CN103051593A - Method and system for secure data ferry - Google Patents
Method and system for secure data ferry
Publication number: CN103051593A
Authority: CN (China)
Prior art keywords: host, storage device, classified, mobile storage
Legal status: Granted
Classification: Storage Device Security
Abstract
The invention discloses a method and a system for secure data ferrying. The method comprises: registering a first mobile storage device, used for ferrying data between a classified host and a ferry machine, on the classified host with read-only or read-write permission, and registering the same device on the ferry machine with read-write permission; the first mobile storage device then ferries data between the ferry machine and the classified host. The system comprises the classified host, the ferry machine and the first mobile storage device: the classified host registers the first mobile storage device on itself with read-only or read-write permission, the ferry machine registers it on itself with read-write permission, and the first mobile storage device ferries data between the two. This scheme prevents the leakage of confidential information that occurs when an unauthorised mobile storage device copies data off the ferry machine or the classified host.
Description
Technical field
The present invention relates to the field of data transmission, and in particular to a method and system for secure data ferrying.
Background technology
A ferry attack is an attack that uses a mobile storage device to steal data from an internal network that is physically isolated from the Internet. Out of concern for information security, important organisations such as government bodies, the military, banks, scientific research institutions and classified units generally keep strict physical isolation between their self-built internal networks and the Internet, so mobile storage devices become the preferred tool for exchanging data offline between the internal and external networks. A ferry attack uses such a device as the "ferryboat" and thereby indirectly steals data from the intranet.
To protect the intranet, data copied from the external network into the intranet normally has to pass through a ferry machine for Trojan and virus scanning before it may be copied onto a classified host on the intranet. The existing ferry process, however, has the following problems. First, cross-leakage at the ferry machine or the classified host: for example, after one mobile storage device has copied data onto the ferry machine and that data is not deleted, another unauthorised mobile storage device can copy the data left on the ferry machine out to the external network, causing a leak. Second, once a mobile storage device is lost, the data on it may leak. Third, registration information for a mobile storage device can be added by hand to the background database, allowing an unauthorised device to connect to the classified network and leak data.
Summary of the invention
The invention provides a method and system for secure data ferrying that solves the problem of leaks caused by unauthorised mobile storage devices copying data off the ferry machine or the classified host.
To solve the above technical problem, the invention adopts the following technical solution:
A method of secure data ferrying comprises:
registering a first mobile storage device, used for ferrying data between a classified host and a ferry machine, on the classified host with read-only or read-write permission, and registering it on the ferry machine with read-write permission;
the first mobile storage device ferrying data between the ferry machine and the classified host.
The method also comprises registering a second mobile storage device, used for ferrying data between the ferry machine and the external network, on the ferry machine with read-write permission; a mobile storage device that is not registered on the ferry machine has only read-only permission there.
When data is ferried from the classified host to the external network, the first mobile storage device is registered on the classified host with read-write permission; when data is ferried from the external network to the classified host, the first mobile storage device is registered on the classified host with read-only permission.
Registering the first mobile storage device on the classified host and the ferry machine comprises: registering the first mobile storage device on the classified host first, then registering on the ferry machine the first mobile storage device that has been successfully registered on the classified host.
Registering the first mobile storage device on the classified host comprises: connecting the first mobile storage device to the classified host; writing the classified host's registration identifier into the classified-host registration slot of the nonvolatile storage space of the trusted computing module of the first mobile storage device; and signing that registration identifier with the platform identity key (PIK) or platform identity certificate (PEK certificate) of the trusted computing module of the classified host.
Registering on the ferry machine the first mobile storage device that has been successfully registered on the classified host comprises: connecting the first mobile storage device to the ferry machine; detecting whether a classified host's registration identifier has been written into the nonvolatile storage space of the first mobile storage device; if so, parsing the classified host's registration identifier to obtain the PIK or PEK of the trusted computing module of that classified host; verifying the signature on the classified host's registration identifier with that PIK or PEK; and, after verification passes, writing the ferry machine's registration identifier into the ferry-machine registration slot of the nonvolatile storage space of the first mobile storage device and signing it with the PIK or PEK of the trusted computing module of the ferry machine.
Parsing the classified host's registration identifier to obtain the PIK or PEK of the classified host's trusted computing module comprises: storing in advance, as a list on the ferry machine, all PIKs or PEKs generated by the trusted computing modules of the classified hosts; parsing the classified host's registration identifier and selecting from the list the PIK or PEK corresponding to that identifier.
The method also comprises setting a password for logging in to the mobile storage device; the password is kept in the trusted computing module of the mobile storage device.
The data the first mobile storage device copies from the ferry machine is data that the ferry machine has encrypted; when that encrypted data is copied to the classified host, the classified host decrypts it.
The data the first mobile storage device copies from the classified host is data that the classified host has encrypted; when that encrypted data is copied to the ferry machine, the ferry machine decrypts it.
The registration information of mobile storage devices is kept in the respective trusted computing modules of the classified host and the ferry machine.
A system for secure data ferrying comprises a classified host, a ferry machine and a first mobile storage device for ferrying data between the classified host and the ferry machine, wherein:
the classified host is used to register the first mobile storage device on itself with read-only or read-write permission;
the ferry machine is used to register the first mobile storage device on itself with read-write permission;
the first mobile storage device for ferrying data between the classified host and the ferry machine is used to ferry data between the ferry machine and the classified host.
The system also comprises a second mobile storage device for ferrying data between the ferry machine and the external network; the ferry machine also registers the second mobile storage device on itself with read-write permission, and a mobile storage device not registered on the ferry machine has only read-only permission there.
The mobile storage device comprises a trusted computing module, which stores the password for logging in to the mobile storage device; the ferry machine and the classified host comprise a password verification module, which obtains the password from the trusted computing module and verifies an externally entered password against it.
The ferry machine and the classified host comprise trusted computing modules, which store the registration information of mobile storage devices.
The invention thus provides a method and system for secure data ferrying: the first mobile storage device used to ferry data between the classified host and the ferry machine is registered on the classified host with read-only or read-write permission and on the ferry machine with read-write permission; only a registered mobile storage device ferries data between the ferry machine and the classified host, while an unregistered mobile storage device is not allowed to copy data off the ferry machine or the classified host. This stops the leaks caused by unauthorised mobile storage devices copying data off the ferry machine or the classified host.
Further, the first mobile storage device is registered on the classified host first, and only a first mobile storage device that has been successfully registered on the classified host can then complete registration on the ferry machine, which further improves the security of the first mobile storage device.
Further, a login password is set for the mobile storage device (the first and/or the second mobile storage device); the user accesses the device by entering this password, which removes the risk that, if the device is lost, someone else can steal the data on it.
Further, the data the first mobile storage device copies from the ferry machine is data encrypted by the ferry machine, and/or the data it copies from the classified host is data encrypted by the classified host, which further removes the risk that, if the first mobile storage device is lost, someone else can steal the data on it.
Further, the registration information of mobile storage devices successfully registered on the classified host and the ferry machine is kept in the respective trusted computing modules of the classified host and the ferry machine. This avoids the prior-art problem where registration information is kept in a background database, to which registration information for a mobile storage device can easily be added by hand, allowing an unauthorised device to connect to the classified network and leak data. Registration information comprises the read-write attribute of the mobile storage device and may also comprise user information, registration time, usage rights and the like.
Description of drawings
Fig. 1 is a flow chart of ferrying data from the external network to a classified host through the ferry machine in a secure data ferrying method of an embodiment of the invention;
Fig. 2 is a flow chart of ferrying data from a classified host to the external network through the ferry machine in a secure data ferrying method of an embodiment of the invention;
Fig. 3 is a block diagram of a secure data ferrying system of an embodiment of the invention.
Embodiment
The secure data ferrying method provided by the invention mainly comprises: registering a first mobile storage device, used for ferrying data between a classified host and a ferry machine, on the classified host with read-only or read-write permission and on the ferry machine with read-write permission; the first mobile storage device then ferries data between the ferry machine and the classified host. The method comprises a process of ferrying data from the external network to the classified host through the ferry machine and a process of ferrying data from the classified host to the external network through the ferry machine. Ferrying data from the external network to the classified host through the ferry machine mainly comprises:
Step 1: a second mobile storage device, used for ferrying data between the ferry machine and the external network, is connected to the ferry machine and its data is copied onto the ferry machine; the second mobile storage device in this step may or may not be registered on the ferry machine, and a mobile storage device not registered on the ferry machine has only read-only permission there;
Step 2: a first mobile storage device, registered on both the classified host and the ferry machine for ferrying data between them, is connected to the ferry machine and the data on the ferry machine is copied onto it;
Step 3: the first mobile storage device is connected to the classified host and the data on it is copied onto the classified host.
In the above process of ferrying data from the external network to the classified host through the ferry machine, the first mobile storage device used to ferry data between the classified host and the ferry machine is registered in advance with read-write permission on the ferry machine and with read-only permission on the classified host.
Ferrying data from the classified host to the external network through the ferry machine mainly comprises:
Step 1: a first mobile storage device, registered on both the classified host and the ferry machine for ferrying data between them, is connected to the classified host and the data on the classified host is copied onto it;
Step 2: the first mobile storage device is connected to the ferry machine and the data on it is copied onto the ferry machine;
Step 3: a second mobile storage device, registered on the ferry machine with read-write permission for ferrying data between the ferry machine and the external network, is connected to the ferry machine and the data on the ferry machine is copied onto it.
In the process of ferrying data from the classified host to the external network through the ferry machine, the first mobile storage device used to ferry data between the classified host and the ferry machine is registered in advance with read-write permission on the classified host and again with read-write permission on the ferry machine.
The method is described in further detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a flow chart of transferring data from the external network to the intranet through the ferry machine in a secure data ferrying method of an embodiment of the invention. Referring to Fig. 1:
S11: register the first mobile storage device, used for ferrying data between the classified host and the ferry machine, on the classified host with read-only permission, then register it on the ferry machine with read-write permission, and set the password for logging in to this mobile storage device.
Registering the first mobile storage device on the classified host with read-only permission means that the first mobile storage device can only copy its own data onto the classified host and cannot copy data on the classified host onto itself; registering it on the ferry machine with read-write permission means that it can copy its own data onto the ferry machine and can also copy data on the ferry machine onto itself.
Setting the password may comprise: initialising the mobile storage device, setting the password as the owner password of the trusted computing module in the mobile storage device, and keeping this password in the trusted computing module of the device. The security of the device's login password is thereby guaranteed by the security of the trusted computing module.
The first mobile storage device is registered on the classified host first, and the first mobile storage device successfully registered on the classified host is then registered on the ferry machine; the detailed process may comprise:
First connect the first mobile storage device to the classified host; write the classified host's registration identifier into the classified-host registration slot of the nonvolatile storage space of the trusted computing module of the first mobile storage device, and sign that registration identifier with the PIK or PEK of the trusted computing module of the classified host, which completes registration of the first mobile storage device on the classified host. Then connect the first mobile storage device to the ferry machine; detect whether a classified host's registration identifier has been written into the nonvolatile storage space of the first mobile storage device; if so, parse the classified host's registration identifier on the ferry machine to obtain the PIK or PEK of the trusted computing module of that classified host; verify the signature on the classified host's registration identifier with that PIK or PEK; after verification passes, write the ferry machine's registration identifier into the ferry-machine registration slot of the nonvolatile storage space of the first mobile storage device and sign it with the PIK or PEK of the trusted computing module of the ferry machine, which completes registration on the ferry machine of the first mobile storage device successfully registered on the classified host.
In the process of registering on the ferry machine the first mobile storage device successfully registered on the classified host, parsing the classified host's registration identifier in the first mobile storage device to obtain the PIK or PEK of the classified host's trusted computing module may comprise: keeping in advance, as a list on the ferry machine, all PIKs or PEKs generated by the trusted computing modules of the classified hosts; parsing the classified host's registration identifier and selecting from that list the PIK or PEK corresponding to it.
The read-only or read-write attribute of the first mobile storage device on the classified host can be updated by updating the classified host's registration identifier in the first mobile storage device; the read-only or read-write attribute of the first mobile storage device on the ferry machine can be updated by updating the ferry machine's registration identifier in the first mobile storage device (the same operation applies to the second mobile storage device).
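As an added example, not code from the patent: the two-stage registration described in the summary and in S11 above, modelled in Python. The Platform and DeviceNV classes, the "platform:attribute" layout of the registration identifier and the HMAC that stands in for the TCM's PIK signature are assumptions made here so the example runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Platform:
    """Constructed model of a classified host or ferry machine with a TCM."""
    name: str
    pik: bytes                                   # platform identity key held by the TCM
    pik_list: Dict[str, bytes] = field(default_factory=dict)  # PIKs of trusted hosts

    def sign(self, reg_id: str) -> str:
        # An HMAC over the identifier stands in for the TCM signing with its PIK,
        # so the example runs offline; a real TCM would produce an asymmetric signature.
        return hmac.new(self.pik, reg_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class DeviceNV:
    """Nonvolatile area of the device's TCM: one registration slot per platform."""
    host_slot: Optional[dict] = None
    ferry_slot: Optional[dict] = None


def reg_id_for(platform: str, access: str) -> str:
    # Registration identifier carries the platform name and the granted attribute (ro/rw).
    return f"{platform}:{access}"


def register_on_host(host: Platform, dev: DeviceNV, access: str) -> None:
    """First stage: the classified host writes and signs its registration identifier.
    Rewriting the slot with a new attribute is how the ro/rw property is updated."""
    rid = reg_id_for(host.name, access)
    dev.host_slot = {"reg_id": rid, "sig": host.sign(rid)}


def register_on_ferry(ferry: Platform, dev: DeviceNV, access: str) -> bool:
    """Second stage: the ferry machine registers a device only if it already carries
    a host registration whose signature verifies under a PIK from the ferry's list."""
    if dev.host_slot is None:
        return False                                 # never registered on a classified host
    rid = dev.host_slot["reg_id"]
    host_name = rid.split(":", 1)[0]                 # parse the identifier to find the host
    pik = ferry.pik_list.get(host_name)
    if pik is None:
        return False                                 # host unknown to this ferry machine
    expected = hmac.new(pik, rid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, dev.host_slot["sig"]):
        return False                                 # record not signed by that host's PIK
    frid = reg_id_for(ferry.name, access)
    dev.ferry_slot = {"reg_id": frid, "sig": ferry.sign(frid)}
    return True


def demo():
    """Run the two-stage registration for three constructed devices."""
    host = Platform("host-A", b"host-A-pik")                          # constructed keys
    ferry = Platform("ferry-1", b"ferry-1-pik", {"host-A": b"host-A-pik"})

    good = DeviceNV()
    register_on_host(host, good, "ro")    # external-to-classified direction: ro on the host
    ok_good = register_on_ferry(ferry, good, "rw")

    skipped = DeviceNV()                   # device that skipped the classified-host stage
    ok_skipped = register_on_ferry(ferry, skipped, "rw")

    forged = DeviceNV()                    # host slot written under a key the ferry does not hold
    register_on_host(Platform("host-A", b"some-other-key"), forged, "rw")
    ok_forged = register_on_ferry(ferry, forged, "rw")

    return ok_good, good.ferry_slot["reg_id"], ok_skipped, ok_forged


if __name__ == "__main__":
    print(demo())   # (True, 'ferry-1:rw', False, False)
```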
S12: connect the second mobile storage device, used for ferrying data between the ferry machine and the external network, to the ferry machine; after the ferry machine has scanned and filtered the data on the second mobile storage device, copy that data onto the ferry machine.
The second mobile storage device in this step may or may not be registered on the ferry machine; an unregistered mobile storage device has only read-only permission on the ferry machine, meaning it can only copy its own data onto the ferry machine and cannot copy data on the ferry machine onto itself.
S13: connect the first mobile storage device, used for ferrying data between the classified host and the ferry machine, to the ferry machine; enter the password in the password prompt the ferry machine displays; after password verification passes, detect whether the connected first mobile storage device is registered on this ferry machine; if registered, verify the signature; after signature verification passes, the ferry machine encrypts the data and copies the encrypted data onto the first mobile storage device.
Verifying the signature in this step may comprise: parsing the ferry machine's registration identifier in the mobile storage device to obtain the corresponding PEK or PIK from the ferry machine's local PIK or PEK list, and verifying the signature on the ferry machine's registration identifier with that PEK or PIK.
S14: connect the first mobile storage device, used for ferrying data between the classified host and the ferry machine, to the classified host; enter the password in the password prompt the classified host displays; after password verification passes, detect whether the connected first mobile storage device is registered on this classified host; if registered, verify the signature; after signature verification passes, copy the data onto the classified host, where the classified host decrypts it. This completes the process of transferring data from the external network to the classified host on the classified intranet through the ferry machine.
Verifying the signature in this step may comprise: parsing the classified host's registration identifier in the mobile storage device to obtain the corresponding PEK or PIK from the classified host's local PIK or PEK list, and verifying the signature on the classified host's registration identifier with that PEK or PIK.
In this embodiment, the ferry machine may be a stand-alone computer connected to no network and to no other computer. An unregistered mobile storage device has only read-only permission on the ferry machine: after the ferry machine has scanned and filtered the data on it, that data is copied onto the ferry machine, but the unregistered device cannot copy data off the ferry machine, which avoids leaks at the ferry machine. The mobile storage device (the first and/or the second) is protected by a login password, so even if the device is lost the data stored on it is hard to read. The data the mobile storage device copies from the ferry machine has been encrypted by the ferry machine, which further guarantees the security of the data after the device is lost. The registration information of mobile storage devices on the ferry machine and the classified host is kept in the respective trusted computing modules of the ferry machine and the classified host, which prevents anyone tampering with a device's registration information and thereby leaking data from the classified network. In addition to being kept in the respective trusted computing modules, the registration information may also be stored in a local database on the ferry machine and the classified host.
Fig. 2 is a flow chart of ferrying data from a classified host to the external network through the ferry machine in a secure data ferrying method of an embodiment of the invention. Referring to Fig. 2:
S21: register the first mobile storage device, used for ferrying data between the classified host and the ferry machine, on the classified host with read-write permission and on the ferry machine with read-write permission, and set the password for logging in to this mobile storage device.
Registering the first mobile storage device on the classified host with read-write permission means that the first mobile storage device can copy its own data onto the classified host and can also copy data on the classified host onto itself.
S22: connect the first mobile storage device, used for ferrying data between the classified host and the ferry machine, to the classified host; enter the password in the password prompt the classified host displays; after password verification passes, detect whether the connected first mobile storage device is registered on this classified host; if registered, verify the signature; after signature verification passes, encrypt the data that needs to be copied onto the first mobile storage device and copy the encrypted data onto it.
S23: connect the first mobile storage device, used for ferrying data between the classified host and the ferry machine, to the ferry machine; enter the password in the password prompt the ferry machine displays; after password verification passes, detect whether the connected first mobile storage device is registered on this ferry machine; if registered, verify the signature; after signature verification passes, copy the data onto the ferry machine, where the ferry machine decrypts it.
S24: connect the second mobile storage device, used for ferrying data between the ferry machine and the external network, to the ferry machine; enter the password in the password prompt the ferry machine displays; after password verification passes, detect whether the connected second mobile storage device is registered on this ferry machine; if registered, copy the data onto the second mobile storage device. Whether the data needs to be encrypted at this point depends on whether the second mobile storage device itself has encryption and decryption functions: if it does, the files are encrypted; if not, no encryption is needed. Both variants protect the data: the former protects it with both the password and data encryption, the latter protects the mobile storage device with the password.
In this step, to further guarantee data security, a time limit can be set on the second mobile storage device's read-write permission on the ferry machine; for example, with the limit set to 5 minutes, once 5 minutes have elapsed the second mobile storage device no longer has read-write permission on the ferry machine, or has only read-only permission.
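As an added example, not the patent's own code: the per-connection checks of S13, S14 and S22 to S24 (password prompt, registration lookup, signature verification, attribute from the registration identifier) combined with the time-limited read-write grant of this step, written as one decision function in Python. The DeviceTCM class, the PBKDF2 password storage, the HMAC stand-in for the PIK signature and the rule that an unregistered device is refused on the classified host are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

RW, RO, DENY = "rw", "ro", "deny"
PBKDF2_ROUNDS = 100_000


@dataclass
class DeviceTCM:
    """Constructed model of a mobile storage device's trusted computing module."""
    pw_salt: bytes
    pw_hash: bytes
    # registration slots keyed by platform name: identifier, signature, time written
    nv: Dict[str, dict] = field(default_factory=dict)

    @classmethod
    def initialize(cls, password: str, salt: bytes = b"constructed-salt") -> "DeviceTCM":
        # The page only says the login password is kept in the module; storing a
        # salted PBKDF2 hash rather than the password itself is this example's choice.
        return cls(salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))

    def check_password(self, entered: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", entered.encode(), self.pw_salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(cand, self.pw_hash)


def sign(pik: bytes, reg_id: str) -> str:
    # HMAC stand-in for the platform TCM signing the identifier with its PIK (constructed).
    return hmac.new(pik, reg_id.encode(), hashlib.sha256).hexdigest()


def register(dev: DeviceTCM, platform: str, pik: bytes, access: str, now: float) -> None:
    """Write a signed registration identifier into the device slot for one platform."""
    reg_id = f"{platform}:{access}"
    dev.nv[platform] = {"reg_id": reg_id, "sig": sign(pik, reg_id), "at": now}


def decide_access(platform: str, pik_list: Dict[str, bytes], is_ferry: bool,
                  dev: DeviceTCM, entered_pw: str, now: float,
                  rw_limit_s: Optional[float] = None) -> str:
    """Permission a platform grants to a device that has just been connected."""
    # 1. Password prompt: a wrong password ends the session.
    if not dev.check_password(entered_pw):
        return DENY
    # 2. Registration record for this platform. An unregistered device is read-only
    #    on the ferry machine; on the classified host it is refused (assumption: the
    #    page only says unregistered devices may not copy data off the host).
    rec = dev.nv.get(platform)
    if rec is None:
        return RO if is_ferry else DENY
    # 3. Verify the identifier's signature with the platform's own PIK, taken from
    #    its local list; a record that fails verification grants nothing.
    pik = pik_list.get(platform)
    if pik is None or not hmac.compare_digest(sign(pik, rec["reg_id"]), rec["sig"]):
        return DENY
    access = rec["reg_id"].split(":", 1)[1]
    # 4. A time-limited read-write grant drops to read-only once the limit has passed.
    if access == RW and rw_limit_s is not None and now - rec["at"] > rw_limit_s:
        return RO
    return access


def demo():
    """Evaluate the checks for a set of constructed devices."""
    ferry_pik = b"ferry-1-pik"                   # constructed key material
    pik_list = {"ferry-1": ferry_pik}
    t0 = 1_000_000.0
    five_min = 300                                # the 5-minute limit from the description

    second = DeviceTCM.initialize("correct horse")
    register(second, "ferry-1", ferry_pik, RW, t0)

    tampered = DeviceTCM.initialize("pw")         # signed under a key the ferry never issued
    register(tampered, "ferry-1", b"not-the-ferry-pik", RW, t0)

    return (
        decide_access("ferry-1", pik_list, True, second, "wrong", t0, five_min),
        decide_access("ferry-1", pik_list, True, second, "correct horse", t0 + 60, five_min),
        decide_access("ferry-1", pik_list, True, second, "correct horse", t0 + 301, five_min),
        decide_access("ferry-1", pik_list, True, DeviceTCM.initialize("x"), "x", t0),
        decide_access("host-A", {"host-A": b"host-A-pik"}, False, DeviceTCM.initialize("x"), "x", t0),
        decide_access("ferry-1", pik_list, True, tampered, "pw", t0, five_min),
    )


if __name__ == "__main__":
    print(demo())   # ('deny', 'rw', 'ro', 'ro', 'deny', 'deny')
```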
The present invention also includes a system for securely ferrying data. The system comprises a classified host, a ferry machine and a first mobile storage device used to ferry data between the classified host and the ferry machine, wherein the classified host is used to register the first mobile storage device on the classified host with read-only or read-write capability; the ferry machine is used to register the first mobile storage device on the ferry machine with read-write capability; and the first mobile storage device is used to ferry data between the ferry machine and the classified host.
Fig. 3 is a block diagram of a system for securely ferrying data according to an embodiment of the invention. Referring to Fig. 3:
A system for securely ferrying data comprises a classified host 31, a ferry machine 32, a first mobile storage device 33 used to ferry data between the classified host and the ferry machine, and a second mobile storage device 34 used to ferry data between the ferry machine and the external network, wherein:
Both the classified host 31 and the ferry machine 32 are provided with a data antivirus module, a registration management module, a password authentication module, a data encryption/decryption module and a trusted computing module. The data antivirus module scans for viruses the data on a mobile storage device connected to the classified host 31 or the ferry machine 32. The registration management module detects whether a connected mobile storage device is registered on the classified host 31 or the ferry machine 32, registers unregistered mobile storage devices, and queries the registration information of mobile storage devices; specifically, the registration management module in the classified host 31 registers the first mobile storage device 33 with read-only or read-write capability, and the registration management module in the ferry machine 32 registers the first mobile storage device 33 with read-write capability and registers the second mobile storage device 34 with read-write capability. The password authentication module obtains the login password of the mobile storage device and verifies the password entered by the user against it. The data encryption/decryption module encrypts and decrypts the data that the mobile storage device reads or writes on the classified host 31 or the ferry machine 32. The trusted computing module stores the registration information of mobile storage devices. The first mobile storage device 33 used to ferry data between the classified host and the ferry machine includes a trusted computing module, which stores the password for logging in to the first mobile storage device.
Further, the non-volatile storage space of the trusted computing module of the first mobile storage device 33 is also used to set a classified-host registration flag and a ferry-machine registration flag, and may also store the signature information of the registration identifiers. The registration management modules on the classified host 31 and the ferry machine 32 write the registration identifier of the classified host 31 into the classified-host registration flag and the registration identifier of the ferry machine 32 into the ferry-machine registration flag. The trusted computing module on the classified host 31 is also used to generate a PIK or PEK with which the registration identifier of the classified host 31 is signed; the trusted computing module on the ferry machine 32 is also used to generate a PIK or PEK with which the registration identifier of the ferry machine 32 is signed.
Further, the classified host 31 and the ferry machine 32 may also include a data filtering module and a data audit module. The data filtering module filters, according to preset rules, the data that a mobile storage device reads or writes on the classified host 31 or the ferry machine 32; the data audit module stores and queries the records of the read and write operations of mobile storage devices on the classified host 31 or the ferry machine 32.
Further, the second mobile storage device 34 used to ferry data between the ferry machine and the external network may or may not have a trusted computing module. Before it is used to ferry data from the ferry machine to the external network, it must be registered on the ferry machine and the permissions it holds there must be set; the registration information is stored in the local database of the ferry machine. When the second mobile storage device is inserted into the ferry machine, the ferry machine authenticates it to determine which permissions it has, and the data filtering module then filters the data operations performed on it according to its registration information.
The above is a further description of the present invention in conjunction with specific embodiments; it should not be taken to limit the implementation of the invention to these descriptions. Those of ordinary skill in the art may make simple deductions or substitutions without departing from the inventive concept, all of which fall within the protection scope of the invention.
Claims (15)
1. A method for securely ferrying data, characterized in that it comprises:
registering a first mobile storage device, used to ferry data between a classified host and a ferry machine, on the classified host with read-only or read-write capability, and registering it on the ferry machine with read-write capability;
the first mobile storage device ferrying data between the ferry machine and the classified host.
2. The method of claim 1, characterized in that it further comprises: registering a second mobile storage device, used to ferry data between the ferry machine and an external network, on the ferry machine with read-write capability; a mobile storage device not registered on the ferry machine has only read-only capability on the ferry machine.
3. The method of claim 1, characterized in that when data is ferried from the classified host to the external network, the first mobile storage device is registered on the classified host with read-write capability; when data is ferried from the external network to the classified host, the first mobile storage device is registered on the classified host with read-only capability.
4. The method of claim 1, characterized in that registering the first mobile storage device on the classified host and the ferry machine comprises: first registering the first mobile storage device on the classified host; then registering the first mobile storage device, once successfully registered on the classified host, on the ferry machine.
5. The method of claim 4, characterized in that registering the first mobile storage device on the classified host comprises: connecting the first mobile storage device to the classified host; writing the registration identifier of the classified host into the classified-host registration flag in the non-volatile storage space of the trusted computing module of the first mobile storage device, and signing the registration identifier of the classified host with the platform identity key or platform identity certificate of the trusted computing module of the classified host.
6. The method of claim 5, characterized in that registering the first mobile storage device, already successfully registered on the classified host, on the ferry machine comprises: connecting the first mobile storage device to the ferry machine; detecting whether the registration identifier of the classified host has been written into the non-volatile storage space of the first mobile storage device; if it has, parsing the registration identifier of the classified host to obtain the platform identity key or platform identity certificate of the trusted computing module of the classified host; verifying the signature on the registration identifier of the classified host with that platform identity key or platform identity certificate; and, after verification succeeds, writing the registration identifier of the ferry machine into the ferry-machine registration flag in the non-volatile storage space of the first mobile storage device and signing the registration identifier of the ferry machine with the platform identity key or platform identity certificate of the trusted computing module of the ferry machine.
7. The method of claim 6, characterized in that parsing the registration identifier of the classified host to obtain the platform identity key or platform identity certificate of the trusted computing module of the classified host comprises: storing in advance, in the form of a list on the ferry machine, all platform identity keys or platform identity certificates generated by the trusted computing module of the classified host; parsing the registration identifier of the classified host and selecting from the list the platform identity key or platform identity certificate corresponding to that registration identifier.
8. The method of any one of claims 1 to 7, characterized in that it further comprises setting a password for logging in to the mobile storage device, the password being stored in the trusted computing module of the mobile storage device.
9. The method of any one of claims 1 to 7, characterized in that the data the first mobile storage device copies from the ferry machine is data encrypted by the ferry machine, and the data encrypted by the ferry machine is copied to the classified host and decrypted by the classified host.
10. The method of any one of claims 1 to 7, characterized in that the data the first mobile storage device copies from the classified host is data encrypted by the classified host, and the data encrypted by the classified host is copied to the ferry machine and decrypted by the ferry machine.
11. The method of any one of claims 1 to 7, characterized in that the registration information of the mobile storage device is stored in the respective trusted computing modules of the classified host and the ferry machine.
12. A system for securely ferrying data, characterized in that the system comprises a classified host, a ferry machine and a first mobile storage device used to ferry data between the classified host and the ferry machine, wherein:
the classified host is used to register the first mobile storage device on it with read-only or read-write capability;
the ferry machine is used to register the first mobile storage device on it with read-write capability;
the first mobile storage device, used to ferry data between the classified host and the ferry machine, is used to ferry data between the ferry machine and the classified host.
13. The system of claim 12, characterized in that it further comprises a second mobile storage device used to ferry data between the ferry machine and an external network, and the ferry machine is also used to register the second mobile storage device with read-write capability; a mobile storage device not registered on the ferry machine has only read-only capability on the ferry machine.
14. The system of claim 12 or 13, characterized in that the mobile storage device comprises a trusted computing module, which stores the password for logging in to the mobile storage device; the ferry machine and the classified host comprise a password authentication module, which obtains the password from the trusted computing module and verifies the externally entered password against it.
15. The system of claim 12 or 13, characterized in that the ferry machine and the classified host comprise a trusted computing module, which stores the registration information of mobile storage devices.
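The two-stage registration chain of claims 4 to 7 (host registers first and signs its identifier; the ferry machine verifies that signature against its list of host keys before adding its own flag) and the read-only/read-write policy of claim 2, as an added simulation that is not the patent's own code. HMAC-SHA256 with a per-machine secret stands in for the asymmetric platform identity key signature of the trusted computing module, and all field and function names are assumptions made for this example.

```python
"""Added simulation of the registration flags in the first mobile storage
device's non-volatile space and of the ferry machine's verification step.
Not the patent's code. HMAC-SHA256 keyed with a per-machine secret stands
in for the asymmetric PIK signature; names are assumptions of this example."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class MobileDevice:
    """Non-volatile space of the device's trusted computing module: one flag
    per registering machine, each with the signature over its identifier."""
    serial: str
    host_flag: Optional[bytes] = None
    host_sig: Optional[bytes] = None
    ferry_flag: Optional[bytes] = None
    ferry_sig: Optional[bytes] = None


def sign(pik: bytes, serial: str, reg_id: bytes) -> bytes:
    # Binding the device serial into the signed message is an assumption of
    # this example: it stops a flag copied from one device from being
    # accepted on another device.
    return hmac.new(pik, serial.encode() + b"|" + reg_id, hashlib.sha256).digest()


def register_on_host(dev: MobileDevice, host_id: str, host_pik: bytes) -> None:
    """Claim 5: the classified host writes its registration identifier into
    the host flag and signs it with its own PIK."""
    dev.host_flag = host_id.encode()
    dev.host_sig = sign(host_pik, dev.serial, dev.host_flag)


def register_on_ferry(dev: MobileDevice, ferry_id: str, ferry_pik: bytes,
                      pik_list: Dict[str, bytes]) -> bool:
    """Claims 6 and 7: only a device carrying a host registration that
    verifies against the ferry machine's list of host PIKs is registered."""
    if dev.host_flag is None or dev.host_sig is None:
        return False                      # no host registration present
    host_pik = pik_list.get(dev.host_flag.decode())
    if host_pik is None:
        return False                      # host unknown to this ferry machine
    expected = sign(host_pik, dev.serial, dev.host_flag)
    if not hmac.compare_digest(expected, dev.host_sig):
        return False                      # flag altered, forged or replayed
    dev.ferry_flag = ferry_id.encode()
    dev.ferry_sig = sign(ferry_pik, dev.serial, dev.ferry_flag)
    return True


def ferry_permission(dev: MobileDevice, ferry_id: str, ferry_pik: bytes) -> str:
    """Claim 2: a device registered on this ferry machine gets read-write;
    anything else is read-only."""
    if dev.ferry_flag == ferry_id.encode() and dev.ferry_sig is not None:
        expected = sign(ferry_pik, dev.serial, dev.ferry_flag)
        if hmac.compare_digest(expected, dev.ferry_sig):
            return "rw"
    return "ro"


if __name__ == "__main__":
    piks = {"HOST-A": b"host-a-pik-secret"}      # constructed sample key list
    dev = MobileDevice("SN-0001")
    register_on_host(dev, "HOST-A", piks["HOST-A"])
    print(register_on_ferry(dev, "FERRY-1", b"ferry-1-pik", piks))    # True
    print(ferry_permission(dev, "FERRY-1", b"ferry-1-pik"))           # rw
    print(ferry_permission(MobileDevice("SN-0002"), "FERRY-1", b"ferry-1-pik"))  # ro
```

A device whose host flag is missing, signed by a key not in the list, or copied from another device is refused at the ferry machine and therefore stays read-only there.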
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110308360.4A CN103051593B (en) | 2011-10-12 | 2011-10-12 | A kind of method and system of ferrying data safely |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103051593A true CN103051593A (en) | 2013-04-17 |
CN103051593B CN103051593B (en) | 2016-09-14 |
Family
ID=48064097
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201110308360.4A Active CN103051593B (en) | 2011-10-12 | 2011-10-12 | A kind of method and system of ferrying data safely |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103051593B (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105243336A (en) * | 2015-09-30 | 2016-01-13 | 北京奇虎科技有限公司 | Data protection method and apparatus |
CN106844254A (en) * | 2016-12-29 | 2017-06-13 | 武汉烽火众智数字技术有限责任公司 | Mobile memory medium switching device, data ferry-boat system and method |
CN107371384A (en) * | 2015-02-13 | 2017-11-21 | 霍尼韦尔国际公司 | Risk management in the environment of the air gap |
CN109753832A (en) * | 2017-11-08 | 2019-05-14 | 山东超越数控电子股份有限公司 | A kind of safe Ferrying machine system and its implementation |
CN113344163A (en) * | 2021-05-24 | 2021-09-03 | 南通大学 | Mobile memory and method for realizing one-way data transmission based on NFC |
CN117473573A (en) * | 2023-12-28 | 2024-01-30 | 山东华翼微电子技术股份有限公司 | SATA interface system and data security ferrying method |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C14 | Grant of patent or utility model |
GR01 | Patent grant |