CN102521164B - Access control method of mobile memory, mobile memory and system - Google Patents

Access control method of mobile memory, mobile memory and system Download PDF

Info

Publication number
CN102521164B
CN102521164B CN 201110337850 CN201110337850A CN102521164B CN 102521164 B CN102521164 B CN 102521164B CN 201110337850 CN201110337850 CN 201110337850 CN 201110337850 A CN201110337850 A CN 201110337850A CN 102521164 B CN102521164 B CN 102521164B
Authority
CN
China
Prior art keywords
file
information
authentication
file information
removable memory
Prior art date
Application number
CN 201110337850
Other languages
Chinese (zh)
Other versions
CN102521164A (en
Inventor
李东声
Original Assignee
天地融科技股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 天地融科技股份有限公司 filed Critical 天地融科技股份有限公司
Priority to CN 201110337850 priority Critical patent/CN102521164B/en
Publication of CN102521164A publication Critical patent/CN102521164A/en
Application granted granted Critical
Publication of CN102521164B publication Critical patent/CN102521164B/en

Links

Abstract

本发明公开了一种移动存储器的访问控制方法、移动存储器及系统,属信息安全领域。 The present invention discloses an access control method, a mobile system and a removable memory storage, is the field of information security. 该方法包括:移动存储器与文件信息显示装置连接后,接收文件信息显示装置发送的包含显示装置证书的认证请求;在接收到认证请求后,移动存储器对认证请求中包含的显示装置证书进行认证,认证成功后,移动存储器接收文件信息显示装置发送的文件信息浏览请求,并提取与文件信息浏览请求对应的文件信息发送至文件信息显示装置进行显示。 The method comprising: a removable memory to the file information display apparatus is connected, the authentication request comprising a device certificate display apparatus transmits the received file information display; after receiving the authentication request, a removable memory to the device certificate displaying the authentication request contains the authentication, after successful authentication, the removable memory receiving the file information display apparatus transmits the file information browsing request, the browser and extracts the file information corresponding to the request information to the document file information display device for display. 该方法可以解决现有的安全U盘使用静态的认证口令对使用者进行身份认证,安全性较差的问题。 This method can solve the existing security U disk to use static password authentication for user identity authentication, poor security issues. 提高了安全U盘访问控制的安全性。 Improve the safety of U disk access security control.

Description

移动存储器的访问控制方法、移动存储器及系统 Access control method of a mobile memory, removable memory system and

技术领域 FIELD

[0001] 本发明涉及信息安全领域,尤其涉及一种移动存储器的访问控制方法、移动存储器及系统。 [0001] The present invention relates to information security, and in particular, to a removable memory access control method, and a removable memory system.

背景技术 Background technique

[0002] 随着移动存储器,尤其是以USB为接口的移动存储器(以下简称为U盘)的迅速普及,存储在U盘中的文件的安全性问题日益受到关注。 [0002] With the removable memory, especially in USB mobile memory interface (hereinafter referred to as U disk) is rapidly growing popularity, more and more attention in the storage security problems U disk file.

[0003] 为了增强U盘的安全性,能够对U盘的文件访问操作进行控制的安全U盘已逐渐应用到军事、金融、商业等领域。 [0003] In order to enhance the security of U disk, U disk can file access operations for security U disk control has been gradually applied to the military, financial, business and other fields. 安全U盘进行访问控制的基本原理是,用户在对安全U盘中的文件进行访问前,需要通过计算机终端向安全U盘发送认证口令(以下简称为口令),安全U盘对口令进行认证,认证通过后才允许对安全U盘进行文件读写等操作。 The basic principles of security U disk access control is that the user before the security U disk file access, you need a computer terminal to send an authentication password security U disk (hereinafter referred to as a password), U disk security of password authentication, after certification of security by allowing U disk file read and write operations.

[0004] 现有的安全U盘使用静态的认证口令对使用者进行身份认证,安全性较差。 [0004] existing security U disk using a static password authentication for user identity authentication, security is poor.

发明内容 SUMMARY

[0005] 本发明实施方式提供一种移动存储器、移动存储器的访问控制方法及系统,可以解决现有的安全U盘使用静态的认证口令对使用者进行身份认证,安全性较差的问题。 [0005] The present invention provides an embodiment of a removable memory access control method and system of removable memory may be solved using the conventional U-static security authentication password for user authentication, poor security.

[0006] 为解决上述技术问题,本发明实施方式提供一种移动存储器的访问控制方法,该方法包括以下步骤: [0006] In order to solve the above technical problem embodiment of the present invention to provide a mobile memory access control method comprising the steps of:

[0007] 移动存储器与文件信息显示装置连接后,接收文件信息显示装置发送的包含显示装置证书的认证请求; [0007] removable memory to the file information display apparatus is connected, the authentication device certificate request comprising a display means displaying the file information transmitted from the receiver;

[0008] 在接收到认证请求后,移动存储器对认证请求中包含的显示装置证书进行认证,认证成功后,移动存储器接收文件信息显示装置发送的文件信息浏览请求,并提取与文件信息浏览请求对应的文件信息发送至文件信息显示装置进行显示。 [0008] Upon receiving the authentication request, a removable memory to the device certificate displaying the authentication request contains the authentication, authentication is successful, the file information browsing request transmitted from the removable memory receiving file information display, and extracts the file information browsing corresponding to the request the document file information display information to the display device.

[0009] 并且,移动存储器对显示装置证书认证成功后,向文件信息显示装置发送移动存储器证书; [0009] Then, when the removable memory device certificate authentication success of the display, the information display apparatus transmits the file to a removable storage certificate;

[0010] 文件信息显示装置在接收到所述移动存储器证书后,对所述移动存储器证书进行认证,认证成功后发送所述文件信息浏览请求。 [0010] the file information display apparatus after receiving the certificate removable memory, said removable memory certificates for authentication, transmits the file information browsing request after the authentication succeeds.

[0011] 并且,移动存储器接收到所述文件信息浏览请求后,对该文件信息浏览请求进行分析,判断当前的访问权限是否允许进行对应的文件访问操作,若允许,则执行后续操作;若不允许,则向文件信息显示装置返回禁止执行对应的文件访问操作的应答信息。 [0011] Then, after moving to the file memory receives information browsing request, the browser analyzes the request file information, determines whether the current access to the corresponding file to allow access operation, if allowed, subsequent operations are performed; if allowed, returns response information file means prohibits execution of the access operation corresponding to the file information is displayed.

[0012] 并且,在判断当前的访问权限为允许进行对应的文件访问操作后,还包括以下步骤: After [0012] Further, in the determination of the access rights corresponding to the current file to allow access operations, further comprising the step of:

[0013] 移动存储器判断当前的文件访问操作是否需要进行口令认证,若需要,则向文件信息显示装置发送口令认证请求; [0013] removable memory determines whether the current operation of the file access password authentication is performed, if necessary, password authentication apparatus transmits a request to the file information is displayed;

[0014] 接收到口令认证请求后,文件信息显示装置将用户通过文件信息显示装置输入的相应的文件操作口令包含在口令认证请求回复中发送给移动存储器; [0014] Upon receiving the password authentication request, the file information display apparatus displays information to the user via the file input means corresponding file password contained in the password authentication operation request reply to a removable memory;

[0015] 移动存储器接收到文件信息显示装置发送的口令认证请求回复后,对所述文件操作口令进行认证,认证通过后执行后续的文件访问操作。 After [0015] removable memory receiving the file information display apparatus transmits the password authentication request reply, the authentication password file operations, file access operation executed after the subsequent authentication.

[0016] 并且,在移动存储器对显示装置证书认证成功后,还包括: [0016] Then, after the mobile storage device certificate authentication success of the display, further comprising:

[0017] 移动存储器根据显示装置证书中的使用者标识信息,获取本地存储的该使用者对应的访问权限信息,并将其作为当前的访问权限。 [0017] The mobile user identification information storage display device certificate acquired locally stored access right information corresponding to the user, and as its current access.

[0018] 并且,通过以下方式将提取的与文件信息浏览请求对应的文件信息发送至文件信息显示装置进行显示: [0018] Then, the extracted information of the file by browsing way corresponding to the request file information to the file information display means displays:

[0019] 移动存储器用预先设置的传输密钥或与文件信息显示装置协商得到的传输密钥,对提取的与文件信息浏览请求对应的文件信息进行加密后,将加密后的文件信息发送至文件信息显示装置; [0019] removable memory by a transmission key or the preset key transmission means for negotiating with the obtained display information file, and the file of the extracted information browsing information corresponding to the request file is encrypted, the encrypted file is transmitted to the information files information display means;

[0020] 文件信息显示装置接收到文件信息后,使用对应的传输密钥对其进行解密,将解密后的文件信息在显示屏上进行显示。 After [0020] the file information display apparatus receiving the file information corresponding to the transmission key used to decrypt the decrypted file information is displayed on the display screen.

[0021] 并且,在文件信息显示装置发送所述文件信息浏览请求前,还包括以下步骤: [0021] The front information browsing device transmits the file in the file information display request, further comprising the step of:

[0022] 移动存储器与文件信息显示装置进行密钥协商,得到用于对文件信息进行加密和解密的传输密钥。 [0022] removable memory to the file information display device key agreement to give the file transmission key is used to encrypt and decrypt the information.

[0023] 本发明实施方式还提供一种移动存储器,该移动存储器包括: [0023] Embodiments of the invention further provides a removable storage, the removable memory comprises:

[0024] 主控模块、数据传输模块和存储模块; [0024] The main control module, data transmission module and a storage module;

[0025] 其中,所述数据传输模块与所述主控模块连接,用于连接外部的文件信息显示装置,使所述主控模块与文件信息显示装置之间进行数据的传输; [0025] wherein said data transmission module and the control module is connected, for connection to an external file information display apparatus, the display control module to the file information for data transmission between devices;

[0026] 所述存储模块与所述主控模块连接,用于存储供所述主控模块提取的文件信息和对认证请求进行认证用的颁发者证书; [0026] The storage module is connected with the main control module, for storing the file information for the main control module extracts the authentication request and the authentication issuer certificate;

[0027]所述主控模块与所述数据传输模块和存储模块连接,用于接收经所述数据传输模块连接的文件信息显示装置发送的包含显示装置证书的认证请求,对接收到的认证请求中包含的显示装置证书进行认证;认证成功后,通过所述数据传输模块接收文件信息显示装置发送的文件信息浏览请求,并从存储模块中提取与文件信息浏览请求对应的文件信息发送至文件信息显示装置进行显示。 [0027] The main control module is connected to the data transmission module and a storage module for a certificate authentication request display means comprises means for transmitting the received file information via the data transmission module is connected to a display, the received authentication request the display device contained in the certificate authentication; authentication is successful, the reception file information browsing request transmitted from the display apparatus through the data transmission module, and extracts the file information corresponding to the browse request file information to the file information from the storage module display means for display.

[0028] 并且,所述存储模块,还用于存储移动存储器证书; [0028] Further, the storage module is further configured to store certificate removable memory;

[0029] 所述主控模块,还用于在对显示装置证书认证成功后,向文件信息显示装置发送移动存储器证书;使文件信息显示装置在接收到所述移动存储器证书后,对所述移动存储器证书进行认证,认证成功后发送所述文件信息浏览请求。 [0029] The main control module is further configured to, after successful authentication of the certificate display apparatus, the display apparatus transmits the file information to the mobile storage certificate; make the file information to the mobile device after receiving the certificate memory of the mobile display memory certificates for authentication, transmits the file information browsing request after the authentication succeeds.

[0030] 10、根据权利要求8所述的移动存储器,其特征在于, [0030] 10. The removable memory according to claim 8, characterized in that,

[0031] 在接收到所述文件信息浏览请求后, [0031] After receiving the file information browsing request,

[0032] 所述主控模块,还用于对该文件信息浏览请求进行分析,判断当前的访问权限是否允许进行对应的文件访问操作,若允许,则执行后续操作;若不允许,则向文件信息显示装置返回禁止执行对应的文件访问操作的应答信息。 [0032] The main control module is further configured to analyze the document browsing request information, determines whether the current access to the corresponding file to allow access operation, if allowed, subsequent operations are performed; if not permitted, then the document means returns response information file prohibits execution of the access operation corresponding to information displayed.

[0033] 并且,在判断当前的访问权限为允许进行对应的文件访问操作后, [0033] Further, in the determination of the current access is permitted after the corresponding file access operations,

[0034] 所述主控模块,还用于判断当前的访问操作是否需要进行口令认证,若需要,向文件信息显示装置发送口令认证请求,并通过所述数据传输模块接收文件信息显示装置根据口令认证请求回复的口令认证应答,口令认证应答中包含由用户通过文件信息显示装置输入的相应的文件操作口令;对口令认证应答中包含的文件操作口令进行认证,认证通过后执行后续的文件访问操作。 [0034] The main control module is further configured to determine whether the current access password authentication operation, if necessary, password authentication apparatus transmits a request to display the file information, and receives the file information display apparatus through the data transmission module based on the password authentication request reply password authentication response password authentication response includes the corresponding file operation password inputted by the user profile information is displayed by; file operation password password authentication response contained in the authentication, perform subsequent file access operation after the authentication by .

[0035] 并且,与获取动态口令的令牌对应的动态口令生成模块,与所述主控模块连接,用于生成限定当前的访问操作的动态口令。 [0035] Then, the OTP token and access to the corresponding dynamic password generating module, connected with the master control module for generating a current access operation defining dynamic password.

[0036] 并且,将提取的与文件信息浏览请求对应的文件信息发送至文件信息显示装置进行显示之前, [0036] Then, the extracted file information and file information corresponding to a browsing request is sent to the display device prior to display information file,

[0037] 所述主控模块,还用于用预先设置的传输密钥或与文件信息显示装置协商得到的传输密钥,对提取的与文件信息浏览请求对应的文件信息进行加密后,将加密后的文件信息发送至文件信息显示装置。 [0037] The main control module is further for transmitting the negotiated key means with a preset transmission key or file information display, information corresponding to the file request to file the extracted information browsing is encrypted, the encrypted after the file information to the file information display apparatus.

[0038] 并且,在文件信息显示装置发送所述文件信息浏览请求前, [0038] Further, before the device transmits the file information in the file information display browsing request,

[0039] 所述主控模块,还用于与文件信息显示装置进行密钥协商,得到用于对文件信息进行加密和解密的传输密钥。 [0039] The main control module is further configured to the file information display device key agreement to obtain information for the file transmission key for encryption and decryption.

[0040] 本发明实施方式进一步提供一种移动存储器的访问控制系统,该系统包括: [0040] The embodiments of the present invention further provides a removable memory access control system comprising:

[0041] 相互连接的移动存储器和文件信息显示装置; [0041] removable memory and file information display device connected to each other;

[0042] 其中,所述移动存储器采用上述任一项所述的移动存储器。 [0042] wherein the removable memory using memory move any preceding claim.

[0043] 由上述本发明提供的技术方案可以看出,本发明实施方式提供的移动存储器的访问控制方法,可以由移动存储器对文件信息显示装置发送的包含显示装置证书的认证请求进行认证,在认证通过后,再根据用户通过文件信息显示装置发送的相应的文件信息浏览请求,提取与文件信息浏览请求对应的文件信息发送至文件信息显示装置进行显示。 [0043] provided by the technical solution of the present invention can be seen, the memory access control method of a mobile embodiment of the present invention provides, apparatus may comprise a certificate authentication request transmitted from the display device to authenticate the document information displayed by a removable memory, in after the authentication, and then sending the user by displaying the file information corresponding to the file information browsing device transmits a request, and extracts the file information corresponding to the browse request file information to the file information display device for display. 该方法可以解决现有的安全U盘使用静态的认证口令对使用者进行身份认证,安全性较差的问题。 This method can solve the existing security U disk to use static password authentication for user identity authentication, poor security issues. 提高了安全U盘访问控制的安全性。 Improve the safety of U disk access security control.

附图说明 BRIEF DESCRIPTION

[0044] 为了更清楚地说明本发明实施例的技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域的普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他附图。 [0044] In order to more clearly illustrate the technical solutions in the embodiments of the present invention, briefly describes the accompanying drawings required for describing the embodiments used in the following embodiments will be apparent in the following description of the accompanying drawings are merely some embodiments of the present invention. embodiment, those of ordinary skill in the art is concerned, without creative efforts, other figures may also be obtained according to these drawings.

[0045] 图1为本发明实施例提供的移动存储器的访问控制方法的流程图; [0045] FIG. 1 is a flowchart of a removable memory access control method according to an embodiment of the present invention;

[0046] 图2为本发明实施例提供的移动存储器的结构示意图; [0046] FIG. 2 is a schematic configuration of removable memory according to an embodiment of the present invention;

[0047] 图3为本发明实施例提供的移动存储器的访问控制系统的结构示意图。 [0047] FIG. 3 is a schematic structure of an access control system of removable storage according to an embodiment of the present invention.

具体实施方式 Detailed ways

[0048] 下面结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。 [0048] Next, in conjunction with the present invention in the accompanying drawings, technical solutions of embodiments of the present invention are clearly and completely described, obviously, the described embodiments are merely part of embodiments of the present invention rather than all embodiments . 基于本发明的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明的保护范围。 Based on the embodiments of the present invention, all other embodiments of ordinary skill in the art without any creative effort shall fall within the scope of the present invention.

[0049] 下面将结合附图对本发明实施例作进一步地详细描述。 [0049] The accompanying drawings in conjunction with the following detailed description of embodiments of the present invention will be further implemented.

[0050] 本发明的要点在于:在移动存储器(例如U盘)中预先存储一个或多个根证书(颁发者证书),每一根证书对应一个可信的CA (Certificate Authority,认证中心);在文件信息显示装置(例如,个人电脑或专用的移动存储器显示装置,以下简称显示装置)中需要预先存储由上述可信的CA颁发的证书(可以称为显示装置证书或用户证书);在移动存储器与显示装置连接后,移动存储器通过对显示装置发送的显示装置证书进行认证后再进行后续的显示文件信息的操作,提高对移动存储器访问控制的安全性。 [0050] The gist of the present invention is: in a removable memory (e.g., U disk) or a plurality of previously stored root certificate (certificate issuer), each corresponding to a trusted root certificate of the CA (Certificate Authority, Authentication Center); file information display device (e.g., a personal computer or a dedicated memory of the mobile display device, hereinafter referred to as display device) needs to store beforehand a certificate issued by the trusted CA (may be referred to as a display device or the user certificate); mobile after the memory device is connected with the display, by displaying a removable memory device transmits the device certificate authentication and then the subsequent operation display file information to improve the security of access control to the removable memory.

[0051] 此外,为了实现移动存储器和显示装置之间的双向认证,移动存储器中还需要存储自身的证书(可以称为存储器证书),用于在与显示装置连接后发送给显示装置进行认证。 [0051] Further, in order to achieve mutual authentication between the mobile device and a display memory, removable memory also needs to store its own certificate (certificate can be referred to as memory) for a connection with the display device to the display device for authentication.

[0052] 第一方法实施例 Example [0052] The first method

[0053] 图1是本发明移动存储器的访问控制方法流程图。 [0053] FIG. 1 is an access control method of the present invention is a removable memory. FIG. 如图1所示,该方法包括如下步骤: As shown in FIG 1, the method comprising the steps of:

[0054] 101,移动存储器与显示装置连接后,显示装置向移动存储器发送认证请求; [0054] 101, the removable memory device is connected with the display, the display apparatus sends an authentication request to the removable memory;

[0055] 上述认证请求中包含该显示装置的证书。 [0055] The authentication request contains the certificate of the display device.

[0056] 上述显示装置证书可以由显示装置从其内置、或外接的存储模块中读取获得,并发送至移动存储器。 [0056] The display device may be a device certificate from the built-in display, or an external memory module reads obtained and sent to a removable memory.

[0057] 上述外接的存储模块可以是存储卡、智能卡、SIM卡等。 [0057] The external memory module may be a memory card, a smart card, SIM card or the like.

[0058] 102,移动存储器接收到显示装置发送的认证请求后,对其中包含的显示装置证书进行认证,如果证书认证成功,则执行下一步,否则向显示装置发送认证失败的消息,本方法结束; After [0058] 102, a removable memory device transmits the received authentication request display, wherein the display device comprises a certificate of authentication, certificate authentication, if successful, the next step is performed, otherwise the device sends an authentication failure message to the display, the method ends ;

[0059] 上述认证过程可以分为如下子步骤: [0059] The authentication process can be divided into the following sub-steps:

[0060] 102a,移动存储器读取显示装置证书中的颁发者标识信息,并根据该信息获取对应的颁发者证书; [0060] 102a, a removable memory read display device certificate issuer identification information, and acquires the corresponding certificate issuer based on the information;

[0061] 102b,移动存储器从颁发者证书中读取该证书的公钥; [0061] 102b, a removable memory read public key certificate from the issuer of the certificate;

[0062] 102c,移动存储器使用上述公钥对显示装置证书的证书签名字段进行验证,如果签名验证成功则表明证书认证成功,否则表明证书认证失败。 [0062] 102c, a removable memory device using the public key certificate of the certificate to verify the signature field is displayed, if the signature verification is successful indicates that the certificate authentication is successful, it indicates that the certificate or authentication fails.

[0063] 103,移动存储器根据显示装置证书中的使用者标识信息,获取本地存储的该使用者(用户)对应的访问权限信息,并将其作为当前的访问权限。 [0063] 103, the mobile user identification information according to a display memory device certificate, obtaining the local storage of the user (user) corresponding to the access right information, and as the current access.

[0064] 访问权限可以分为多个等级,不同的访问权限等级可以对应不同的文件、和/或目录、和/或分区、和/或不同的文件访问操作(例如,读取文件,修改文件,删除文件,创建文件,浏览文件夹,创建文件夹,删除文件夹等)。 [0064] The access can be divided into a plurality of levels, different levels of access rights may correspond to different files and / or directories, and / or partitions, and / or different file access operations (e.g., read files, modify files , delete files, create files, browse folders, create folders, delete folders, etc.).

[0065] 例如,可以将访问权限分为三级:高级、中级和低级; [0065] For example, access rights can be divided into three levels: high, medium and low;

[0066] 对于访问权限为高级的用户,可以对所有分区的所有目录(文件夹)中的所有文件进行所有的访问操作; [0066] For access to advanced user, you can access all the action on all files in all directories of all partitions (folder) in;

[0067] 对于访问权限为中级的用户,可以对特定分区/目录(文件夹)中的部分或全部文件进行读取、修改操作,并可以进行创建文件、浏览文件夹等访问操作;但不允许进行删除文件,删除文件夹等操作; [0067] For access to intermediate users, may be made to a specific partition / directory (folder) some or all of the file read, modify operation, and can create a file, browse folders and other access operations; but not delete files, delete folders and other operations;

[0068] 对于访问权限为低级的用户,只能对特定分区/目录(文件夹)中的部分文件进行读取操作。 [0068] For low-level access to a user, only a read operation on a particular partition / directory (folder) of the file.

[0069] 104,证书认证成功后,移动存储器向显示装置发送认证应答,以通知显示装置/用户已通过认证,可以进行后续的密钥协商、文件浏览等操作; [0069] 104, the certificate authentication is successful, a removable memory device transmits authentication response to the display, to notify the display device / user is authenticated, subsequent key agreement can, file browsing and other operations;

[0070] 可选地,上述认证应答中可以包含移动存储器的证书。 [0070] Optionally, the certificate authentication response may include removable storage.

[0071] 105,接收到移动存储器发送的认证应答后,显示装置对其中包含的移动存储器证书进行认证,如果证书认证成功则执行下一步,否则本方法结束; [0071] 105, after receiving the authentication response transmitted from the removable memory, a display device wherein the removable memory comprises the authentication certificate, the authentication is successful if the certificate is the next step, otherwise ending the method;

[0072] 上述认证过程可以分为如下子步骤: [0072] The authentication process can be divided into the following sub-steps:

[0073] 105a,显示装置读取移动存储器证书中的颁发者标识信息,并根据该信息获取对应的颁发者证书; [0073] 105a, the display device reads the removable memory certificate issuer identification information, and acquires the corresponding certificate issuer based on the information;

[0074] 105b,显示装置从颁发者证书中读取该证书的公钥; [0074] 105b, the display device reads the public key from the certificate issuer certificate;

[0075] 105c,显示装置使用上述公钥对移动存储器证书的证书签名字段进行验证,如果签名验证成功则表明证书认证成功,否则表明证书认证失败。 [0075] 105c, the display device using the public key certificate of the certificate signature field removable memory for verification, the signature verification is successful if the certificate indicates that the authentication is successful, it indicates that the certificate or authentication fails.

[0076] 当然,如果显示装置具备网络功能,显示装置也可以将移动存储器证书发送给特定的认证服务器进行认证。 [0076] Of course, if the display apparatus includes a network function, the display device may be a removable memory authentication certificate sent to a particular authentication server.

[0077] 本步骤为可选步骤。 [0077] This step is optional.

[0078] 106,移动存储器与显示装置进行密钥协商,得到用于对文件信息进行加密和解密的传输密钥。 [0078] 106, a removable memory and the display device key agreement to obtain information for the file transmission key for encryption and decryption.

[0079] 上述密钥协商过程可以采用E⑶H(椭圆曲线密码体制的Diffie-Hellman)算法实现,也可以采用现有技术中的其它密钥协商/交换算法实现。 [0079] The key negotiation process may be employed E⑶H (Elliptic Curve Cryptosystem Diffie-Hellman) algorithm, can also be employed other prior art key negotiation / exchange algorithm.

[0080] 本步骤为可选步骤。 [0080] This step is optional.

[0081] 107,显示装置在其显示屏上显示文件信息浏览操作界面,供用户启动文件信息浏览操作; [0081] 107, the display means displays on its display screen file information browsing interface for the user of the boot file browsing operation;

[0082] 文件信息浏览操作界面可以是一段文字信息,例如:“按下X键后开始进行文件信息的浏览操作”,当用户按下指定按键后启动文件信息的浏览操作;文件信息浏览操作界面也可以是一个图标,当用户选择该图标后启动文件信息的浏览操作。 [0082] File information browsing interface may be a text message, for example: "press X to start browsing the document information operation", when the user presses the button to start the designated file information browsing operation; file information browsing interface It may be an icon, when the user selects the icon of the boot file browsing operation.

[0083] 如果显示装置是个人电脑,上述文件信息浏览操作界面通常为个人电脑操作系统提供的文件浏览器,例如资源管理器。 [0083] If the display device is a personal computer, said document information browsing interface normally provided for the personal computer operating system file browser, for example, the resource manager.

[0084] 108,接收到用户通过键盘等输入设备输入的文件信息浏览指令后,显示装置向移动存储器发送相应的文件信息浏览请求; [0084] 108, receiving the user instruction input via the file browsing information input device such as a keyboard, the display apparatus transmits the corresponding information to the mobile storage file browse request;

[0085] 上述文件信息浏览指令可以是:浏览磁盘中包含的磁盘分区、浏览磁盘分区中包含的文件或文件夹、显示文件信息等。 [0085] The file information browsing instruction may be: partition disk contains the browser, browse files or folders contained in the disk partition, the file information displays.

[0086] 上述文件信息浏览请求中包含:分区信息,文件路径信息,文件名称,数据起始位置,数据结束位置(或数据长度)等信息。 [0086] The file information browsing request includes: partition information, file path information, the file name, the data start position, end position data (or data length) information.

[0087] 上述分区信息用于指定移动存储器上的特定磁盘分区或者根分区; [0087] The partition information is used to specify a particular disk or partition on a removable memory root partition;

[0088] 例如,当移动存储器包含多个分区(例如,包含分区I和分区2)时,分区信息中包含分区I的标识则表示需要浏览分区I中的文件或文件夹;分区信息中包含根分区标识则表示需要浏览移动存储器中包含的各磁盘分区(即分区I和分区2)。 [0088] For example, when the mobile memory comprises a plurality of partitions (e.g., comprising a partition 2 and partition I), the identification information contained in the partition of the partition I I indicates the need to browse the partition files or folders; root partition information includes you need to partition identification of each said partition contains a removable memory (i.e., partition 2 and partition I).

[0089] 文件路径信息用于指定移动存储器的特定磁盘分区或者根分区中的文件夹; [0089] file path information for designating a particular mobile storage disk partition or partitions of the root folder;

[0090] 例如,文件路径信息为“文件夹1\子文件夹2”表示需要浏览某一磁盘分区或根分区中“文件夹I”中的“子文件夹2”中的文件或文件夹。 [0090] For example, the file path information to "Folder 1 \ 2 subfolder" means you need a disk partition or the root partition "folder I" in the "sub-folder 2" in the file or folder.

