CN102426555B - Access control method for a mobile memory, mobile memory and system - Google Patents


Info

Publication number
CN102426555B
Authority
CN
China
Prior art keywords
certification
mobile memory
type
file access
current
Legal status
Active
Application number
CN201110337854.5A
Other languages
Chinese (zh)
Other versions
CN102426555A (en)
Inventor
李东声
Current Assignee
Tendyron Technology Co Ltd
Original Assignee
Tendyron Technology Co Ltd
Application filed by Tendyron Technology Co Ltd
Priority to CN201110337854.5A
Publication of CN102426555A
Application granted
Publication of CN102426555B

Abstract

The invention discloses a mobile memory, an access control method for the mobile memory, and a system. The access control method comprises: the mobile memory receives authentication requests of multiple authentication types and performs authentication; when the mobile memory determines that authentication of N preset types has currently been passed, it allows the preset file access operations of the mobile memory, where N is an integer greater than or equal to 2. By allowing the preset file access operations only once the mobile memory determines that authentication of the N preset types has been passed, the access control method, mobile memory and system of the invention improve the security of file access operations.

Description

Access control method for a mobile memory, mobile memory and system
Technical field
The present invention relates to the field of information security technology, and in particular to a mobile memory, an access control method for the mobile memory, and a system.
Background technology
With the rapid spread of mobile memories, especially those with a USB (Universal Serial Bus) interface (hereinafter referred to as USB flash drives), the security of the files stored on USB flash drives has drawn increasing attention.
To strengthen the security of USB flash drives, secure USB flash drives that can control file access operations are gradually being applied in fields such as the military, finance and business.
The basic principle of access control in a secure USB flash drive is that, before a user can access the files on the drive, the user must send an authentication password (hereinafter referred to as the password) to the drive through a terminal; the drive authenticates the password, and only after authentication succeeds does it allow the user to perform operations such as reading and writing files.
However, existing secure USB flash drives authenticate the user only by means of a static authentication password, which has the drawback of poor security.
Summary of the invention
The object of the present invention is to provide a mobile memory, an access control method for the mobile memory, and a system that improve the security of file access.
The object of the invention is achieved through the following technical solutions:
An access control method for a mobile memory, comprising:
the mobile memory receives authentication requests of multiple authentication types and performs authentication;
when the mobile memory determines that authentication of N preset types has currently been passed, it allows the preset file access operations of the mobile memory;
the mobile memory determines whether authentication of the N preset authentication types has currently been passed in the following way: it checks that the sum of the state values corresponding to the passed authentications of any M types, where M<N, is less than X, and that the sum of the state values corresponding to the passed authentications of any N types, or of the N preset types, is greater than or equal to X; if so, it determines that authentication of the N preset authentication types has been passed;
N is an integer greater than or equal to 2.
A mobile memory, comprising an authentication unit and an access control unit, wherein:
the authentication unit is configured to receive authentication requests of multiple authentication types and to perform authentication;
the access control unit is configured to allow the preset file access operations of the mobile memory when it determines that authentication of the N preset types has currently been passed; the access control unit determines whether authentication of the N preset authentication types has currently been passed in the following way: it checks that the sum of the state values corresponding to the passed authentications of any M types, where M<N, is less than X, and that the sum of the state values corresponding to the passed authentications of any N types, or of the N preset types, is greater than or equal to X; if so, it determines that authentication of the N preset authentication types has been passed;
N is an integer greater than or equal to 2.
An access control system for a mobile memory, comprising a display device and a mobile memory, wherein:
the display device is configured to send authentication requests of multiple authentication types to the mobile memory;
the mobile memory is configured to receive the authentication requests of multiple authentication types sent by the display device and to perform authentication, and to allow the preset file access operations of the mobile memory when it determines that authentication of the N preset types has currently been passed, N being an integer greater than or equal to 2.
As can be seen from the technical solution provided above, the mobile memory, access control method and system provided by the embodiments of the present invention improve the security of file access operations by allowing the preset file access operations only when the mobile memory determines that authentication of the N preset types has currently been passed.
Accompanying drawing explanation
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of the access control method for a mobile memory provided by an embodiment of the present invention.
Fig. 2 is a first schematic structural diagram of the mobile memory provided by an embodiment of the present invention.
Fig. 3 is a second schematic structural diagram of the mobile memory provided by an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of the access control system for a mobile memory provided by an embodiment of the present invention.
Fig. 5 is a first schematic flow chart of an application scenario of the access control method for a mobile memory provided by an embodiment of the present invention.
Fig. 6 is a second schematic flow chart of an application scenario of the access control method for a mobile memory provided by an embodiment of the present invention.
Fig. 7 is a third schematic flow chart of an application scenario of the access control method for a mobile memory provided by an embodiment of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The embodiments of the present invention are described in further detail below with reference to the drawings.
As shown in Fig. 1, an embodiment of the present invention provides an access control method for a mobile memory, comprising:
11. The mobile memory receives authentication requests of multiple authentication types and performs authentication.
12. When the mobile memory determines that authentication of N preset types has currently been passed, it allows the preset file access operations of the mobile memory, N being an integer greater than or equal to 2.
In the access control method of this embodiment, the mobile memory can receive authentication requests sent by a display device; the display device may be a personal computer, a dedicated file information display device, or the like.
As can be seen from the technical solution above, allowing the preset file access operations only when the mobile memory determines that authentication of the N preset types has currently been passed improves the security of file access operations.
Optionally, the authentication types may include static password authentication, dynamic password authentication, certificate authentication, and the like.
Optionally, in step 12 above, the mobile memory may determine whether authentication of the N preset types has currently been passed in the following way:
it checks whether the number of authentication types corresponding to the currently passed authentications equals N; if so, it determines that authentication of the N preset authentication types has been passed.
For example, if the authentication types comprise static password authentication, dynamic password authentication and certificate authentication, and N equals 2, then once step 12 determines that any 2 of those types have currently been passed, it determines that authentication of the 2 preset authentication types has been passed, and file access operations may be performed on the mobile memory.
Alternatively, in step 12 above, the mobile memory may determine whether authentication of the N preset authentication types has currently been passed in the following way:
it checks whether the authentication types corresponding to the currently passed authentications match the N preset authentication types; if so, it determines that authentication of the N preset authentication types has been passed.
For example, if the authentication types comprise static password authentication, dynamic password authentication and certificate authentication, and the 2 preset authentication types are static password authentication and certificate authentication, then once step 12 determines that both static password authentication and certificate authentication have currently been passed, it determines that authentication of the 2 preset authentication types has been passed, and file access operations may be performed on the mobile memory.
Alternatively, in step 12 above, the mobile memory may determine whether authentication of the N preset authentication types has currently been passed in the following way:
it checks whether the authentication types corresponding to the currently passed authentications include the preset safety-condition authentication; if so, it determines that authentication of the N preset authentication types has been passed. The safety-condition authentication is one of the N authentication types,
and its preconditions include passing N-1 prerequisite authentications, each prerequisite authentication being one of the N authentication types.
For example, if the authentication types comprise static password authentication, dynamic password authentication and certificate authentication, N equals 2, the prerequisite authentication is static password authentication and the safety-condition authentication is certificate authentication, then when step 12 determines that the currently passed authentication types include certificate authentication and that the precondition of certificate authentication, namely passing static password authentication, has been met, it determines that authentication of the 2 preset authentication types has been passed, and file access operations may be performed on the mobile memory.
Alternatively, in step 12 above, the mobile memory may determine whether authentication of the N preset authentication types has currently been passed in the following way:
it checks whether the sum of the state values corresponding to the currently passed authentications of different types is greater than or equal to the preset safety authentication condition value X; if so, it determines that authentication of the N preset authentication types has been passed;
wherein the mobile memory may set the state value corresponding to each type of authentication in the following way:
the sum of the state values corresponding to the passed authentications of any M types, where M<N, is less than X; and the sum of the state values corresponding to the passed authentications of any N types, or of the N preset types, is greater than or equal to X.
For example, suppose the authentication types comprise static password authentication, dynamic password authentication, certificate authentication and the like, N equals 3, and the preset safety authentication condition value X equals 3. If the state value of static password authentication is 1, the state value of dynamic password authentication is 1 and the state value of certificate authentication is 1, then the sum of the state values corresponding to passing the 3 preset types (static password authentication, dynamic password authentication and certificate authentication) equals X (1+1+1=3), and for M=2 (M<N) the sum of the state values corresponding to passing any 2 types is less than X (1+1=2<3); so it is determined that authentication of the N preset authentication types has been passed.
If instead the state value of static password authentication is 2, the state value of dynamic password authentication is 1 and the state value of certificate authentication is 1, then although the sum of the state values corresponding to passing the 3 preset types (static password authentication, dynamic password authentication and certificate authentication) is greater than X (2+1+1=4>3), for M=2 the sum of the state values corresponding to passing static password authentication and dynamic password authentication, or static password authentication and certificate authentication, equals X (1+2=3); the requirement that the state-value sum of any M types be less than X is not met, so it cannot be determined that authentication of the N preset authentication types has been passed.
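The four decision rules for step 12 and the state-value rule of the last one, as an added example written for this page rather than code from the patent; the type names, the `passed` list and the tuple returned by `state_values_valid` are assumptions, and the worked values are the N=3, X=3 cases from the description.

```python
"""Added example (not part of the patent): the four ways step 12 can decide
whether authentication of the N preset types has been passed, plus a check
of the state-value rule the description imposes on the fourth way.
Authentication-type names and the `passed` input are assumptions."""
from itertools import combinations

STATIC, DYNAMIC, CERT = "static_password", "dynamic_password", "certificate"


def by_count(passed, n):
    """Way 1: the number of distinct passed types equals N."""
    return len(set(passed)) == n


def by_preset_types(passed, preset):
    """Way 2: the passed types match the N preset types."""
    return set(passed) == set(preset)


def by_safety_condition(passed, safety_type, prerequisites):
    """Way 3: the safety-condition type was passed and its precondition,
    passing all N-1 prerequisite types, is met."""
    done = set(passed)
    return safety_type in done and set(prerequisites) <= done


def state_values_valid(state_values, n, x):
    """Rule for choosing state values: any M<N types sum to less than X,
    and any N types (hence also the N preset types) sum to at least X.
    Returns (ok, offending_subset); offending_subset is () when ok."""
    types = list(state_values)
    for m in range(1, n):
        for combo in combinations(types, m):
            if sum(state_values[t] for t in combo) >= x:
                return False, combo
    for combo in combinations(types, n):
        if sum(state_values[t] for t in combo) < x:
            return False, combo
    return True, ()


def by_state_values(passed, state_values, x):
    """Way 4: sum the state values of the distinct passed types and compare
    with X. Each type is counted once, so passing the same type twice
    cannot reach X; otherwise the M<N bound would be defeated."""
    return sum(state_values[t] for t in set(passed)) >= x


# Worked values from the description: N=3, X=3.
GOOD = {STATIC: 1, DYNAMIC: 1, CERT: 1}   # 1+1=2<3 and 1+1+1=3>=3
BAD = {STATIC: 2, DYNAMIC: 1, CERT: 1}    # 2+1=3 is not < 3

if __name__ == "__main__":
    print(state_values_valid(GOOD, 3, 3))  # (True, ())
    print(state_values_valid(BAD, 3, 3))   # (False, ('static_password', 'dynamic_password'))
    print(by_state_values([STATIC, DYNAMIC], GOOD, 3))        # False
    print(by_state_values([STATIC, DYNAMIC, CERT], GOOD, 3))  # True
```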
Optionally, in the access control method of this embodiment, the preset file access operations in step 12 may be the file access operations corresponding to the current file access authority;
wherein the current file access authority is the file access authority corresponding to the current highest security level;
and the current highest security level is the security level corresponding to the maximum value among the security levels corresponding to the currently passed authentications of the N types.
Alternatively, in the access control method of this embodiment, the preset file access operations in step 12 may be the file access operations corresponding to the current file access authority;
wherein the current file access authority is the union of the file access authorities corresponding to each of the currently passed authentications of the N types.
As shown in Fig. 2, corresponding to the access control method of the above embodiment, an embodiment of the present invention provides a mobile memory comprising an authentication unit 21 and an access control unit 22:
the authentication unit 21 is configured to receive authentication requests of multiple authentication types and to perform authentication;
the access control unit 22 is configured to allow the preset file access operations of the mobile memory when it determines that authentication of N preset types has currently been passed, N being an integer greater than or equal to 2.
As can be seen from the technical solution above, allowing the preset file access operations only when the mobile memory determines that authentication of the N preset types has currently been passed improves the security of file access operations.
Optionally, the authentication types may include static password authentication, dynamic password authentication, certificate authentication, and the like.
Optionally, the access control unit 22 is specifically configured to check whether the number of authentication types corresponding to the currently passed authentications equals N and, if so, to determine that authentication of the N preset authentication types has been passed.
Alternatively, the access control unit 22 may be specifically configured to check whether the authentication types corresponding to the currently passed authentications match the N preset authentication types and, if so, to determine that authentication of the N preset authentication types has been passed.
Alternatively, the access control unit 22 may be specifically configured to check whether the authentication types corresponding to the currently passed authentications include the preset safety-condition authentication and, if so, to determine that authentication of the N preset authentication types has been passed; the safety-condition authentication is one of the N authentication types, and its preconditions include passing N-1 prerequisite authentications, each of which is one of the N authentication types.
Alternatively, the access control unit 22 may be specifically configured to check whether the sum of the state values corresponding to the currently passed authentications of different types is greater than or equal to the preset safety authentication condition value X and, if so, to determine that authentication of the N preset authentication types has been passed; wherein the mobile memory sets the state value corresponding to each type of authentication in the following way: the sum of the state values corresponding to the passed authentications of any M types, where M<N, is less than X, and the sum of the state values corresponding to the passed authentications of any N types, or of the N preset types, is greater than or equal to X.
Optionally, the preset file access operations may be the file access operations corresponding to the current file access authority;
wherein the current file access authority is the file access authority corresponding to the current highest security level;
and the current highest security level is the security level corresponding to the maximum value among the security levels corresponding to the currently passed authentications of the N types.
Alternatively, the preset file access operations may be the file access operations corresponding to the current file access authority;
wherein the current file access authority is the union of the file access authorities corresponding to each of the currently passed authentications of the N types.
As shown in Fig. 3, the mobile memory of this embodiment may further comprise:
a preset unit 31, configured to preset at least one of: the N types of authentication, N being an integer greater than or equal to 2; the safety-condition authentication and the prerequisite authentications; the safety authentication condition value X and the state values corresponding to the N types of authentication; and the preset file access operations.
The mobile memory of this embodiment corresponds to the access control method of the above embodiment, so the related content can be understood with reference to that method and is not repeated here.
As shown in Fig. 4, an embodiment of the present invention provides an access control system for a mobile memory, comprising a display device 41 and a mobile memory 42:
the display device 41 is configured to send authentication requests of multiple authentication types to the mobile memory 42;
the mobile memory 42 is configured to receive the authentication requests of multiple authentication types sent by the display device 41 and to perform authentication, and to allow the preset file access operations of the mobile memory 42 when it determines that authentication of N preset types has currently been passed, N being an integer greater than or equal to 2.
In the access control system of this embodiment, the mobile memory can receive authentication requests sent by the display device; the display device may be a personal computer, a dedicated file information display device, or the like.
As can be seen from the technical solution above, allowing the preset file access operations only when the mobile memory determines that authentication of the N preset types has currently been passed improves the security of file access operations.
In the access control system of this embodiment, the mobile memory can be understood with reference to the mobile memory of the above embodiment and is not described again here.
First method embodiment
As shown in Fig. 5, in this embodiment the mobile memory records each type of authentication the user passes; after the user initiates a file access operation request, the mobile memory scans the user's authentication state and, when the preset condition is met, allows the corresponding file access operation.
The method of this embodiment comprises the following steps:
51. After the mobile memory is connected to the display device, the display device displays a user authentication interface prompting the user to select an authentication type and to input or select the corresponding password or certificate.
The display device may be a personal computer or a dedicated file information display device.
52. After the user selects an authentication type, an authentication request is sent to the mobile memory.
The authentication types the user can select include static password authentication, dynamic password authentication and certificate authentication.
If static password authentication is selected, the user normally enters a user name and a static password, where the user name is optional; if dynamic password authentication is selected, the user normally enters a user name and the dynamic password obtained from a token device, such as an OTP (One-Time Password) token, where the user name is optional; if certificate authentication is selected, the user normally enters a user name and selects the corresponding user certificate, where the user name is optional.
Depending on the authentication type adopted, the authentication request may comprise a static password, a dynamic password, or the certificate of the display device.
Optionally, the authentication request may also comprise a user name.
The static password may be set in advance by an administrator of the mobile memory or by the user; the display device can read it from its built-in or external memory module, or obtain it from user input, and include it in the authentication request sent to the mobile memory.
The dynamic password may be obtained by the user from a dedicated token device and entered into the display device, which includes the dynamic password entered by the user in the authentication request sent to the mobile memory.
The display device certificate may be read by the display device from its built-in or external memory module and sent to the mobile memory.
The external memory module may be a memory card, a smart card, a SIM (Subscriber Identity Module) card, or the like.
In addition, the authentication request may also comprise an authentication type indication field identifying the authentication type currently adopted.
53. After the mobile memory receives the authentication request sent by the display device, it identifies the authentication type.
If static password authentication is adopted, go to step 54; if dynamic password authentication is adopted, go to step 55; if certificate authentication is adopted, go to step 56.
The mobile memory can identify the authentication type currently adopted from the authentication type indication field in the authentication request.
54. If static password authentication is adopted, the mobile memory compares the static password contained in the authentication request with the static password stored in its secure storage area; if they match, static password authentication succeeds, otherwise it fails. The mobile memory records the static password authentication state.
The static password authentication state may be: static password authentication succeeded or static password authentication failed. The initial value of this authentication state may be: static password authentication not performed, or static password authentication failed.
If the authentication request contains a user name, the mobile memory can obtain the corresponding static password from the secure storage area according to the user name and compare it; if the authentication request does not contain a user name, the mobile memory can obtain multiple valid static passwords from the secure storage area and compare each of them with the static password contained in the authentication request; as long as one static password obtained from the secure storage area matches the static password in the authentication request, static password authentication succeeds.
A valid static password is a static password that corresponds to at least one security level or file access authority.
55. If dynamic password authentication is adopted, the mobile memory compares the current dynamic password it has generated with the dynamic password contained in the authentication request; if they match, dynamic password authentication succeeds, otherwise it fails. The mobile memory records the dynamic password authentication state.
The dynamic password authentication state may be: dynamic password authentication succeeded or dynamic password authentication failed. The initial value of this authentication state may be: dynamic password authentication not performed, or dynamic password authentication failed.
To support dynamic password authentication, the mobile memory acts as a dynamic password server (for example, an OTP server) and needs to be provided with one or more dynamic password generators, each of which may correspond to one or more tokens (or users).
When multiple dynamic password generators are provided in the mobile memory, the user obtains the current dynamic password from the token and enters it into the display device; after the dynamic password is included in the authentication request sent to the mobile memory, dynamic password authentication succeeds as long as the dynamic password in the authentication request matches the dynamic password generated by one of the dynamic password generators.
In addition, when multiple dynamic password generators are provided in the mobile memory, each corresponding to one user, and the authentication request contains a user name, the user obtains the current dynamic password from the token and enters both the user name and the dynamic password into the display device; after the user name and the dynamic password are included in the authentication request sent to the mobile memory, the mobile memory can obtain the dynamic password generated by the dynamic password generator corresponding to the user name in the authentication request and authenticate the dynamic password by comparing it with the dynamic password contained in the authentication request.
56. If certificate authentication is adopted, after receiving the authentication request sent by the display device, the mobile memory authenticates the certificate contained in it (hereinafter referred to as the display device certificate) and records the certificate authentication state.
The certificate authentication state may be: certificate authentication succeeded or certificate authentication failed. The initial value of this authentication state may be: certificate authentication not performed, or certificate authentication failed.
The certificate authentication process may be divided into the following sub-steps:
561. The mobile memory reads the issuer identification information in the display device certificate and obtains the corresponding issuer certificate according to this information.
562. The mobile memory reads the public key of that certificate from the issuer certificate.
563. The mobile memory uses the public key to verify the signature field of the display device certificate; if signature verification succeeds, certificate authentication succeeds, otherwise it fails.
Obviously, to support certificate authentication, the mobile memory needs to store one or more root certificates (issuer certificates), each root certificate corresponding to a trusted CA (Certificate Authority), and the display device certificate is issued by such a CA.
57. After this authentication succeeds, the mobile memory checks the authentication states of the preset authentication types; if the preset safety authentication condition is met, it marks the current state as a safe state and allows the corresponding file access operations; if not, it returns to step 52.
The safety authentication condition may be one of the following:
Condition one: authentication of N types has been passed, where the preset number of authentication types N is an integer greater than 1.
For example, if the preset number of authentication types N is 2, the user meets the safety authentication condition after passing authentication of any two types.
Condition two: authentication of the preset multiple types has been passed.
For example, if the preset authentication types are static password authentication and certificate authentication, the safety authentication condition is met only after authentication of both of those types has been passed.
58, the user's current file access authority is determined from the multiple types of authentication the user has passed.
The user's current file access authority can be determined in one of the following ways:
(1) Mode one: different authentication types correspond to different security levels, and different security levels correspond to different file access authorities; the highest security level among the authentication types the user has passed is taken as the current security level, and the file access authority corresponding to the current security level is taken as the user's current file access authority.
In this embodiment, the security levels, from low to high, can be:
low security level, corresponding to static password authentication;
intermediate security level, corresponding to dynamic password authentication;
high security level, corresponding to certificate verification.
In this embodiment, different security levels correspond to different file access authorities. A file access authority can comprise different file operation types and/or different file access operation objects.
File access operation types can include: browsing file attribute information, reading a file, modifying a file, deleting a file, creating a file, creating a folder, deleting a folder, and so on.
Browsing file attribute information, also called a browse-folder operation, means browsing attribute information such as the file/folder name, file type, creation date and modification date of the files or folders contained in a given disk partition or folder.
File access operation objects can be divided into: disk partitions, folders, files.
For example:
When the security level is high, all access operations can be performed on all files in all directories (folders) of all partitions; that is, all types of file access operation can be performed on all file access operation objects;
When the security level is intermediate, all files in all partitions/directories (folders) can be read and modified, and access operations such as creating files and browsing folders can be performed, but deleting files or deleting folders is not allowed; that is, some types of file access operation can be performed on all file access operation objects;
When the security level is low, read operations can be performed on all or some of the files in some partitions/directories (folders), and access operations such as browsing folders can be performed, but modifying files, deleting files or deleting folders is not allowed; that is, some types of file access operation can be performed on some file access operation objects.
Or (2) mode two: different authentication types correspond to different file access authorities, and the union of the file access authorities corresponding to the different types of authentication the user has passed is taken as the user's current file access authority.
For example, the file access authority corresponding to static password authentication comprises browsing the attribute information of file A and reading file A; the file access authority corresponding to certificate verification comprises all file access operations on file B; the user's current file access authority is then the above specific file access operations on file A together with all file access operations on file B.
59, the mobile memory waits for the user to send a file access operation request to the mobile memory through the display device.
510, after the mobile memory receives the file access operation request sent by the display device, it parses the request, obtains the file access operation type and file access operation object corresponding to the request, and judges according to the user's current file access authority whether executing the request is allowed; if allowed, perform step 511; if not allowed, perform step 512.
511, if executing the file access operation request is allowed, the mobile memory performs the corresponding file access operation, returns the file access result (for example, the corresponding file data) to the display device, and jumps to step 59.
512, if executing the file access operation request is not allowed, the mobile memory returns to the display device a response message refusing the corresponding file access operation, and jumps to step 59.
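The policy logic of steps 57 to 512, written as an added example (this is not code from the patent or its assignee): authentication state is tracked per type, the security authentication condition is checked either as "any N types passed" (condition one) or "a specific preset set passed" (condition two), and the current file access authority is derived either from the highest security level passed (mode one) or as the union of per-type authorities (mode two). The level table, the permission tables and the object names (partition "P1", "fileA", "fileB") are assumptions chosen to illustrate the method; the patent does not specify them.

```python
"""Added example of the first embodiment's access-control policy (not the patent's code).

Assumptions: the level and permission tables below are illustrative only.
"""
from dataclasses import dataclass, field

# Authentication types named in the patent.
STATIC, DYNAMIC, CERT = "static_password", "dynamic_password", "certificate"

# Mode one: each authentication type maps to a security level (low < intermediate < high).
LEVEL = {STATIC: 1, DYNAMIC: 2, CERT: 3}

# File access operation types listed in the patent.
BROWSE, READ, MODIFY, DELETE, CREATE_FILE, CREATE_DIR, DELETE_DIR = (
    "browse", "read", "modify", "delete", "create_file", "create_dir", "delete_dir")
ALL_OPS = frozenset({BROWSE, READ, MODIFY, DELETE, CREATE_FILE, CREATE_DIR, DELETE_DIR})

# A file access authority is a set of (object, operation) pairs; "*" matches any object.
# Assumed table for mode one (level -> authority): low = browse/read on partition "P1" only,
# intermediate = everything except deletes on all objects, high = everything on all objects.
LEVEL_PERMS = {
    1: {("P1", BROWSE), ("P1", READ)},
    2: {("*", op) for op in ALL_OPS - {DELETE, DELETE_DIR}},
    3: {("*", op) for op in ALL_OPS},
}

# Assumed table for mode two (type -> authority), following the patent's file A / file B example.
TYPE_PERMS = {
    STATIC: {("fileA", BROWSE), ("fileA", READ)},
    CERT: {("fileB", op) for op in ALL_OPS},
    DYNAMIC: set(),
}


@dataclass
class MobileMemory:
    passed: set = field(default_factory=set)  # authentication types passed so far

    def record(self, auth_type, success):
        """Steps 54-56: record the outcome of one authentication; a failure clears that type."""
        if success:
            self.passed.add(auth_type)
        else:
            self.passed.discard(auth_type)

    def secure(self, n=None, required=None):
        """Step 57. Condition one: any `n` types passed. Condition two: every type in
        `required` passed. Exactly one of the two arguments is used."""
        if required is not None:
            return set(required) <= self.passed
        return len(self.passed) >= n

    def perms_by_level(self):
        """Step 58, mode one: authority of the highest level among the types passed."""
        if not self.passed:
            return set()
        return set(LEVEL_PERMS[max(LEVEL[t] for t in self.passed)])

    def perms_by_union(self):
        """Step 58, mode two: union of the authorities of all types passed."""
        return set().union(*(TYPE_PERMS[t] for t in self.passed))

    @staticmethod
    def allowed(perms, obj, op):
        """Step 510: decide one parsed request (object, operation) against the authority."""
        return (obj, op) in perms or ("*", op) in perms
```

The `secure` check is deliberately separate from the authority derivation: in the patent the device first enters the secure state (step 57) and only then computes the authority (step 58), so a device that has not reached the secure state should never consult `perms_by_level` or `perms_by_union` at all.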
As can be seen from the technical solution provided by the invention above, the mobile memory uses multiple types of authentication together to control the user's file access operations; only after the user has passed multiple types of authentication is the user allowed to perform the corresponding file access operations, which improves the security of accessing the mobile memory.
Second method embodiment
As shown in Figure 6, in this embodiment the security authentication condition is set to passing a certain preset authentication type (called the security-condition authentication), and the precondition for carrying out authentication of that type is set to passing another preset authentication type (the prerequisite authentication); the mobile memory decides whether security-condition authentication may be carried out by judging whether the prerequisite authentication has been passed, and decides whether the security authentication condition is met by judging whether the user has passed the security-condition authentication. That is, in this embodiment the user must pass the specified types of authentication in order before file read/write operations can be performed.
Below, static password authentication is taken as the prerequisite authentication and certificate verification as the security-condition authentication.
61, after the mobile memory is connected to the display device, the display device displays a user authentication interface prompting the user to select an authentication type and to enter or select the corresponding password or certificate.
62, after the user selects an authentication type, an authentication request is sent to the mobile memory.
The authentication types the user can select include: static password authentication, dynamic password authentication, certificate verification.
63, after the mobile memory receives the authentication request sent by the display device, it identifies the authentication type.
If static password authentication is used, jump to step 64; if dynamic password authentication is used, jump to step 65; if certificate-mode authentication is used, jump to step 66.
64, if static password authentication is used, the mobile memory compares the static password contained in the authentication request with the static password stored in its secure storage area; if they match, static password authentication succeeds, otherwise static password authentication fails; the mobile memory records the static password authentication state.
The static password authentication state can be: static password authentication succeeded or static password authentication failed. The initial value of this authentication state can be: static password authentication not performed, or static password authentication failed.
65, if dynamic password authentication is used, the mobile memory returns an authentication-type-error message to the display device.
66, if certificate-mode authentication is used, the mobile memory judges whether the user has passed the prerequisite authentication (i.e., static password authentication); if the prerequisite authentication has not been passed, it returns an authentication-type-error message to the display device; if it has been passed, the mobile memory authenticates the certificate contained in the received authentication request (hereinafter the display device certificate) and records the certificate verification state.
The certificate verification state can be: certificate verification succeeded or certificate verification failed. The initial value of this authentication state can be: certificate verification not performed, or certificate verification failed.
67, after this authentication succeeds, the mobile memory judges whether the security authentication condition is met (i.e., whether certificate verification has been passed); if it is met, the current state is marked as the secure state and the corresponding file access operations are allowed; if it is not met, jump to step 62.
68, the user's file access authority is determined according to the preset authority information.
69, the mobile memory waits for the user to send a file access operation request to the mobile memory through the display device.
610, after the mobile memory receives the file access operation request sent by the display device, it parses the request, obtains the file access operation type and file access operation object corresponding to the request, and judges according to the user's current file access authority whether executing the request is allowed; if allowed, perform step 611; if not allowed, perform step 612.
611, if executing the file access operation request is allowed, the mobile memory performs the corresponding file access operation, returns the file access result (for example, the corresponding file data) to the display device, and jumps to step 69.
612, if executing the file access operation request is not allowed, the mobile memory returns to the display device a response message refusing the corresponding file access operation, and jumps to step 69.
Optionally, this second embodiment also has several variants, such as:
(1) Mode one: the prerequisite authentication can be any one of several authentication types; for example, the prerequisite authentication can be static password authentication or dynamic password authentication;
(2) Mode two: an entry condition can also be set for the prerequisite authentication, and this entry condition can be authentication of yet another type; for example, the security-condition authentication is certificate verification, the entry condition of the security-condition authentication is passing dynamic password authentication, and the entry condition of dynamic password authentication is passing static password authentication.
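The ordered scheme of steps 63 to 67, as an added example that is not code from the patent: each authentication type in a chain may only be attempted once the previous type has been passed, an attempt out of order or with a type not in the chain gets the authentication-type-error response of steps 65 and 66, and the secure state is reached only when the last type (the security-condition authentication) has been passed. It generalizes the text's static-password-then-certificate case to the three-link chain of mode two by letting the chain be any list. The class and function names are assumptions; the constant-time password comparison is an added defensive detail the patent does not mention.

```python
"""Added example of chained (prerequisite) authentication (not the patent's code).

Assumptions: ChainedAuth and verify_static_password are illustrative names.
"""
import hmac


def verify_static_password(stored, supplied):
    """Step 64 comparison of the supplied static password with the one in secure storage.
    hmac.compare_digest avoids leaking the match length through timing (added detail)."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


class ChainedAuth:
    """Ordered authentication. `chain` lists the types in the order they must be passed;
    every type's prerequisite is the type before it, and the last type is the
    security-condition authentication whose success yields the secure state."""

    def __init__(self, chain):
        self.chain = list(chain)
        self.state = {t: False for t in self.chain}   # initial state: not performed

    def prerequisite(self, auth_type):
        i = self.chain.index(auth_type)
        return self.chain[i - 1] if i > 0 else None

    def authenticate(self, auth_type, verified):
        """Handle one authentication request. `verified` is the outcome of the
        password comparison or certificate verification for that request."""
        if auth_type not in self.state:
            return "auth_type_error"          # step 65: type not usable in this scheme
        pre = self.prerequisite(auth_type)
        if pre is not None and not self.state[pre]:
            return "auth_type_error"          # step 66: prerequisite not yet passed
        self.state[auth_type] = bool(verified)
        return "success" if verified else "failure"

    def secure(self):
        """Step 67: the security-condition authentication (last in the chain) passed."""
        return self.state[self.chain[-1]]
```

Note that the prerequisite check happens before the credential is examined at all, which matches the patent's step 66 and also means a certificate is never verified for a user who has not yet cleared the earlier link.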
As can be seen from the technical solution provided by the invention above, the mobile memory uses multiple types of authentication together to control the user's file access operations; only after the user has passed multiple types of authentication is the user allowed to perform the corresponding file access operations, which improves the security of accessing the mobile memory.
Third method embodiment
As shown in Figure 7, in this embodiment suppose there are N authentication types in total: AU1, AU2, ..., AUN. For each authentication type a pass state value Si (i = 1 ... N) is set; the mobile memory records the current state value of each authentication type, and while authentication of a given type has not been passed the corresponding state value can be set to 0; after authentication of the i-th type is passed, the mobile memory changes the corresponding current state value from 0 to the preset pass state value Si.
In addition, the mobile memory sets a security authentication condition value X, and the security authentication condition is set as: the sum of the current state values corresponding to all authentication types is greater than or equal to X.
Below, the embodiment is described with N=3, i.e., three authentication types in total: static password authentication (AU1), dynamic password authentication (AU2) and certificate verification (AU3), with S1=2, S2=3, S3=4.
71, after the mobile memory is connected to the display device, the display device displays a user authentication interface prompting the user to select an authentication type and to enter or select the corresponding password or certificate.
72, after the user selects an authentication type, an authentication request is sent to the mobile memory.
The authentication types the user can select include: static password authentication, dynamic password authentication, certificate verification.
73, after the mobile memory receives the authentication request sent by the display device, it identifies the authentication type; if static password authentication is used, jump to step 74; if dynamic password authentication is used, jump to step 75; if certificate-mode authentication is used, jump to step 76.
74, if static password authentication is used, the mobile memory compares the static password contained in the authentication request with the static password stored in its secure storage area; if they match, static password authentication succeeds, otherwise static password authentication fails; on success the mobile memory changes the static password authentication state value from 0 to 2.
75, if dynamic password authentication is used, the mobile memory compares the current dynamic password it generates with the dynamic password contained in the authentication request; if the two match, dynamic password authentication succeeds, otherwise dynamic password authentication fails; on success the mobile memory changes the dynamic password authentication state value from 0 to 3.
76, if certificate-mode authentication is used, after the mobile memory receives the authentication request sent by the display device it authenticates the certificate contained therein (hereinafter the display device certificate); on success the mobile memory changes the certificate verification state value from 0 to 4.
77, after this authentication succeeds, the mobile memory judges from the authentication state values of the various authentication types whether the preset security authentication condition is met; if it is met, the current state is marked as the secure state and the corresponding file access operations are allowed; if it is not met, jump to step 72.
The security authentication condition above is: the accumulated value of the authentication state values of the various authentication types is greater than or equal to the security authentication condition value X.
For example, when the security authentication condition value X=5, the security authentication condition is met as long as any two of the three types of authentication have been passed; when X=6, two types of authentication including certificate verification are needed to meet the security authentication condition.
The subsequent steps are similar to steps 58 to 512 of the embodiment above and are not repeated here.
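The weighted scheme of steps 74 to 77, as an added example that is not code from the patent: each type carries a pass state value Si, a successful authentication sets that type's current value to Si and a failure (or no attempt) leaves it at 0, and the secure state is reached when the sum reaches X. The example also adds two audit helpers that the patent does not describe: one enumerates the minimal sets of types that satisfy a given (Si, X) policy, and one checks the property stated in claim 1, that no M<N types reach X while every N types do. The weights S1=2, S2=3, S3=4 are the text's; the class and function names are assumptions.

```python
"""Added example of the state-value-sum security condition (not the patent's code).

Assumptions: WeightedAuth, minimal_satisfying_sets and enforces_n_of_any are
illustrative names; the weights follow the patent's N=3 example.
"""
from itertools import combinations

# Pass state values Si from the text: AU1 static password, AU2 dynamic password, AU3 certificate.
WEIGHTS = {"static_password": 2, "dynamic_password": 3, "certificate": 4}


class WeightedAuth:
    def __init__(self, weights, threshold):
        self.weights = dict(weights)            # type -> preset pass state value Si
        self.x = threshold                      # security authentication condition value X
        self.state = {t: 0 for t in weights}    # current state values, 0 = not passed

    def authenticate(self, auth_type, verified):
        """Steps 74-76: on success the current value becomes Si, otherwise it stays (or
        returns to) 0, so a later failure of the same type withdraws its contribution."""
        self.state[auth_type] = self.weights[auth_type] if verified else 0
        return bool(verified)

    def total(self):
        return sum(self.state.values())

    def secure(self):
        """Step 77: sum of current state values >= X."""
        return self.total() >= self.x


def minimal_satisfying_sets(weights, threshold):
    """All minimal sets of authentication types whose Si sum to at least `threshold`
    (a superset of an already-found set is skipped). Useful to see what a policy
    really demands before deploying it."""
    types = list(weights)
    found = []
    for m in range(1, len(types) + 1):          # increasing size, so earlier hits are smaller
        for combo in combinations(types, m):
            s = frozenset(combo)
            if any(prev <= s for prev in found):
                continue
            if sum(weights[t] for t in combo) >= threshold:
                found.append(s)
    return found


def enforces_n_of_any(weights, threshold, n):
    """Claim-1 property: every set of fewer than n types stays below the threshold and
    every set of exactly n types reaches it."""
    types = list(weights)
    for m in range(1, n):
        if any(sum(weights[t] for t in c) >= threshold for c in combinations(types, m)):
            return False
    return all(sum(weights[t] for t in c) >= threshold for c in combinations(types, n))
```

With the text's weights, X=5 is a plain "any two of three" rule, whereas X=6 is not: the static+dynamic pair sums to 5, so the policy silently requires the certificate to be one of the two, which is exactly what `minimal_satisfying_sets` reports and `enforces_n_of_any` rejects for n=2.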
As can be seen from the technical solution provided by the invention above, the mobile memory uses multiple types of authentication together to control the user's file access operations; only after the user has passed multiple types of authentication is the user allowed to perform the corresponding file access operations, which improves the security of accessing the mobile memory.
In the several embodiments provided by this application, it should be understood that the disclosed system, apparatus and method can be realized in other ways. For example, the apparatus embodiments described above are only schematic; the division into units is only a division by logical function, and other divisions are possible in an actual implementation, for example several units or components can be combined or integrated into another system, or some features can be ignored or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed can be through some interfaces, and the indirect coupling or communication connection of devices or units can be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they can be located in one place or distributed over several network elements. Some or all of the units can be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in each embodiment of the present invention can be integrated in one processing unit, or each unit can exist physically on its own, or two or more units can be integrated in one unit. The integrated unit can be realized in the form of hardware or in the form of a software functional unit.
If the integrated unit is realized in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. On this understanding, the essence of the technical solution of the present invention, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and comprises instructions that cause a computer device (which can be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method described in each embodiment of the present invention. The storage medium includes: a USB flash disk, a portable hard drive, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disc, an optical disc, or any other medium that can store program code.
The above are only preferred embodiments of the present invention, but the protection scope of the present invention is not limited thereto; any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.

Claims (6)

1. An access control method for a mobile memory, characterized in that it comprises:
the mobile memory receives authentication requests of multiple authentication types and carries out authentication;
when said mobile memory judges that authentication of the preset N types has currently been passed, it allows the file access operations preset for said mobile memory;
said mobile memory judges whether authentication of the preset N types has currently been passed in the following way: it judges that the sum of the state values corresponding to authentication of any M types is less than X, where M<N and X is a preset security authentication value, and that the sum of the state values corresponding to authentication of any N types, or of the preset N types, is greater than or equal to X; if so, it judges that authentication of the preset N types has been passed; said N is an integer greater than or equal to 2.
2. The access control method according to claim 1, characterized in that said authentication types comprise: static password authentication, dynamic password authentication or certificate verification.
3. The access control method according to claim 1, characterized in that said preset file access operations are the file access operations corresponding to the current file access authority;
wherein said current file access authority is the file access authority corresponding to the current highest security level;
said current highest security level is the security level corresponding to the maximum value among the security levels corresponding to the currently passed authentication of said N types.
4. The access control method according to claim 1, characterized in that said preset file access operations are the file access operations corresponding to the current file access authority;
wherein said current file access authority is the union of the file access authorities respectively corresponding to the currently passed authentication of said N types.
5. A mobile memory, characterized in that it comprises an authentication unit and an access control unit, wherein:
said authentication unit is used to receive authentication requests of multiple authentication types, carry out authentication, and output an authentication result;
said access control unit is used to judge, according to the authentication result output by said authentication unit, whether authentication of the preset N types has currently been passed, and, when it judges that authentication of the preset N types has currently been passed, to allow the file access operations preset for said mobile memory; said access control unit judges whether authentication of the preset N types has currently been passed in the following way: it judges that the sum of the state values corresponding to authentication of any M types is less than X, where M<N and X is a preset security authentication value, and that the sum of the state values corresponding to authentication of any N types, or of the preset N types, is greater than or equal to X; if so, it judges that authentication of the preset N types has been passed;
said N is an integer greater than or equal to 2.
6. An access control system for a mobile memory, characterized in that it comprises a display device and the mobile memory according to claim 5, wherein:
said display device is used to send authentication requests of multiple authentication types to said mobile memory;
said mobile memory is used to receive the authentication requests of multiple authentication types sent by said display device and carry out authentication, and, when said mobile memory judges that authentication of the preset N types has currently been passed, to allow the file access operations preset for said mobile memory; said N is an integer greater than or equal to 2.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110337854.5A CN102426555B (en) 2011-10-31 2011-10-31 The access control method of a kind of mobile memory, mobile memory and system

Publications (2)

Publication Number Publication Date
CN102426555A CN102426555A (en) 2012-04-25
CN102426555B true CN102426555B (en) 2015-12-02

Family

ID=45960543

Country Status (1)

Country Link
CN (1) CN102426555B (en)

Also Published As

Publication number Publication date
CN102426555A (en) 2012-04-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C53 Correction of patent for invention or patent application
CB02 Change of applicant information

Address after: 102211 Beijing city Changping District Baishan town 100 Ge Road No. 9 Building No. 2 hospital

Applicant after: Tendyron Technology Co., Ltd.

Address before: 100083, B, block 17, golden building, No. 1810 Qinghua East Road, Beijing, Haidian District

Applicant before: Beijing Tendyron Technology Co., Ltd.

C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant