CN102426555A - Mobile memory, and access control method and system thereof - Google Patents
Mobile memory, and access control method and system thereof Download PDFInfo
- Publication number
- CN102426555A CN102426555A CN2011103378545A CN201110337854A CN102426555A CN 102426555 A CN102426555 A CN 102426555A CN 2011103378545 A CN2011103378545 A CN 2011103378545A CN 201110337854 A CN201110337854 A CN 201110337854A CN 102426555 A CN102426555 A CN 102426555A
- Authority
- CN
- China
- Prior art keywords
- authentication
- predefined
- mobile memory
- type
- current
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The invention discloses a mobile memory, and an access control method and system thereof. The access control method of the mobile memory comprises the following steps: receiving multiple authentication types of authentication requests by a mobile memory, and carrying out authentication; and when the mobile memory determines that N types of preset authentication have been passed currently, allowing to carry out the preset file access operation on the mobile memory, wherein N is a whole number greater than or equal to 2. When the mobile memory determines that N types of preset authentication have been passed currently, the preset file access operation on the mobile memory is allowed, thereby enhancing the file access operation security.
Description
Technical field
The present invention relates to field of information security technology, relate in particular to the access control method and the system of a kind of mobile memory, mobile memory.
Background technology
Along with mobile memory, especially to popularize for the rapid of the mobile memory of interface (being designated hereinafter simply as USB flash disk) with USB (Universal Serial Bus, USB), the safety of files problem that is stored in the USB flash disk receives publicity day by day.
In order to strengthen the security of USB flash disk, can be applied to fields such as military affairs, finance, commerce gradually to the safe U disc that the file access operation of USB flash disk is controlled.
Safe U disc conduct interviews control ultimate principle be; The user is before conducting interviews to the file in the safe U disc; Need send authenticate password (being designated hereinafter simply as password) to safe U disc through terminal; Safe U disc carries out authentication to password, authentication through after just allow the user safe U disc to be carried out operations such as file read-write.
But existing safe U disc only carries out authentication through the authenticate password of static state to the user, has the relatively poor defective of security.
Summary of the invention
The access control method and the system that the purpose of this invention is to provide a kind of mobile memory, mobile memory, the security of raising file access.
The objective of the invention is to realize through following technical scheme:
A kind of access control method of mobile memory comprises:
Mobile memory receives the authentication request of multiple auth type, and carries out authentication;
When said mobile memory is judged current authentication through predefined N type, allow that said mobile memory is carried out predefined file access and operate;
Said N is the integer more than or equal to 2.
A kind of mobile memory comprises authentication ' unit and access control unit, wherein:
Said authentication ' unit is used to receive the authentication request of multiple auth type, and carries out authentication;
Said access control unit is used for when judging current authentication through predefined N type, allowing that said mobile memory is carried out predefined file access and operating, and said N is the integer more than or equal to 2.
A kind of access control system of mobile memory comprises display device and mobile memory, wherein:
Said display device, the authentication request that is used to send multiple auth type is to said mobile memory;
Said mobile memory; Be used to receive the authentication request of the multiple auth type that said display device sends; And carry out authentication; When said mobile memory is judged current authentication through predefined N type, allow that said mobile memory is carried out predefined file access and operate, said N is the integer more than or equal to 2.
Technical scheme by the invention described above provides can be found out; The mobile memory that the embodiment of the invention provides, the access control method of mobile memory and system; When judging current authentication through predefined N type when mobile memory; Permission is carried out predefined file access operation to mobile memory, improves the security of file access operation.
Description of drawings
In order to be illustrated more clearly in the technical scheme of the embodiment of the invention; The accompanying drawing of required use is done to introduce simply in will describing embodiment below; Obviously, the accompanying drawing in describing below only is some embodiments of the present invention, for those of ordinary skill in the art; Under the prerequisite of not paying creative work, can also obtain other accompanying drawings according to these accompanying drawings.
The schematic flow sheet of the access control method of the mobile memory that Fig. 1 provides for the embodiment of the invention.
The formation synoptic diagram one of the mobile memory that Fig. 2 provides for the embodiment of the invention.
The formation synoptic diagram two of the mobile memory that Fig. 3 provides for the embodiment of the invention.
The formation synoptic diagram of the access control system of the mobile memory that Fig. 4 provides for the embodiment of the invention.
The application scenarios schematic flow sheet one of the access control method of the mobile memory that Fig. 5 provides for the embodiment of the invention.
The application scenarios schematic flow sheet two of the access control method of the mobile memory that Fig. 6 provides for the embodiment of the invention.
The application scenarios schematic flow sheet three of the access control method of the mobile memory that Fig. 7 provides for the embodiment of the invention.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the invention, the technical scheme in the embodiment of the invention is carried out clear, intactly description, obviously, described embodiment only is the present invention's part embodiment, rather than whole embodiment.Based on embodiments of the invention, those of ordinary skills belong to protection scope of the present invention not making the every other embodiment that is obtained under the creative work prerequisite.
To combine accompanying drawing that the embodiment of the invention is done to describe in detail further below.
As shown in Figure 1, the embodiment of the invention provides a kind of access control method of mobile memory, comprising:
11, mobile memory receives the authentication request of multiple auth type, and carries out authentication.
12, when mobile memory is judged current authentication through predefined N type, allow that mobile memory is carried out predefined file access and operate, said N is the integer more than or equal to 2.
In the access control method of embodiment of the invention mobile memory, the authentication request that mobile memory can receiving and displaying device sends, above-mentioned display device can comprise personal computer or special-purpose fileinfo display device etc.
Technical scheme by the invention described above provides can be found out; When judging current authentication through predefined N type when mobile memory; Permission is carried out predefined file access operation to mobile memory, improves the security of file access operation.
Optional, above-mentioned auth type can comprise: static password authentication, dynamic password authentication or certificate verification etc.
Optional, mobile memory can adopt following mode to judge the current whether authentication through predefined N type in the above-mentioned steps 12:
Judge whether the pairing auth type number of the current authentication of having passed through equals N, if then judge the authentication of having passed through predefined N kind auth type.
Exemplary; Auth type comprises static password authentication, dynamic password authentication or certificate verification; N equals at 2 o'clock; Judgement is current in the above-mentioned steps 12 then judges the authentication of having passed through predefined 2 kinds of auth types through after the authentication any 2 types in static password authentication, dynamic password authentication or the certificate verification, can carry out the file access operation to mobile memory.
Perhaps, optional, mobile memory can adopt following mode to judge the current whether authentication through predefined N kind auth type in the above-mentioned steps 12:
Judge whether the pairing auth type of the current authentication of having passed through is consistent with predefined N kind auth type, if then judge the authentication of having passed through predefined N kind auth type.
Exemplary; Auth type comprises static password authentication, dynamic password authentication or certificate verification; Predefined 2 kinds of auth types are: when static password authentication and certificate verification; After judging current authentication through 2 types of static password authentication and certificate verifications in the above-mentioned steps 12, then judge the authentication of having passed through predefined 2 kinds of auth types, can carry out file access to mobile memory and operate.
Perhaps, optional, mobile memory can adopt following mode to judge the current whether authentication through predefined N kind auth type in the above-mentioned steps 12:
Judge in the pairing auth type of the current authentication of having passed through and whether comprise predefined safety condition authentication; If; Then judge the authentication passed through predefined N kind auth type, said safety condition authentication belongs to a kind of in the said N kind auth type.
And comprise in the precondition through said safety condition authentication: through the preposition authentication of N-1 kind, said preposition authentication belongs to a kind of in the said N kind auth type.
Exemplary; Auth type comprises static password authentication, dynamic password authentication or certificate verification, and N equals 2, and preposition authentication is a static password authentication; When the safety condition authentication is certificate verification; Judge in the above-mentioned steps 12 in the pairing auth type of the current authentication of having passed through to comprise certificate verification, and mobile memory passes through the precondition of certificate verification, promptly passed through static password authentication; Then judge the authentication of having passed through predefined 2 kinds of auth types, can carry out the file access operation mobile memory.
Perhaps, optional, mobile memory can adopt following mode to judge the current whether authentication through predefined N kind auth type in the above-mentioned steps 12:
Whether judge the pairing state value sum of the current dissimilar authentication of having passed through more than or equal to predefined safety certification conditional value X, if then judge the authentication of having passed through predefined N kind auth type;
Wherein, mobile memory can adopt following mode to set through the pairing state value of various types of authentications:
Through the pairing state value sum of any M type authentication less than X, M<N wherein; And the pairing state value sum of authentication through any N kind or predefined N type is more than or equal to X.
Exemplary, auth type comprises static password authentication, dynamic password authentication or certificate verification etc., and N equals 3, and predefined safety certification conditional value X equals at 3 o'clock.If the state value of static password authentication equals 1; The state value of dynamic password authentication equals 1; The state value of certificate verification equals at 1 o'clock, equals X (being 1+1+1=3) through the pairing state value sum of the authentication of 3 kinds of predefined static password authentication, dynamic password authentication and certificate verifications, and M=2 is (during M<N); Less than X (being 1+1=2<3), then judge the authentication of having passed through predefined N kind auth type through 2 kinds of pairing state value sums of authentication;
If the state value of static password authentication equals 2; The state value of dynamic password authentication equals 1, and the state value of certificate verification equals 1, though; Through the pairing state value sum of the authentication of 3 kinds of predefined static password authentication, dynamic password authentication and certificate verifications greater than X (being 2+1+1=4>3); But during M=2, the pairing state value sum of authentication through 2 kinds of predefined static password authentication and dynamic password authentication or static password authentication and certificate verification equals X (being 1+2=3); The pairing state value sum of authentication that does not satisfy M type then is no judge of the authentication of having passed through predefined N kind auth type less than X.
Optional, the access control method of embodiment of the invention mobile memory, predefined file access operation can be current file access authority pairing file access operation in the above-mentioned steps 12;
Wherein, current file access authority is the current pairing file access authority of the highest level of security;
The highest current level of security is: the level of security that the mxm. in the current N that passes through type the pairing level of security of authentication is corresponding.
Perhaps, optional, the access control method of embodiment of the invention mobile memory, predefined file access operation can be current file access authority pairing file access operation in the above-mentioned steps 12;
Wherein, current file access authority is the union of the current N that passes through type authentication difference corresponding file access rights.
As shown in Figure 2, corresponding to the access control method of the mobile memory of the foregoing description, the embodiment of the invention provides a kind of mobile memory, comprises authentication ' unit 21 and access control unit 22:
Authentication ' unit 21 is used to receive the authentication request of multiple auth type, and carries out authentication.
Technical scheme by the invention described above provides can be found out; When judging current authentication through predefined N type when mobile memory; Permission is carried out predefined file access operation to mobile memory, improves the security of file access operation.
Optional, auth type can comprise: static password authentication, dynamic password authentication or certificate verification etc.
Optional, above-mentioned access control unit 22 can be used to specifically judge whether the pairing auth type number of the current authentication of having passed through equals N, if then judge the authentication of having passed through predefined N kind auth type.
Perhaps; Optional, above-mentioned access control unit 22 can be used to specifically judge whether the pairing auth type of the current authentication of having passed through is consistent with predefined N kind auth type; If then judge the authentication of having passed through predefined N kind auth type.
Perhaps; Optional; Above-mentioned access control unit 22 can be used for specifically judging whether the pairing auth type of the current authentication of having passed through comprises predefined safety condition authentication, if; Then judge the authentication of having passed through predefined N kind auth type; Said safety condition authentication belongs to a kind of in the said N kind auth type, comprises in the precondition through said safety condition authentication: through the preposition authentication of N-1 kind, said preposition authentication belongs to a kind of in the said N kind auth type.
Perhaps; Optional, above-mentioned access control unit 22 can be used to specifically judge that whether the pairing state value sum of the current dissimilar authentication of having passed through is more than or equal to predefined safety certification conditional value X; If; Then judge the authentication of having passed through predefined N kind auth type, wherein, said mobile memory adopts following mode to set through the pairing state value of various types of authentications; Through the pairing state value sum of any M type authentication less than X, M<N wherein; The pairing state value sum of authentication through any N kind or predefined N type is more than or equal to X.
Optional, above-mentioned predefined file access operation can be current file access authority pairing file access operation;
Wherein, said current file access authority is the current pairing file access authority of the highest level of security;
Said the highest current level of security is: the level of security that the mxm. in the pairing level of security of authentication of current said N type of passing through is corresponding.
Perhaps, optional, above-mentioned predefined file access operation can be current file access authority pairing file access operation;
Wherein, the said current file access authority authentication that is current said N type of passing through the union of corresponding file access rights respectively.
As shown in Figure 3, embodiment of the invention mobile memory can also comprise:
Preset unit 31; Be used for being provided with in advance N type authentication; N is the integer more than or equal to 2; Safety condition authentication and preposition authentication are set in advance, safety certification conditional value X and N type the pairing state value of authentication is set in advance, at least a in the predefined file access operation.
Embodiment of the invention mobile memory is corresponding with the access control method of the foregoing description mobile memory, and therefore, the similar content that relates to can be able to reference to the access control method of the foregoing description mobile memory understand, and repeats no more at this.
As shown in Figure 4, the embodiment of the invention provides a kind of access control system of mobile memory, comprises display device 41 and mobile memory 42:
In the access control system of embodiment of the invention mobile memory, the authentication request that mobile memory can receiving and displaying device sends, above-mentioned display device can comprise personal computer or special-purpose fileinfo display device etc.
Technical scheme by the invention described above provides can be found out; When judging current authentication through predefined N type when mobile memory; Permission is carried out predefined file access operation to mobile memory, improves the security of file access operation.
Mobile memory repeats no more at this to be able to understanding with reference to the foregoing description mobile memory in the access control system of embodiment of the invention mobile memory.
The first method embodiment
As shown in Figure 5, in the present embodiment, the authentication of the each type that the mobile memory recording user passes through; After the user initiates the file access operation requests; Mobile memory scanning user's authentication state when satisfying predetermined conditions, allows it to carry out corresponding file access operation.
The method of present embodiment comprises the steps:
51, mobile memory is with after display device is connected, and display device explicit user authentication interface is carried out the selection of auth type with the prompting user, and input or select corresponding password or certificate.
Above-mentioned display device can be personal computer or special-purpose fileinfo display device.
52, behind the selected auth type of user, send authentication request to mobile memory.
The auth type that the user can select comprises: static password authentication, dynamic password authentication, certificate verification.
If the selection static password authentication, the user should input user name and static password usually, wherein user's option by name; If the selection dynamic password authentication, the dynamic password that the user should input user name and obtain through token device usually, token device is like, OTP (One-Time password, dynamic password) token, wherein user's option by name; If the user selects certificate verification, the user should input user name usually, and selects corresponding user certificate, wherein user's option by name.
Difference according to the auth type that adopts can comprise in the above-mentioned authentication request: the certificate of static password or dynamic password or this display device.
Alternatively, can also comprise user name in the above-mentioned authentication request.
Above-mentioned static password can be provided with by the managerial personnel or the user of mobile memory in advance; Display device can read acquisition from its built-in or external memory module; Perhaps import acquisition, and it is included in sends to mobile memory in the authentication request through the user.
Above-mentioned dynamic password can be obtained through special-purpose token device by the user, and input and display device, and the dynamic password that display device is imported the user is included in and sends to mobile memory in the authentication request.
Above-mentioned display device certificate can read acquisition by display device from its built-in or external memory module, and is sent to mobile memory.
Above-mentioned external memory module can be storage card, smart card, SIM (Subscriber Identity Module, client identification module) card etc.
In addition, can also comprise the auth type indication field in the above-mentioned authentication request, be used to identify the auth type of current employing.
53, after mobile memory receives the authentication request of display device transmission, carry out the identification of auth type.