[0091] 文件名称用于指定移动存储器的特定磁盘分区或者根分区中某一文件路径中的特定文件的名称; [0091] The file name specifies the name of the particular mobile storage root partition or partition specific file in a file path;

[0092] 数据起始位置用于指定需要读取的某一文件的数据起始位置; [0092] The data used to specify the starting position of a data file needs to be read starting position;

[0093] 数据结束位置用于指定需要读取的某一文件的数据结束位置; A data file [0093] data for specifying the end position of the end position to be read;

[0094] 数据结束位置也可以由数据长度代替,即显示装置指定需要读取的文件的数据起始位置和数据长度,移动存储器根据上述信息确定显示装置需要读取的文件的数据结束位置。 [0094] Data from the end position of the data length may also be replaced, i.e. the display data file specified to be read means and the data length of start position, end position of the removable memory information for determining the data file needs to be read in the display apparatus according to.

[0095] 109,接收到显示装置发送的文件信息浏览请求后,移动存储器对该文件信息浏览请求进行分析,判断当前的访问权限是否允许进行对应的访问操作,如果允许,则执行下一步;如果不允许,则向显示装置返回禁止执行对应的访问操作的应答信息,本方法结束。 [0095] 109, after receiving the file information browsing request transmitted from the display device, a removable memory to the file browsing request information is analyzed, determining whether the current access right corresponding to the access operation to allow, if allowed, the next step is executed; if is not allowed, then return to the display apparatus prohibits execution of response information corresponding to the access operation, the process ends.

[0096] 110,移动存储器提取文件信息浏览请求对应的文件信息; [0096] 110, a removable memory file to extract information browsing request information corresponding to the file;

[0097] 上述文件信息可以是:文件的全部或部分数据,也可以是某一分区或文件夹中包含的各文件的属性信息(例如,文件名称,文件大小等)。 [0097] The file information may be: all or part of the data file, or may be a partition or folder contains attribute information for each file (e.g., file name, file size, etc.).

[0098] 111,移动存储器使用预先设置的传输密钥或步骤105中协商得到的传输密钥对提取的文件信息进行加密; [0098] 111, or transmission key step of moving the transport key using a preset memory 105. negotiated on a file encrypting the extracted information;

[0099] 本步骤为可选步骤。 [0099] This step is optional.

[0100] 112,移动存储器将文件信息发送至显示装置。 [0100] 112, a removable memory sends the file information to the display device.

[0101] 113,显示装置接收到文件信息后,如果该文件信息已加密,则使用传输密钥对其进行解密,将解密的文件信息显示在显示屏上;如果文件信息未加密,则直接将其显示在显示屏上。 [0101] 113, the display device receives the information file, if the file information is encrypted, using the transport key to decrypt the decrypted file information on a display screen; if the file information is not encrypted, then directly which is displayed on the screen.

[0102] 此后,当用户使用显示装置中的键盘等输入设备进行文件访问操作(例如,打开文件操作、翻页操作、浏览新的磁盘分区、浏览新文件夹),需要从移动存储器中读取新的文件信息时,显示装置与移动存储器重复执行步骤108至步骤113。 [0102] Thereafter, when a device such as a keyboard input device for file access operations (e.g., opening a file operation, turning operation, browse new partition, new folder browser) user uses the display, needs to be read from the removable memory new file information, display means with a removable memory repeat steps 108 to step 113.

[0103] 第二方法实施例 Example [0103] A second method

[0104] 第二实施例与第一实施例的不同之处在于:第一实施例中移动存储器仅通过显示装置的证书进行权限管理;第二实施例中,对于特定的文件访问操作,例如文件打开操作,还要求用户输入对应的文件操作口令;上述文件操作口令可以是静态口令,也可以是动态口令(例如,OTP 口令)。 [0104] The second embodiment is different from the first embodiment in that: the removable memory in the first embodiment only by the certificate authority management device display; the second embodiment, the file access for a particular operation, such as file open operation, also require the user to enter a password corresponding to the file operation; and the password file operation may be static password, the password may be dynamic (e.g., the OTP password). 因此在步骤109〜110之间还需要增加如下步骤: Thus between the need to increase the step 109~110 further step of:

[0105] A:移动存储器判断当前的访问操作是否需要进行口令认证,如果需要则执行步骤B ; [0105] A: a removable memory access operation determines whether the current password is required for authentication, if necessary, executing step B;

[0106] 需要进行口令认证的访问操作可以是特定类型的访问操作,例如,所有的打开文件操作,也可以是针对特定文件或文件夹执行的特定的访问操作,例如,对特定文件夹中的文件执行的打开文件操作需要进行口令认证。 [0106] password is required for authentication access operations can be a specific type of access operation, for example, all of the open file operation, it can be for a particular access operation of a particular file or folder, for example, to a specific folder open the file to perform file operations require password authentication.

[0107] B:移动存储器向显示装置发送口令认证请求; [0107] B: a removable memory device transmits the password authentication request to the display;

[0108] C:显示装置提示用户输入相应的文件操作口令; [0108] C: prompt the user for the display device corresponding to the password file operations;

[0109] 上述文件操作口令可以是预先设置的静态口令,也可以是动态口令(例如,OTP 口令)。 [0109] the above-described static passwords password file operation may be set in advance, it may be a dynamic password (e.g., the OTP password). 如果采用动态口令,用户需要通过令牌获取口令,移动存储器中需要设置与令牌对应的动态口令生成器,以便进行口令认证。 If the dynamic password, the user password by the need to obtain a token, a removable memory corresponding token is necessary to provide a dynamic password generator, for password authentication.

[0110] D:显示装置将用户输入的文件操作口令包含在口令认证应答中发送给移动存储器; [0110] D: Display device operation file containing user-entered password to a password authentication removable memory in response;

[0111] E:移动存储器对文件操作口令进行认证,认证通过后执行后续的文件访问操作。 [0111] E: a removable memory for file operations password authentication, perform the subsequent operations after the file access authentication.

[0112] 第一装置实施例 [0112] The first embodiment of device

[0113] 图2是本发明移动存储器的结构示意图,如图2所示,该移动存储器包括:主控模块、数据传输模块和存储模块;其中, [0113] FIG. 2 is a structural diagram of the present invention, removable memory, shown in Figure 2, the removable memory comprising: a control module, data transmission module and a storage module; wherein,

[0114] 数据传输模块与主控模块连接,用于连接外部的文件信息显示装置,使主控模块与文件信息显示装置之间进行数据的传输; [0114] Data transmission module and the control module is connected, for connection to an external file information display apparatus, so that the main control module to the file information display apparatus for data transmission between;

[0115] 存储模块与所述主控模块连接,用于存储供所述主控模块提取的文件信息和对认证请求进行认证用的颁发者证书; [0115] memory module and the control module is connected to the master file for storing information extraction module and the authentication request to the authentication issuer certificate;

[0116]主控模块与所数据传输模块和存储模块连接,用于接收经所述数据传输模块连接的文件信息显示装置发送的包含显示装置证书的认证请求,对接收到的认证请求中包含的显示装置证书进行认证;认证成功后,通过所述数据传输模块接收文件信息显示装置发送的文件信息浏览请求,并从存储模块中提取与文件信息浏览请求对应的文件信息发送至文件信息显示装置进行显示。 [0116] The control module is connected to the data transmission module and a storage module, a certificate authentication request display means comprises means for transmitting the received file information via the data transmission module is connected to a display, the received authentication request contained the display device certificate authentication; authentication is successful, the reception file information browsing request transmitted from the display apparatus through the data transmission module, and extracts from the storage module to the file information corresponding to the browse request file information to the file information display apparatus display.

[0117] 上述移动存储器的存储模块,还用于存储移动存储器证书; [0117] The removable memory module memory, removable memory further configured to store the certificate;

[0118] 所述的主控模块还用于在对显示装置证书认证成功后,向文件信息显示装置发送移动存储器证书;使文件信息显示装置在接收到所述移动存储器证书后,对所述移动存储器证书进行认证,认证成功后发送所述文件信息浏览请求。 [0118] The main control module is further configured to, after successful authentication of the certificate display apparatus, the display apparatus transmits the file information to the mobile storage certificate; make the file information to the mobile device after receiving the certificate memory of the mobile display memory certificates for authentication, transmits the file information browsing request after the authentication succeeds.

[0119] 在接收用户通过文件信息显示装置发送的相应的文件信息浏览请求后,上述移动存储器的主控模块还用于对该文件信息浏览请求进行分析,判断当前的访问权限是否允许进行对应的文件访问操作,若允许,则执行后续操作;若不允许,则向文件信息显示装置返回禁止执行对应的文件访问操作的应答信息。 [0119] In the information display after receiving a user file corresponding to the file information browsing request transmitted from the removable memory control module is further configured to request the file information browsing analysis to determine whether the current access rights allowed by the corresponding file access operation, if allowed, subsequent operations are performed; if not permitted, prohibits execution means returns the file access operation corresponding to the response information to the file information is displayed.

[0120] 在判断当前的访问权限为允许进行对应的文件访问操作后,上述移动存储器的主控模块还用于判断当前的访问操作是否需要进行口令认证,若需要,向文件信息显示装置发送口令认证请求,并通过所述数据传输模块接收文件信息显示装置根据口令认证请求回复的口令认证应答,口令认证应答中包含由用户通过文件信息显示装置输入的相应的文件操作口令;对口令认证应答中包含的文件操作口令进行认证,认证通过后执行后续的文件访问操作。 After [0120] the determination of the current to allow access for the corresponding file access operations, the memory of the mobile main control module is further configured to determine whether the current access password authentication operation, if necessary, means for transmitting the password to the file information display the authentication request, and receives the file information display apparatus authentication response password authentication based on the password request reply, password authentication response includes the corresponding file operation password input by the user device file information displayed by the module through the data transmission; authentication password in response to file operation included in the password authentication, perform the subsequent operations after the file access authentication.

[0121] 上述移动存储器中还包括:与获取动态口令的令牌对应的动态口令生成模块,与所述主控模块连接,用于生成限定当前的访问操作的动态口令。 [0121] The removable memory further comprising: obtaining a dynamic password and a token corresponding to the dynamic password generation module, connected to the master module for generating a current access operation defining dynamic password.

[0122] 将提取的与文件信息浏览请求对应的文件信息发送至文件信息显示装置进行显示之前,上述移动存储器的主控模块还用于用预先设置的传输密钥或与文件信息显示装置协商得到的传输密钥,对提取的与文件信息浏览请求对应的文件信息进行加密后,将加密后的文件信息发送至文件信息显示装置。 [0122] The extracted information browsing request file corresponding to the file information is sent to the display device prior to display information file, the memory of the mobile main control module is further used for transmitting the key set in advance or to the file information display apparatus negotiated the transmission key, after the extracted file information and file information corresponding to the browse request is encrypted, the encrypted file information is sent to the file information display apparatus.

[0123] 在文件信息显示装置发送所述文件信息浏览请求前,上述移动存储器的主控模块还用于与文件信息显示装置进行密钥协商,得到用于对文件信息进行加密和解密的传输密钥。 [0123] In the information device before sending the document file information display browsing request, the memory of the mobile main control module is further configured to display device information with the file key negotiation, to obtain the file for transmission of secret information encrypting and decrypting key.

[0124] 第一系统实施例 [0124] system according to a first embodiment

[0125] 图3是本发明提供的移动存储器的访问控制系统的结构示意图。 [0125] FIG. 3 is a schematic diagram of a removable memory access control system of the present invention is provided. 如图3所示,该系统包括:相互连接的移动存储器和显示装置; As shown in FIG. 3, the system comprising: a removable memory connected to each other and a display device;

[0126] 其中,所述移动存储器采用上述第一装置实施例给出的移动存储器。 [0126] wherein said removable memory removable memory using the embodiment given in the first embodiment apparatus.

[0127] 综上所述,本发明实施例的移动存储器的访问控制方法,可以由移动存储器对显示装置发送的包含显示装置证书的认证请求进行认证,在认证通过后,再根据用户通过显示装置发送的相应的文件信息浏览请求,提取与文件信息浏览请求对应的文件信息发送至显示装置进行显示。 [0127] In summary, the memory access control method of a mobile according to an embodiment of the present invention may authenticate the certificate authentication request display means comprises a display device transmitted from the removable memory, after the authentication, then the user through the display means file information corresponding to the browse request, the browse request extracts the file information corresponding to the file information to the display device for display. 该方法可以解决现有的安全U盘使用静态的认证口令对使用者进行身份认证,安全性较差的问题。 This method can solve the existing security U disk to use static password authentication for user identity authentication, poor security issues. 提高了安全U盘访问控制的安全性。 Improve the safety of U disk access security control.

[0128] 以上所述,仅为本发明较佳的具体实施方式,但本发明的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明披露的技术范围内,可轻易想到的变化或替换,都应涵盖在本发明的保护范围之内。 [0128] The above are only the preferred specific embodiments of the invention, but the scope of the present invention is not limited thereto, any skilled in the art in the art within the technical scope disclosed in the present invention can be easily thought variations or replacements shall fall within the protection scope of the present invention. 因此,本发明的保护范围应该以权利要求书的保护范围为准。 Accordingly, the scope of the present invention, the scope of the claims should prevail.

Claims (13)

1.一种移动存储器的访问控制方法,其特征在于,该方法包括以下步骤: 移动存储器与文件信息显示装置连接后,接收文件信息显示装置发送的包含显示装置证书的认证请求,所述显示装置证书包括使用者标识信息; 在接收到认证请求后,移动存储器对认证请求中包含的显示装置证书进行认证,认证成功后,所述移动存储器根据所述显示装置证书中的使用者标识信息,获取该使用者对应的访问权限, 所述移动存储器获取所述访问权限后,向所述显示装置发送认证反馈信息,所述认证反馈信息中包括移动存储器证书,所述显示装置接收到所述移动存储器证书后,显示装置将所述移动存储器证书发送至认证服务器,所述认证服务器接收所述移动存储器证书并进行认证操作,认证成功后所述认证服务器向所述显示装置发送认证成功指令,所述显示装置接 Access control method for a removable memory, wherein the method comprises the steps of: a removable memory to the file information display apparatus is connected, the authentication device certificate request comprising a display device receiving the file information transmitted from a display device certificate includes user identification information; after receiving the authentication request, the memory of the mobile display device certificate authentication request contains the authentication is successful, the mobile user identification information storage means in accordance with the certificate of the display, obtaining after the user whose access right, the mobile acquires the memory access, the authentication device transmits to the display feedback information, the feedback information comprises authentication certificate removable memory, said removable memory means receiving said display When the certificate, the display device of the mobile storage certificate to the authentication server, the authentication server receives the authentication certificate and the removable memory operation, after successful authentication of the authentication server to the display device transmits the authentication success command, the display means connected 到所述认证成功指令后,所述文件信息显示装置显示文件信息浏览操作界面,供用户进行文件信息浏览操作,接收到用户输入的文件信息浏览指令后,向所述移动存储器发送文件信息浏览请求; 移动存储器接收文件信息显示装置发送的文件信息浏览请求,并根据获取的所述访问权限,提取与文件信息浏览请求对应的文件信息发送至文件信息显示装置进行显示。 After successful authentication to the instruction, the document file information display means displays information browsing interface for users to browse the file operation information, after receiving the file browsing instruction information input by the user, information browsing request to send the file to the removable memory ; file information display removable memory receiving browsing request apparatus transmits the file information and the access authority according to the acquired extract information file with the file information corresponding to a browsing request is sent to the display device the display information file.
2.根据权利要求1所述的移动存储器的访问控制方法,其特征在于, 移动存储器接收到所述文件信息浏览请求后,对该文件信息浏览请求进行分析,判断当前的访问权限是否允许进行对应的文件访问操作,若允许,则执行后续操作;若不允许,则向文件信息显示装置返回禁止执行对应的文件访问操作的应答信息。 The access control method according to claim 1 removable memory, wherein the removable memory receiving the file information browsing request, the browser analyzes the request file information, determines whether the current access is allowed for the corresponding file access operation, if allowed, subsequent operations are performed; if not allowed, returns response information means prohibits execution of the file access operation corresponding to the file information is displayed.
3.根据权利要求2所述的移动存储器的访问控制方法,其特征在于, 在判断当前的访问权限为允许进行对应的文件访问操作后,还包括以下步骤: 移动存储器判断当前的文件访问操作是否需要进行口令认证,若需要,则向文件信息显示装置发送口令认证请求; 接收到口令认证请求后,文件信息显示装置将用户通过文件信息显示装置输入的相应的文件操作口令包含在口令认证请求回复中发送给移动存储器; 移动存储器接收到文件信息显示装置发送的口令认证请求回复后,对所述文件操作口令进行认证,认证通过后执行后续的文件访问操作。 The access control method according to a removable memory as claimed in claim 2, wherein, in the determination of the current access is permitted after an access operation corresponding to the file, further comprising the steps of: moving the current memory is determined whether the file access operation password authentication is performed, if needed, means for sending a password authentication request is displayed to a file information; after receiving the password authentication request, the file information display apparatus to the user via the file information displays the appropriate file operation password inputting means comprises a request for a password authentication reply transmitted to a mobile storage; removable memory receiving the file information display apparatus password authentication reply transmitted the request, the file operation password authentication, perform the subsequent operations after the file access authentication.
4.根据权利要求1所述的移动存储器的访问控制方法,其特征在于, 在移动存储器对显示装置证书认证成功后,还包括: 移动存储器根据显示装置证书中的使用者标识信息,获取本地存储的该使用者对应的访问权限信息,并将其作为当前的访问权限。 The access control method according to claim 1 removable memory, wherein, after the display device certificate authentication is successful, further comprising a removable memory: mobile user identification information according to a display memory device certificate acquired local storage access authority information corresponding to the user, and as its current access.
5.根据权利要求1所述的移动存储器的访问控制方法,其特征在于, 通过以下方式将提取的与文件信息浏览请求对应的文件信息发送至文件信息显示装置进行显示: 移动存储器用预先设置的传输密钥或与文件信息显示装置协商得到的传输密钥,对提取的与文件信息浏览请求对应的文件信息进行加密后,将加密后的文件信息发送至文件信息显示装置; 文件信息显示装置接收到文件信息后,使用对应的传输密钥对其进行解密,将解密后的文件信息在显示屏上进行显示。 The access control method according to claim 1 removable memory, wherein the file information to the file information corresponding to the browse request extracted by the file information send to the display means displays: a removable memory with preset key transport or key file information display device of the negotiated transfer, after the extracted file information and file information corresponding to the browse request is encrypted, the encrypted file information is sent to the file information display apparatus; file information display device receives to the file information, using the corresponding transport key to decrypt the decrypted file information is displayed on the display screen.
6.根据权利要求5所述的移动存储器的访问控制方法,其特征在于, 在文件信息显示装置发送所述文件信息浏览请求前,还包括以下步骤: 移动存储器与文件信息显示装置进行密钥协商,得到用于对文件信息进行加密和解密的传输密钥。 6. A memory access control method of a mobile according to claim 5, characterized in that the front information browsing device transmits the request file in the file information display, further comprising the step of: moving the memory to the file information display device key agreement to obtain information for the file transmission key for encryption and decryption.
7.—种移动存储器,其特征在于,该移动存储器包括: 主控模块、数据传输模块和存储模块; 其中,所述数据传输模块与所述主控模块连接,用于连接外部的文件信息显示装置,使所述主控模块与文件信息显示装置之间进行数据的传输; 所述存储模块与所述主控模块连接,用于存储供所述主控模块提取的文件信息和对认证请求进行认证用的颁发者证书; 所述主控模块与所述数据传输模块和存储模块连接,用于接收经所述数据传输模块连接的文件信息显示装置发送的包含显示装置证书的认证请求,对接收到的认证请求中包含的显示装置证书进行认证,所述显示装置证书包括使用者标识信息;认证成功后,所述主控模块根据显示装置证书中的使用者标识信息,获取该使用者对应的访问权限;所述主控模块获取所述访问权限后,通过数据传输模块向所述 7.- kinds of removable memory, wherein the removable memory comprising: a control module, data transmission module and a storage module; wherein the data transmission module and the control module is connected, for connection to an external display information file means the transmission of data between the master module and the file information display means; a memory module and the control module is connected to the main control module for storing the extracted file information and request for authentication of certificate issuer authentication; the main control module is connected to the data transmission module and a storage module for a certificate authentication request display means comprises means for transmitting the received file information via the data transmission module is connected to a display, the received the certificate authentication request display means included in the authentication, the display device includes a user certificate identification information; authentication is successful, the main control module in accordance with user identification information of the display device certificate, obtaining the corresponding user access; after the main control module obtains the access to the module via the data transmission 显示装置发送认证反馈信息,所述认证反馈信息中包括移动存储器证书,所述移动存储器证书用于认证服务器对所述移动存储器进行身份认证;所述主控模块通过所述数据传输模块接收文件信息显示装置发送的文件信息浏览请求,并根据所述获取的访问权限从存储模块中提取与文件信息浏览请求对应的文件信息发送至文件信息显示装置进行显示。 The display device transmits the authentication feedback information, the feedback information comprises authentication certificate removable memory, said removable memory certificate server for authenticating the mobile authentication memory; the main control module receives the file information through the data transmission module file browsing request transmitted from the information display, and access rights in accordance with the acquired extracted from the storage module to the file information corresponding to the browse request file information to the file information display apparatus for displaying.
8.根据权利要求7所述的移动存储器,其特征在于, 在接收到所述文件信息浏览请求后, 所述主控模块,还用于对该文件信息浏览请求进行分析,判断当前的访问权限是否允许进行对应的文件访问操作,若允许,则执行后续操作;若不允许,则向文件信息显示装置返回禁止执行对应的文件访问操作的应答信息。 A removable memory according to claim 7, wherein, after receiving a request to browse the file information, the main control module is further configured to analyze the document browsing request information, determines whether the current access whether to allow access operation corresponding to the file, if allowed, subsequent operations are performed; if not permitted, prohibits execution means returns the file access operation corresponding to the response information to the file information is displayed.
9.根据权利要求8所述的移动存储器,其特征在于, 在判断当前的访问权限为允许进行对应的文件访问操作后, 所述主控模块,还用于判断当前的访问操作是否需要进行口令认证,若需要,向文件信息显示装置发送口令认证请求,并通过所述数据传输模块接收文件信息显示装置根据口令认证请求回复的口令认证应答,口令认证应答中包含由用户通过文件信息显示装置输入的相应的文件操作口令;对口令认证应答中包含的文件操作口令进行认证,认证通过后执行后续的文件访问操作。 9. The removable memory according to claim 8, wherein, in determining the access rights corresponding to the current file to allow access operation, the main control module is further configured to determine whether a current access operation for password authentication, if necessary, password authentication apparatus transmits a request to display the file information, and receives the file information display apparatus based on the password authentication password authentication reply response request through the data transmission module, password authentication response includes the input means by the user through display information file file operation corresponding to the password; password authentication password file operation included in the response to authenticate, perform the subsequent operation of the file access authentication.
10.根据权利要求9所述的移动存储器,其特征在于,还包括: 与获取动态口令的令牌对应的动态口令生成模块,与所述主控模块连接,用于生成限定当前的访问操作的动态口令。 10. The removable memory according to claim 9, characterized in that, further comprising: obtaining a dynamic password and a token corresponding to the dynamic password generation module, connected to the main control module, for generating a current access operation defining Dynamic password.
11.根据权利要求8所述的移动存储器,其特征在于, 将提取的与文件信息浏览请求对应的文件信息发送至文件信息显示装置进行显示之N /.刖, 所述主控模块,还用于用预先设置的传输密钥或与文件信息显示装置协商得到的传输密钥,对提取的与文件信息浏览请求对应的文件信息进行加密后,将加密后的文件信息发送至文件信息显示装置。 11. The removable memory according to claim 8, wherein the extracted information browsing request file corresponding to the file information to the file information display apparatus for displaying the N /. INTRODUCTION, the main control module is further use transmission key for use with pre-set or file information display device transport key negotiation obtained after the extracted file information and file information corresponding to the browse request is encrypted, the encrypted file information is sent to the file information display apparatus.
12.根据权利要求11所述的移动存储器,其特征在于, 在文件信息显示装置发送所述文件信息浏览请求前, 所述主控模块,还用于与文件信息显示装置进行密钥协商,得到用于对文件信息进行加密和解密的传输密钥。 A removable memory according to claim 11, characterized in that the display device before sending the file information browsing request, the main control module is further configured to display device information file in the file information key negotiation, to give for file transmission key information is encrypted and decrypted.
13.—种移动存储器的访问控制系统,其特征在于,该系统包括: 相互连接的移动存储器和文件信息显示装置; 其中,所述移动存储器采用上述权利要求7〜12任一项所述的移动存储器。 13.- kinds of removable memory access control system, characterized in that the system comprising: a mobile information file storage and display device connected to each other; wherein the removable memory using the mobile claim any one of claims 7~12 memory.
CN 201110337850 2011-10-31 2011-10-31 Access control method of mobile memory, mobile memory and system CN102521164B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201110337850 CN102521164B (en) 2011-10-31 2011-10-31 Access control method of mobile memory, mobile memory and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201110337850 CN102521164B (en) 2011-10-31 2011-10-31 Access control method of mobile memory, mobile memory and system

Publications (2)

Publication Number Publication Date
CN102521164A CN102521164A (en) 2012-06-27
CN102521164B true CN102521164B (en) 2014-12-03

Family

ID=46292093

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201110337850 CN102521164B (en) 2011-10-31 2011-10-31 Access control method of mobile memory, mobile memory and system

Country Status (1)

Country Link
CN (1) CN102521164B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790107A (en) * 2016-12-26 2017-05-31 郑州云海信息技术有限公司 A kind of access control method and server

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101120352A (en) * 2004-12-21 2008-02-06 桑迪士克股份有限公司;迪斯克雷蒂克斯科技公司 Memory system with universal content control
CN101714123A (en) * 2008-10-07 2010-05-26 谈剑锋 Document mobile memory device capable of ensuring information security and implementing method thereof
CN102223364A (en) * 2011-05-09 2011-10-19 飞天诚信科技股份有限公司 Method and system for accessing e-book data

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4112284B2 (en) * 2002-05-29 2008-07-02 富士通株式会社 Database access control method and database access control program

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101120352A (en) * 2004-12-21 2008-02-06 桑迪士克股份有限公司;迪斯克雷蒂克斯科技公司 Memory system with universal content control
CN101714123A (en) * 2008-10-07 2010-05-26 谈剑锋 Document mobile memory device capable of ensuring information security and implementing method thereof
CN102223364A (en) * 2011-05-09 2011-10-19 飞天诚信科技股份有限公司 Method and system for accessing e-book data

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
JP特开2003-345663A 2003.12.05 *

Also Published As

Publication number Publication date
CN102521164A (en) 2012-06-27

Similar Documents

Publication Publication Date Title
TWI600307B (en) Method and device for secure communications over a network using a hardware security engine
US9330245B2 (en) Cloud-based data backup and sync with secure local storage of access keys
DK2158717T3 (en) Remote authentication and transaction signature
US9191394B2 (en) Protecting user credentials from a computing device
US8769784B2 (en) Secure and efficient authentication using plug-in hardware compatible with desktops, laptops and/or smart mobile communication devices such as iPhones
US20140215589A1 (en) Method for generating a soft token, computer program product and service computer system
KR101878149B1 (en) Device, system, and method of secure entry and handling of passwords
CN101789934B (en) Method and system for online security trading
JP5529775B2 (en) Network authentication method and network authentication device for executing the network authentication method
US20070136599A1 (en) Information processing apparatus and control method thereof
AU2012363099B2 (en) Key management using quasi out of band authentication architecture
US20060136739A1 (en) Method and apparatus for generating one-time password on hand-held mobile device
CN101427510B (en) Digipass for the web-functional description
US8458776B2 (en) Low-latency peer session establishment
CN100464549C (en) Method for realizing data safety storing business
EP1658695A2 (en) Security token
CN103918292A (en) Authenticating a user of a system using near field communication
US8386795B2 (en) Information security device of Universal Serial Bus Human Interface Device class and data transmission method for same
CN101960762A (en) Systems and methods for performing wireless financial transactions
US7139918B2 (en) Multiple secure socket layer keyfiles for client login support
WO2008050792A1 (en) System, device, method and program for authenticating communication partner by means of electronic certificate including personal information
US8990565B2 (en) Method and system for automatically logging in a client
CN101222333B (en) Data transaction processing method and apparatus
US8074266B2 (en) Memory card, data exchange system, and data exchange method
US9338163B2 (en) Method using a single authentication device to authenticate a user to a service provider among a plurality of service providers and device for performing such a method

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted