a user certificate from the user certificates stored in the certificate storage device through the certificate read-write interface; it authenticates the obtained user certificate; after authentication succeeds, it receives the file information browse request that the file information display unit inputs through the data transmission module, extracts the file information corresponding to that request from the memory module, and sends it through the data transmission module to the file information display unit for display.
In the above mobile memory, the authentication request received from the file information display unit through the data transmission module contains a certificate store authentication password;
The main control module is further used to extract the certificate store authentication password from the authentication request and send a certificate read request containing that password to the certificate storage device through the certificate read-write interface; and, after the certificate storage device has successfully authenticated the certificate store authentication password in the received certificate read request, to receive the user certificate sent by the certificate storage device.
In the above mobile memory, the authentication request received from the file information display unit through the data transmission module contains a user name;
The main control module is further used to obtain, through the certificate read-write interface, the user certificate corresponding to the user name contained in the authentication request from the user certificates stored in the certificate storage device.
In the above mobile memory, before the obtained user certificate is authenticated,
The main control module is further used to receive the following data sent by the certificate storage device: signed data that the certificate storage device generates by signing original data with its locally stored private key corresponding to the user certificate, and the original data; and, by verifying the received signed data and original data with the public key corresponding to the user certificate, to confirm whether the certificate storage device is the legitimate owner of the user certificate. Specifically: the public key is extracted from the user certificate; the signed data sent by the certificate storage device is decrypted with that public key; the data obtained by decryption is compared with the original data that the certificate storage device sent and used for the signature; if the two are consistent, the certificate storage device is confirmed as the legitimate owner of the user certificate.
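The two checks this embodiment relies on, authenticating the user certificate against the stored issuer (root) certificate and confirming that the certificate storage device holds the matching private key, as an added Python example that is not code from the patent. It uses textbook RSA over small constructed keys purely so it runs with the standard library; the certificate layout, the names, and the choice to have the mobile memory pick fresh random original data are assumptions.

```python
import hashlib
import json
import secrets

E = 65537  # public exponent shared by every toy key below


def make_key(p: int, q: int):
    """Toy RSA key from two known primes; returns (public key, private exponent)."""
    n = p * q
    return {"n": n, "e": E}, pow(E, -1, (p - 1) * (q - 1))


def digest_int(data: bytes, n: int) -> int:
    # Toy encoding: SHA-256 reduced mod n. Real devices use PKCS#1 v1.5 or PSS padding.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, pub: dict, d: int) -> int:
    return pow(digest_int(data, pub["n"]), d, pub["n"])


def verify(data: bytes, signature: int, pub: dict) -> bool:
    # "Decrypt" the signature with the public key and compare with the data's digest.
    return pow(signature, pub["e"], pub["n"]) == digest_int(data, pub["n"])


def tbs(cert: dict) -> bytes:
    """Bytes covered by the certificate signature field (unambiguous JSON encoding)."""
    pk = cert["public_key"]
    return json.dumps([cert["subject"], cert["issuer"], pk["n"], pk["e"]]).encode()


def issue(subject, subject_pub, issuer_name, issuer_pub, issuer_d) -> dict:
    cert = {"subject": subject, "issuer": issuer_name, "public_key": subject_pub}
    cert["signature"] = sign(tbs(cert), issuer_pub, issuer_d)
    return cert


class CertificateStore:
    """Certificate storage device: holds a user certificate and a private key."""

    def __init__(self, cert, pub, d):
        self.cert, self._pub, self._d = cert, pub, d

    def sign_original_data(self, original: bytes) -> int:
        return sign(original, self._pub, self._d)


class MobileMemory:
    def __init__(self, issuer_certs):
        self.issuer_certs = issuer_certs  # issuer identification -> stored issuer certificate

    def authenticate_certificate(self, cert: dict) -> bool:
        issuer = self.issuer_certs.get(cert["issuer"])   # look up by issuer identification
        if issuer is None:
            return False                                  # unknown issuer: fail closed
        return verify(tbs(cert), cert["signature"], issuer["public_key"])

    def confirm_holder(self, store: CertificateStore, original: bytes = None) -> bool:
        # Assumption: the original data is a fresh random value per attempt,
        # so signed data captured earlier cannot be presented again.
        original = original or secrets.token_bytes(16)
        signed = store.sign_original_data(original)
        return verify(original, signed, store.cert["public_key"])

    def login(self, store: CertificateStore) -> bool:
        # Holder confirmation comes before certificate authentication, as in the text.
        return self.confirm_holder(store) and self.authenticate_certificate(store.cert)


# Constructed keys from known Mersenne primes (far too small for real use).
ROOT_PUB, ROOT_D = make_key(2**127 - 1, 2**107 - 1)
ALICE_PUB, ALICE_D = make_key(2**89 - 1, 2**61 - 1)
OTHER_PUB, OTHER_D = make_key(2**61 - 1, 2**31 - 1)
ROOT_CERT = issue("Example Root", ROOT_PUB, "Example Root", ROOT_PUB, ROOT_D)
ALICE_CERT = issue("alice", ALICE_PUB, "Example Root", ROOT_PUB, ROOT_D)
DEVICE = MobileMemory({"Example Root": ROOT_CERT})
```

Neither check is sufficient alone: a store holding a copy of a valid certificate without its private key fails holder confirmation, while a store holding a self-made certificate and its own key passes holder confirmation but fails certificate authentication.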
In the above mobile memory, after the obtained user certificate has been successfully authenticated,
The main control module is further used to take the access rights information corresponding to the user, as stored in the memory module, as the current access rights.
In the above mobile memory, before the file information display unit sends the file information browse request,
The main control module is further used to perform key agreement with the file information display unit to obtain a transmission security key used to encrypt and decrypt the file information.
In the above mobile memory, after the file information browse request sent by the file information display unit is received,
The main control module is further used to analyze the file information browse request and judge whether the current access rights allow the corresponding file access operation; if they do, it performs the corresponding file access operation; if they do not, it returns to the file information display unit a response message forbidding the corresponding file access operation.
In the above mobile memory, after the current access rights are judged to allow the corresponding file access operation,
The main control module is further used to judge whether the current file access operation requires password authentication and, if so, to send a password authentication request to the file information display unit; after the file information display unit has received the password authentication request, to receive the password authentication reply returned by the file information display unit, the reply containing the corresponding file operation password entered by the user through the file information display unit; and to authenticate the file operation password contained in the password authentication reply and, only after authentication passes, extract the file information corresponding to the file information browse request and send it to the file information display unit for display.
In the above mobile memory, when the extracted file information corresponding to the file information browse request is sent to the file information display unit for display,
The main control module is further used to encrypt the extracted file information corresponding to the file information browse request with the preset transmission security key, or with the transmission security key negotiated with the file information display unit, before sending it to the file information display unit.
First system embodiment
Fig. 3 is a schematic diagram of the access control system for a mobile memory of the present invention. As shown in Fig. 3, the system comprises a mobile memory, a file information display unit and a certificate storage device, wherein the mobile memory is the mobile memory provided in the first device embodiment above;
The mobile memory and the file information display unit are connected to each other, and the certificate storage device is connected to the certificate read-write interface of the mobile memory.
The above is only a preferred embodiment of the present invention, but the protection scope of the present invention is not limited to it. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. The protection scope of the present invention shall therefore be determined by the protection scope of the claims.

Claims (18)

1. An access control method for a mobile memory, characterized in that the method comprises the following steps:
The mobile memory is connected to a file information display unit and, after connection, receives the authentication request sent by the file information display unit;
After receiving the authentication request, the mobile memory obtains a user certificate from the user certificates stored in a certificate storage device through a certificate read-write interface;
The mobile memory authenticates the obtained user certificate with a pre-stored root certificate; after authentication succeeds, the mobile memory receives the file information browse request sent by the connected file information display unit, extracts the file information corresponding to that request, and sends it to the file information display unit for display;
Wherein the authentication request contains a certificate store authentication password;
The mobile memory obtains the user certificate from the user certificates stored in the certificate storage device through the certificate read-write interface in the following manner:
The mobile memory extracts the certificate store authentication password from the authentication request and sends a certificate read request containing that password to the certificate storage device through the certificate read-write interface;
After successfully authenticating the certificate store authentication password in the received certificate read request, the certificate storage device sends the user certificate to the mobile memory through the certificate read-write interface;
Wherein the mobile memory authenticating the obtained user certificate with the pre-stored root certificate comprises:
The mobile memory reads the issuer identification information in the user certificate and obtains the corresponding issuer certificate according to the issuer identification information;
The mobile memory reads that certificate's public key from the issuer certificate;
The mobile memory uses the public key it has read to verify the certificate signature field of the user certificate; if signature verification succeeds, certificate authentication has succeeded; otherwise certificate authentication has failed.
2. The access control method for a mobile memory according to claim 1, characterized in that,
The authentication request contains a user name;
The user certificate that the mobile memory obtains from the certificate storage device through the certificate read-write interface is the user certificate corresponding to the user name contained in the authentication request.
3. The access control method for a mobile memory according to claim 2, characterized in that,
The mobile memory obtains the user certificate corresponding to the user name in the authentication request from the certificate storage device in the following manner:
The mobile memory reads the user certificate corresponding to the user name from the certificate storage device; or the mobile memory reads all user certificates stored in the certificate storage device into the mobile memory and selects the corresponding user certificate by user name.
4. The access control method for a mobile memory according to claim 2, characterized in that,
After the mobile memory has successfully authenticated the obtained user certificate, the method further comprises:
The mobile memory takes the locally stored access rights information corresponding to the user as the current access rights.
5. The access control method for a mobile memory according to claim 1, characterized in that,
Before authenticating the obtained user certificate, the mobile memory also verifies the legitimacy of the certificate storage device in the following manner:
It receives the following data sent by the certificate storage device: signed data that the certificate storage device generates by signing original data with its locally stored private key corresponding to the user certificate, and the original data;
By verifying the received signed data and original data with the public key corresponding to the user certificate, the mobile memory confirms whether the certificate storage device is the legitimate owner of the user certificate.
6. The access control method for a mobile memory according to claim 1, characterized in that,
Before the file information display unit sends the file information browse request, the method further comprises the following step:
The mobile memory and the file information display unit perform key agreement to obtain a transmission security key used to encrypt and decrypt the file information.
7. The access control method for a mobile memory according to claim 1, characterized in that,
After the mobile memory receives the file information browse request sent by the file information display unit, the method further comprises the following step:
The mobile memory analyzes the file information browse request and judges whether the current access rights allow the corresponding file access operation; if they do, it performs the corresponding file access operation; if they do not, it returns to the file information display unit a response message forbidding the corresponding file access operation.
8. The access control method for a mobile memory according to claim 7, characterized in that,
After the mobile memory judges that the current access rights allow the corresponding file access operation, the method further comprises the following steps:
The mobile memory judges whether the current file access operation requires password authentication and, if so, sends a password authentication request to the file information display unit;
The mobile memory receives the password authentication reply returned by the file information display unit; the password authentication reply contains the corresponding file operation password entered by the user through the file information display unit;
The mobile memory authenticates the file operation password contained in the password authentication reply and, only after authentication passes, performs the operation of extracting the file information corresponding to the file information browse request and sending it to the file information display unit for display.
9. The access control method for a mobile memory according to claim 1 or 6, characterized in that,
The mobile memory sends the extracted file information corresponding to the file information browse request to the file information display unit for display in the following manner:
The mobile memory encrypts the extracted file information corresponding to the file information browse request with the preset transmission security key, or with the transmission security key negotiated with the file information display unit, and then sends it to the file information display unit;
After receiving the file information, the file information display unit decrypts it with the transmission security key and shows the decrypted file information on the display screen.
10. A mobile memory, characterized in that the mobile memory comprises:
A main control module, a data transmission module, a memory module and a certificate read-write interface; wherein,
The data transmission module is connected to the main control module and is used to connect an external file information display unit, so that data can be transferred between the main control module and the file information display unit;
The memory module is connected to the main control module and stores the file information that the main control module extracts, together with the root certificate used to authenticate user certificates;
The certificate read-write interface is connected to the main control module and is used to connect a certificate storage device, so that the main control module can obtain a user certificate from the user certificates stored in the certificate storage device;
The main control module is connected to the data transmission module, the certificate read-write interface and the memory module. It obtains a user certificate from the user certificates stored in the certificate storage device through the certificate read-write interface; it authenticates the obtained user certificate with the root certificate extracted from the memory module; after authentication succeeds, it receives the file information browse request that the connected file information display unit inputs through the data transmission module, extracts the file information corresponding to that request from the memory module, and sends it through the data transmission module to the file information display unit for display;
Before the main control module obtains the user certificate from the user certificates stored in the certificate storage device through the certificate read-write interface, the main control module is further used to receive the authentication request input through the data transmission module by the file information display unit after connection;
Wherein the authentication request received from the file information display unit through the data transmission module contains a certificate store authentication password;
The main control module is further used to extract the certificate store authentication password from the authentication request and send a certificate read request containing that password to the certificate storage device through the certificate read-write interface; and, after the certificate storage device has successfully authenticated the certificate store authentication password in the received certificate read request, to receive the user certificate sent by the certificate storage device;
Wherein the main control module authenticating the obtained user certificate with the root certificate extracted from the memory module comprises:
The main control module reads the issuer identification information in the user certificate and obtains the corresponding issuer certificate according to the issuer identification information;
The main control module reads that certificate's public key from the issuer certificate;
The main control module uses the public key it has read to verify the certificate signature field of the user certificate; if signature verification succeeds, certificate authentication has succeeded; otherwise certificate authentication has failed.
11. The mobile memory according to claim 10, characterized in that,
The authentication request received from the file information display unit through the data transmission module contains a user name;
The main control module is further used to obtain, through the certificate read-write interface, the user certificate corresponding to the user name contained in the authentication request from the user certificates stored in the certificate storage device.
12. The mobile memory according to claim 10, characterized in that,
Before the obtained user certificate is authenticated,
The main control module is further used to receive the following data sent by the certificate storage device: signed data that the certificate storage device generates by signing original data with its locally stored private key corresponding to the user certificate, and the original data; and, by verifying the received signed data and original data with the public key corresponding to the user certificate, to confirm whether the certificate storage device is the legitimate owner of the user certificate.
13. The mobile memory according to claim 11, characterized in that,
After the obtained user certificate has been successfully authenticated,
The main control module is further used to take the access rights information corresponding to the user, as stored in the memory module, as the current access rights.
14. The mobile memory according to claim 10, characterized in that,
Before the file information display unit sends the file information browse request,
The main control module is further used to perform key agreement with the file information display unit to obtain a transmission security key used to encrypt and decrypt the file information.
15. The mobile memory according to claim 10, characterized in that,
After the file information browse request sent by the file information display unit is received,
The main control module is further used to analyze the file information browse request and judge whether the current access rights allow the corresponding file access operation; if they do, it performs the corresponding file access operation; if they do not, it returns to the file information display unit a response message forbidding the corresponding file access operation.
16. The mobile memory according to claim 15, characterized in that,
After the current access rights are judged to allow the corresponding file access operation,
The main control module is further used to judge whether the current file access operation requires password authentication and, if so, to send a password authentication request to the file information display unit; after the file information display unit has received the password authentication request, to receive the password authentication reply returned by the file information display unit, the reply containing the corresponding file operation password entered by the user through the file information display unit; and to authenticate the file operation password contained in the password authentication reply and, only after authentication passes, extract the file information corresponding to the file information browse request and send it to the file information display unit for display.
17. The mobile memory according to claim 10 or 14, characterized in that,
When the extracted file information corresponding to the file information browse request is sent to the file information display unit for display,
The main control module is further used to encrypt the extracted file information corresponding to the file information browse request with the preset transmission security key, or with the transmission security key negotiated with the file information display unit, before sending it to the file information display unit.
18. An access control system for a mobile memory, characterized in that the system comprises:
A mobile memory and a file information display unit connected to each other, wherein the mobile memory is the mobile memory according to any one of claims 10 to 17; and a certificate storage device connected to the certificate read-write interface of the mobile memory.
CN201110337782.4A 2011-10-31 2011-10-31 Access control method of mobile memory, mobile memory and system Active CN102368773B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110337782.4A CN102368773B (en) 2011-10-31 2011-10-31 Access control method of mobile memory, mobile memory and system


Publications (2)

Publication Number Publication Date
CN102368773A CN102368773A (en) 2012-03-07
CN102368773B true CN102368773B (en) 2014-04-09


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent for invention or patent application
CB02 Change of applicant information

Address after: 102211 Beijing city Changping District Baishan town 100 Ge Road No. 9 Building No. 2 hospital

Applicant after: Tendyron Technology Co., Ltd.

Address before: 100083, B, block 17, golden building, No. 1810 Qinghua East Road, Beijing, Haidian District

Applicant before: Beijing Tendyron Technology Co., Ltd.

C14 Grant of patent or utility model
GR01 Patent grant