If adopt the authentication of static password mode, then jump to step 54; If adopt the authentication of dynamic password mode, then jump to step 55, if adopt the authentication of certificate mode, then jump to step 56.
Mobile memory can be discerned the auth type of current employing through the auth type indication field in the authentication request.
If 54 adopt the authentication of static password mode, mobile memory compares the static password of storing in the static password that comprises in the authentication request and its secure storage areas, if be complementary, then shows the static password authentication success; Otherwise show the static password authentication failure; Mobile memory record static password authentication state.
Above-mentioned static password authentication state can be: static password authentication success or static password authentication failure.The original state of above-mentioned authentication state can be: do not carry out the failure of static password authentication or static password authentication.
If comprise user name in the authentication request, then mobile memory can obtain corresponding static password according to user name and compares from secure storage areas; If do not comprise user name in the authentication request; Then mobile memory can obtain a plurality of effective static passwords from secure storage areas; And respectively with authentication request in the static password that comprises compare; As long as the static password coupling that comprises in the static password that from secure storage areas, obtains and the authentication request shows that then static password authentication successfully.
Above-mentioned effective static password is meant, at least with a level of security or with the corresponding static password of file access authority.
If 55 adopt the authentications of dynamic password mode, mobile memory compares the dynamic password that comprises in the present dynamic password of its generation and the authentication request, if both couplings show that then dynamic password authentication successfully; Otherwise show the dynamic password authentication failure; Mobile memory record dynamic password authentication state.
Above-mentioned dynamic password authentication state can be: dynamic password authentication success or dynamic password authentication failure.The original state of above-mentioned authentication state can be: do not carry out the failure of dynamic password authentication or dynamic password authentication.
In order to support dynamic password authentication; Mobile memory as the dynamic password server (for example; The OTP server), one or more dynamic password makers need be set therein, each dynamic password maker can be corresponding with one or more tokens (or user).
When being provided with a plurality of dynamic password maker in the mobile memory; The user obtains the present dynamic password through token; Input and display device; And with dynamic password be included in send to mobile memory in the authentication request after, as long as the dynamic password that comprises is complementary with the dynamic password that one of them dynamic password maker generates in the authentication request, show that then dynamic password authentication is successfully.
In addition; In mobile memory, be provided with a plurality of dynamic password makers; Each dynamic password maker is corresponding with a user, and when comprising user name in the authentication request, the user obtains the present dynamic password through token; With user name and this dynamic password input and display device in the lump; And with user name and this dynamic password be included in send to mobile memory in the authentication request after, mobile memory can obtain the dynamic password that generates with the corresponding dynamic password maker of this user name according to the user name that comprises in the authentication request, through with its with authentication request in the dynamic password that comprises compare and carry out the authentication of dynamic password.
If 56 adopt the authentications of certificate mode, after mobile memory receives the authentication request that display device sends, the certificate that wherein comprises (below be called the display device certificate) is carried out authentication, and record certificate verification state;
Above-mentioned certificate verification state can be: certificate verification success or certificate verification failure.The original state of above-mentioned authentication state can be: do not carry out certificate verification or certificate verification failure.
Above-mentioned certificate verification process can be divided into following substep, comprising:
561, the issuer identification information in the mobile memory reading displayed device certificate, and obtain corresponding issuer certificate according to this information.
562, mobile memory reads the PKI of this certificate from the issuer certificate.
563, mobile memory uses above-mentioned PKI that the certificate signature field of display device certificate is verified, shows the certificate verification success if signature verification is successful, otherwise shows the certificate verification failure.
Obviously; In order to support the authentication of certificate mode, need storage one or more certificates (issuer certificate) in the mobile memory, corresponding believable CA (the Certificate Authority of each root certificate; Authentication center), the display device certificate is issued by above-mentioned CA.
57, behind this authentication success, mobile memory is checked the authentication state of predefined auth type, if satisfy predefined safety certification condition, then current state is designated safe condition, allows to carry out corresponding file access operation; If do not satisfy, then jump to step 52.
Above-mentioned safety certification condition can be one of following condition:
Condition one: it is predefined greater than 1 integer that N is counted in the authentication through N type, auth type.
For example: the value that predefined auth type is counted N is 2, and the user satisfies the safety certification condition after through any two types authentication.
Condition two: the authentication through a plurality of predefined types.
For example, predefined auth type is: static password authentication and certificate verification, then have only through just satisfying the safety certification condition after the above-mentioned two types authentication.
58, the file access authority that this user is current is confirmed in polytype authentication of passing through according to the user.
Can adopt one of following mode to confirm the current file access authority of user:
(1) mode one: the corresponding different security rank of different auth types, and the corresponding different files access rights of different security rank; Level of security the highest in the various auth types that the user has been passed through is as current level of security; With the pairing file access authority of current level of security as the current file access authority of user.
In the present embodiment, level of security can be respectively from low to high:
The pairing rudimentary level of security of static password authentication;
The pairing intermediate level of security of dynamic password authentication;
The pairing advanced security rank of certificate verification.
In the present embodiment, the corresponding different files access rights of different security rank.The file access authority can comprise different files action type and/or file access operand.
The file access action type can comprise: file attribute information is browsed, and reads file, revised file, and deleted file is created file, creates file, deleted file folder etc.
Above-mentioned file attribute information is browsed and also can be called browser document folder operation, is meant that file attribute informations such as file/Folder Name to the file or folder that is comprised in a certain disk partition or the file, file type, date created, modification date browse.
The file access operand can be divided into: disk partition, file, file.
For example:
When level of security when being senior, can carry out all accessing operations to the All Files in all catalogues (file) of all subregions; Promptly can carry out all types of file access operations to all file access operands;
When level of security is when middle rank, can the All Files in all subregion/catalogues (file) be read, retouching operation, and can create accessing operations such as file, browser document folder; But do not allow to carry out operations such as deleted file, deleted file folder; Promptly can carry out the file access operation of part type to all files accessing operation object;
When level of security when being rudimentary, can carry out read operation to all or part of file in part subregion/catalogue (file), and can carry out accessing operations such as browser document folder; But do not allow the file of making amendment, deleted file, operations such as deleted file folder; Promptly can carry out the file access operation of part type to partial document accessing operation object.
Perhaps, (2) mode two: the corresponding different files access rights of different auth type, the union of the pairing file access authority of dissimilar authentications that the user has been passed through is as the current file access authority of user.
For example, static password authentication corresponding file access rights comprise: file A is carried out the operation that file was browsed, read to file attribute information; Certificate verification corresponding file access rights comprise: file B is carried out all file access operations; Then the current file access authority of user is operated for file A being carried out above-mentioned specific file access, and file B is carried out all file access operations.
59, mobile memory waits for that the user sends the file access operation requests through display device to mobile memory.
510; After mobile memory receives the file access operation requests of display device transmission; This request is analyzed; Obtain to ask pairing file access action type and file access operand, and judge whether to allow to carry out the request of this document accessing operation according to the current file access authority of user; If allow, then execution in step 511; If do not allow, then execution in step 512.
511, if allow the request of execute file accessing operation, mobile memory is carried out the corresponding file accessing operation, and to display device backspace file access result (for example, returning corresponding file data etc.), and jump to step 59.
512, if do not allow the request of execute file accessing operation, mobile memory returns the response message of forbidding carrying out the corresponding file accessing operation to display device, and jumps to step 59.
Technical scheme by the invention described above provides can be found out; Adopt polytype authentication that user's file access operation is controlled simultaneously through mobile memory; Only after the user has passed through polytype authentication; Just allow it to carry out corresponding file access operation, the security that improves the visit mobile memory.
The second method embodiment
As shown in Figure 6, in the present embodiment, for through a certain preset auth type (note is done the safety condition authentication), and the required precondition of authentication that will carry out the type is set at the auth type of presetting through another (preposition authentication) with the safety certification condition enactment; Mobile memory judges whether to carry out the safety condition authentication through preposition auth type through judging whether; And whether judge whether to satisfy the safety certification condition through the safety condition authentication through judges.That is to say that in the present embodiment, the user must just can carry out the file read-write operation through the authentication of specified type in regular turn.
Below be that preposition authentication, certificate verification are that the safety condition authentication is that example describes with static password.
61, mobile memory is with after display device is connected, and display device explicit user authentication interface is carried out the selection of auth type with the prompting user, and input or select corresponding password or certificate.
62, behind the selected auth type of user, send authentication request to mobile memory.
The auth type that the user can select comprises: static password authentication, dynamic password authentication, certificate verification.
63, after mobile memory receives the authentication request of display device transmission, carry out the identification of auth type.
If adopt the authentication of static password mode, then jump to step 64; If adopt the authentication of dynamic password mode, then jump to step 65, if adopt the authentication of certificate mode, then jump to step 66.
If 64 adopt the authentication of static password mode, mobile memory compares the static password of storing in the static password that comprises in the authentication request and its secure storage areas, if be complementary, then shows the static password authentication success; Otherwise show the static password authentication failure; Mobile memory record static password authentication state.
Above-mentioned static password authentication state can be: static password authentication success or static password authentication failure.The original state of above-mentioned authentication state can be: do not carry out the failure of static password authentication or static password authentication.
If 65 adopt the authentication of dynamic password mode, mobile memory is to the information of display device return authentication type error.
If 66 adopt the authentications of certificate mode, whether the mobile memory judges through preposition authentication (being static password authentication), if not through preposition authentication, then to the information of display device return authentication type error; If through preposition authentication, then the certificate that comprises in the authentication request that receives (below be called the display device certificate) is carried out authentication, and record certificate verification state.
Above-mentioned certificate verification state can be: certificate verification success or certificate verification failure.The original state of above-mentioned authentication state can be: do not carry out certificate verification or certificate verification failure.
67, behind this authentication success, mobile memory judges whether to satisfy safety certification condition (promptly whether through certificate verification), if satisfy the safety certification condition, then current state is designated safe condition, allows to carry out corresponding file access operation; If do not satisfy, then jump to step 62.
68, confirm this user's file access authority according to predefined authority information.
69, mobile memory waits for that the user sends the file access operation requests through display device to mobile memory.
610, after mobile memory receives the file access operation requests of display device transmission; This request is analyzed; Obtain to ask pairing file access action type and file access operand, and judge whether to allow to carry out the request of this document accessing operation according to the current file access authority of user; If allow, then execution in step 611; If do not allow, then execution in step 612.
If 611 allow the request of execute file accessing operation, mobile memory is carried out the corresponding file accessing operation, and to display device backspace file access result (for example, returning corresponding file data etc.), and jump to step 609.
If 612 do not allow the request of execute file accessing operation, mobile memory returns the response message of forbidding carrying out the corresponding file accessing operation to display device, and jumps to step 609.
Optional, this second embodiment also has multiple mapping mode, as:
(1) mode one: preposition authentication can be one of polytype authentication mode, and for example, preposition authentication can be static password authentication or dynamic password authentication;
(2) mode two: also entry condition can be set to preposition authentication; This entry condition can be the authentication of another kind of type; For example; The safety condition authentication is certificate verification, and the entry condition of safety condition authentication is through dynamic password authentication, and the entry condition of dynamic password authentication is for passing through static password authentication.
Technical scheme by the invention described above provides can be found out; Adopt polytype authentication that user's file access operation is controlled simultaneously through mobile memory; Only after the user has passed through polytype authentication; Just allow it to carry out corresponding file access operation, the security that improves the visit mobile memory.
Third party's method embodiment
As shown in Figure 7, in the present embodiment, suppose total N kind auth type: AU1; AU2 ..., AUN; For each auth type be provided with one through state value Si (i=1 ..., N); The current state value of each auth type of mobile memory record, not during the authentication through corresponding types, state value that can correspondence is set to 0; After i type authentication, mobile memory changes into the current state value of correspondence predefined through state value Si by 0.
In addition, mobile memory is provided with safety certification conditional value X, and with the safety certification condition enactment is: the current state value sum of each auth type correspondence is more than or equal to X.
Below, with N=3, promptly comprise three kinds of auth types altogether: static password authentication (AU1), dynamic password authentication (AU2) and certificate verification (AU3), S1=2, S2=3, S3=4 are that example describes present embodiment.
71, mobile memory is with after display device is connected, and display device explicit user authentication interface is carried out the selection of auth type with the prompting user, and input or select corresponding password or certificate.
72, behind the selected auth type of user, send authentication request to mobile memory.
The auth type that the user can select comprises: static password authentication, dynamic password authentication, certificate verification.
73, after mobile memory receives the authentication request of display device transmission, carry out the identification of auth type; If adopt the authentication of static password mode, then jump to step 74; If adopt the authentication of dynamic password mode, then jump to step 75, if adopt the authentication of certificate mode, then jump to step 76.
If 74 adopt the authentication of static password mode, mobile memory compares the static password of storing in the static password that comprises in the authentication request and its secure storage areas, if be complementary, then shows the static password authentication success; Otherwise show the static password authentication failure; Mobile memory changes to 2 with the static password authentication state value by 0.
If 75 adopt the authentications of dynamic password mode, mobile memory compares the dynamic password that comprises in the present dynamic password of its generation and the authentication request, if both couplings show that then dynamic password authentication successfully; Otherwise show the dynamic password authentication failure; Mobile memory changes to 3 with the dynamic password authentication state value by 0.
If 76 adopt the authentications of certificate mode, after mobile memory receives the authentication request that display device sends, the certificate that wherein comprises (below be called the display device certificate) is carried out authentication, mobile memory changes to 4 with the dynamic password authentication state value by 0.
77, behind this authentication success, mobile memory judges whether to satisfy predefined safety certification condition according to the authentication state value of various auth types, if satisfy then current state is designated safe condition, allows to carry out corresponding file access operation; If do not satisfy, then jump to step 72;
Above-mentioned safety certification condition is: the accumulated value of the authentication state value of various auth types is more than or equal to safety certification conditional value X.
For example, when safety certification conditional value X=5, as long as the safety certification condition is promptly satisfied in any two kinds of authentications in having passed through three types; When safety certification conditional value X=6, then need just satisfy the safety certification condition through two kinds of authentications that comprise certificate verification.
Subsequent step is similar with step 58~512 of the foregoing description, repeats no more at this.
Technical scheme by the invention described above provides can be found out; Adopt polytype authentication that user's file access operation is controlled simultaneously through mobile memory; Only after the user has passed through polytype authentication; Just allow it to carry out corresponding file access operation, the security that improves the visit mobile memory.
In several embodiment that the application provided, should be understood that, the system that is disclosed, apparatus and method can realize through other mode.For example, device embodiment described above only is schematically, for example; The division of said unit; Only be that a kind of logic function is divided, during actual the realization other dividing mode can be arranged, for example a plurality of unit or assembly can combine or can be integrated into another system; Or some characteristics can ignore, or do not carry out.Another point, the coupling each other that shows or discuss or directly coupling or communication to connect can be through some interfaces, the indirect coupling of device or unit or communication connect, and can be electrically, machinery or other form.
Said unit as separating component explanation can or can not be physically to separate also, and the parts that show as the unit can be or can not be physical locations also, promptly can be positioned at a place, perhaps also can be distributed on a plurality of NEs.Can realize the purpose of present embodiment scheme according to the needs selection some or all of unit wherein of reality.
In addition, each functional unit in each embodiment of the present invention can be integrated in the processing unit, also can be that the independent physics in each unit exists, and also can be integrated in the unit two or more unit.Above-mentioned integrated unit both can adopt the form of hardware to realize, also can adopt the form of SFU software functional unit to realize.
If said integrated unit is realized with the form of SFU software functional unit and during as independently production marketing or use, can be stored in the computer read/write memory medium.Based on such understanding; Part or all or part of of this technical scheme that technical scheme of the present invention contributes to prior art in essence in other words can come out with the embodied of software product; This computer software product is stored in the storage medium; Comprise some instructions with so that computer equipment (can be personal computer, server, the perhaps network equipment etc.) carry out all or part of step of the said method of each embodiment of the present invention.And aforesaid storage medium comprises: various media that can be program code stored such as USB flash disk, portable hard drive, ROM (read-only memory) (ROM, Read-Only Memory), RAS (RAM, Random Access Memory), magnetic disc or CD.
The above; Be merely the preferable embodiment of the present invention, but protection scope of the present invention is not limited thereto, any technician who is familiar with the present technique field is in the technical scope that the present invention discloses; The variation that can expect easily or replacement all should be encompassed within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection domain of claims.
Claims (11)
1. the access control method of a mobile memory is characterized in that, comprising:
Mobile memory receives the authentication request of multiple auth type, and carries out authentication;
When said mobile memory is judged current authentication through predefined N type, allow that said mobile memory is carried out predefined file access and operate;
Said N is the integer more than or equal to 2.
2. access control method according to claim 1 is characterized in that, said mobile memory adopts following mode to judge the current whether authentication through predefined N type:
Judge whether the pairing auth type number of the current authentication of having passed through equals N, if then judge the authentication of having passed through predefined N kind auth type.
3. access control method according to claim 1 is characterized in that, said mobile memory adopts following mode to judge the current whether authentication through predefined N kind auth type:
Judge whether the pairing auth type of the current authentication of having passed through is consistent with predefined N kind auth type, if then judge the authentication of having passed through predefined N kind auth type.
4. access control method according to claim 1 is characterized in that, said mobile memory adopts following mode to judge the current whether authentication through predefined N kind auth type:
Judge in the pairing auth type of the current authentication of having passed through and whether comprise predefined safety condition authentication; If; Then judge the authentication passed through predefined N kind auth type, said safety condition authentication belongs to a kind of in the said N kind auth type;
Comprise in the precondition through said safety condition authentication: through the preposition authentication of N-1 kind, said preposition authentication belongs to a kind of in the said N kind auth type.
5. access control method according to claim 1; It is characterized in that; Said mobile memory adopts following mode to judge the current whether authentication through predefined N kind auth type: judge that whether the pairing state value sum of the current dissimilar authentication of having passed through is more than or equal to predefined safety certification conditional value X; If then judge the authentication of having passed through predefined N kind auth type;
Wherein, said mobile memory adopts following mode to set through the pairing state value of various types of authentications:
Through the pairing state value sum of any M type authentication less than X, M<N wherein; The pairing state value sum of authentication through any N kind or predefined N type is more than or equal to X.
6. according to the described access control method of arbitrary claim among the claim 1-5, it is characterized in that said auth type comprises: static password authentication, dynamic password authentication or certificate verification.
7. access control method according to claim 1 is characterized in that, said predefined file access is operating as: the pairing file access operation of current file access authority;
Wherein, said current file access authority is the current pairing file access authority of the highest level of security;
Said the highest current level of security is: the level of security that the mxm. in the pairing level of security of authentication of current said N type of passing through is corresponding.
8. access control method according to claim 1 is characterized in that, said predefined file access is operating as: the pairing file access operation of current file access authority;
Wherein, the said current file access authority authentication that is current said N type of passing through the union of corresponding file access rights respectively.
9. a mobile memory is characterized in that, comprises authentication ' unit and access control unit, wherein:
Said authentication ' unit is used to receive the authentication request of multiple auth type, and carries out authentication, and the authentication output result;
Said access control unit; Be used for judging the current whether authentication through predefined N type according to the authentication result of said authentication ' unit output; When judging current authentication through predefined N type; Permission is carried out predefined file access operation to said mobile memory, and said N is the integer more than or equal to 2.
10. mobile memory according to claim 9 is characterized in that,
Said access control unit adopts following mode to judge the current whether authentication through predefined N type: judge whether the pairing auth type number of the current authentication of having passed through equals N; If then judge the authentication of having passed through predefined N kind auth type; Perhaps,
Said access control unit adopts following mode to judge the current whether authentication through predefined N type: judge whether the pairing auth type of the current authentication of having passed through is consistent with predefined N kind auth type; If then judge the authentication of having passed through predefined N kind auth type; Perhaps,
Said access control unit adopts following mode to judge the current whether authentication through predefined N type: judge in the pairing auth type of the current authentication of having passed through whether comprise predefined safety condition authentication; If; Then judge the authentication of having passed through predefined N kind auth type; Said safety condition authentication belongs to a kind of in the said N kind auth type; Comprise in the precondition through said safety condition authentication: through the preposition authentication of N-1 kind, said preposition authentication belongs to a kind of in the said N kind auth type; Perhaps,
Said access control unit adopts following mode to judge the current whether authentication through predefined N type: judge that whether the pairing state value sum of the current dissimilar authentication of having passed through is more than or equal to predefined safety certification conditional value X; If; Then judge the authentication of having passed through predefined N kind auth type; Wherein, Said mobile memory adopts following mode to set through the pairing state value of various types of authentications, through the pairing state value sum of any M type authentication less than X, M<N wherein; The pairing state value sum of authentication through any N kind or predefined N type is more than or equal to X.
11. the access control system of a mobile memory is characterized in that, comprise display device and as above-mentioned claim 9 or 10 described mobile memories, wherein:
Said display device, the authentication request that is used to send multiple auth type is to said mobile memory;
Said mobile memory; Be used to receive the authentication request of the multiple auth type that said display device sends; And carry out authentication; When said mobile memory is judged current authentication through predefined N type, allow that said mobile memory is carried out predefined file access and operate, said N is the integer more than or equal to 2.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110337854.5A CN102426555B (en) | 2011-10-31 | 2011-10-31 | The access control method of a kind of mobile memory, mobile memory and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110337854.5A CN102426555B (en) | 2011-10-31 | 2011-10-31 | The access control method of a kind of mobile memory, mobile memory and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102426555A true CN102426555A (en) | 2012-04-25 |
| CN102426555B CN102426555B (en) | 2015-12-02 |
Family
ID=45960543
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110337854.5A Active CN102426555B (en) | 2011-10-31 | 2011-10-31 | The access control method of a kind of mobile memory, mobile memory and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102426555B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107623662A (en) * | 2016-07-15 | 2018-01-23 | 阿里巴巴集团控股有限公司 | The control method of access, device and system |
| CN111783074A (en) * | 2020-07-31 | 2020-10-16 | 广东电网有限责任公司梅州供电局 | Access control method and device of mobile memory, electronic equipment and storage medium |
| CN113609538A (en) * | 2021-07-09 | 2021-11-05 | 国网福建省电力有限公司电力科学研究院 | Access control method, device and equipment for mobile storage medium and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050066199A1 (en) * | 2003-09-19 | 2005-03-24 | Hui Lin | Identification process of application of data storage and identification hardware with IC card |
| CN201518127U (en) * | 2009-10-13 | 2010-06-30 | 航天信息股份有限公司 | Encrypted mobile memory based on password authentication |
| CN101908960A (en) * | 2009-06-02 | 2010-12-08 | 上海科大智能科技股份有限公司 | Multiple security method of electronic file concerning security matters |
| CN102223364A (en) * | 2011-05-09 | 2011-10-19 | 飞天诚信科技股份有限公司 | Method and system for accessing e-book data |
-
2011
- 2011-10-31 CN CN201110337854.5A patent/CN102426555B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050066199A1 (en) * | 2003-09-19 | 2005-03-24 | Hui Lin | Identification process of application of data storage and identification hardware with IC card |
| CN101908960A (en) * | 2009-06-02 | 2010-12-08 | 上海科大智能科技股份有限公司 | Multiple security method of electronic file concerning security matters |
| CN201518127U (en) * | 2009-10-13 | 2010-06-30 | 航天信息股份有限公司 | Encrypted mobile memory based on password authentication |
| CN102223364A (en) * | 2011-05-09 | 2011-10-19 | 飞天诚信科技股份有限公司 | Method and system for accessing e-book data |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107623662A (en) * | 2016-07-15 | 2018-01-23 | 阿里巴巴集团控股有限公司 | The control method of access, device and system |
| CN111783074A (en) * | 2020-07-31 | 2020-10-16 | 广东电网有限责任公司梅州供电局 | Access control method and device of mobile memory, electronic equipment and storage medium |
| CN113609538A (en) * | 2021-07-09 | 2021-11-05 | 国网福建省电力有限公司电力科学研究院 | Access control method, device and equipment for mobile storage medium and storage medium |
| CN113609538B (en) * | 2021-07-09 | 2024-03-08 | 国网福建省电力有限公司电力科学研究院 | Access control method, device and equipment for mobile storage medium and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102426555B (en) | 2015-12-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| AU2021201221B2 (en) | Distributed, decentralized data aggregation | |
| US20240095820A1 (en) | Externally held account discovery and aggregation | |
| US8839383B2 (en) | Authentification broker for the securities industry | |
| CN105141614B (en) | A kind of access right control method and device of movable storage device | |
| CN102368230A (en) | Mobile memory and access control method thereof as well as system | |
| KR20210066795A (en) | System and method for cryptographic authentication of contactless card | |
| AU2020260481B2 (en) | Account verification | |
| CN102387150B (en) | Access control method and system of mobile memory and mobile memory | |
| CN112738021A (en) | Single sign-on method, terminal, application server, authentication server and medium | |
| CN102426555A (en) | Mobile memory, and access control method and system thereof | |
| CN102368773B (en) | Access control method of mobile memory, mobile memory and system | |
| US20130204929A1 (en) | Information Generation System And Method Therefor | |
| EP3882839A1 (en) | Account verification | |
| CN105574425B (en) | Access the method and device of storage data | |
| CN102521164B (en) | Access control method of mobile memory, mobile memory and system | |
| KR20230048331A (en) | System and method for controlling secure data transmission via URL | |
| US20230376936A1 (en) | Configuring applications on a device using a contactless card | |
| US11893587B2 (en) | System for enhanced authentication using non-fungible tokens (NFTs) | |
| US20230368179A1 (en) | System and method for providing temporary virtual payment card | |
| da Fonte | Host Card Emulation with Tokenisation: Security Risk Assessments | |
| CN112907374A (en) | Signature verification method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C53 | Correction of patent of invention or patent application | ||
| CB02 | Change of applicant information |
Address after: 102211 Beijing city Changping District Baishan town 100 Ge Road No. 9 Building No. 2 hospital Applicant after: Tendyron Technology Co., Ltd. Address before: 100083, B, block 17, golden building, No. 1810 Qinghua East Road, Beijing, Haidian District Applicant before: Beijing Tendyron Technology Co., Ltd. |
|
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |