CN103051593B - A kind of method and system of ferrying data safely - Google Patents
Publication number: CN103051593B (application CN201110308360.4A)
Authority: CN (China)
Legal status (as listed by Google Patents; not a legal conclusion): Active
Abstract
The present invention discloses a method and a system for ferrying data securely. In the method, a first removable storage device used to ferry data between a classified host and a ferry machine is registered on the classified host with read-only or read-write permission and registered on the ferry machine with read-write permission; the first removable storage device then ferries data between the ferry machine and the classified host. The system comprises the classified host, the ferry machine and the first removable storage device, where the classified host registers the first removable storage device on itself with read-only or read-write permission, the ferry machine registers the first removable storage device on itself with read-write permission, and the first removable storage device ferries data between the ferry machine and the classified host. With this technical scheme the invention prevents the leakage that occurs when an illegitimate removable storage device copies data from the ferry machine or the classified host.
Description
Technical field
The present invention relates to the field of data transmission, and in particular to a method and system for ferrying data securely.
Background technology
A ferry attack is an attack that specifically targets removable storage devices in order to steal data from an internal network that is physically isolated from the Internet. Important organisations such as government bodies, the military, banks, research institutions and classified units generally enforce strict physical isolation between the organisation's self-built internal network and the Internet for reasons of information security, so removable storage devices become the tool of choice for exchanging data offline between the internal and external networks. A ferry attack uses the removable storage device as a "ferryboat" to reach, indirectly, the goal of stealing data from the intranet.
To protect the intranet, data copied from the external network into the intranet generally passes through a ferry machine, where it is scanned for Trojans and viruses, before it may be copied onto a classified host of the intranet. The existing ferry process, however, has the following problems. First, cross-leakage: if data copied by one removable storage device onto the ferry machine or the classified host is not deleted afterwards, another, illegitimate removable storage device can copy the data left on the ferry machine out to the external network, causing a leak. Second, once a removable storage device is lost, its data can leak. Third, a registration record for a removable storage device can be added manually in the back-end database, allowing an illegitimate removable storage device to connect to the classified network and leak data.
Summary of the invention
The present invention provides a method and system for ferrying data securely, which solves the problem of leakage caused by an illegitimate removable storage device copying data from the ferry machine or the classified host.
To solve the above technical problem, the present invention adopts the following technical scheme.
A method for ferrying data securely, comprising:
registering a first removable storage device, used to ferry data between a classified host and a ferry machine, on the classified host with read-only or read-write permission and on the ferry machine with read-write permission;
the first removable storage device ferrying data between the ferry machine and the classified host.
The method further comprises: registering a second removable storage device, used to ferry data between the ferry machine and the external network, on the ferry machine with read-write permission; a removable storage device not registered on the ferry machine has read-only permission on the ferry machine.
When data is ferried from the classified host to the external network, the first removable storage device is registered on the classified host with read-write permission; when data is ferried from the external network to the classified host, the first removable storage device is registered on the classified host with read-only permission.
The process of registering the first removable storage device on the classified host and on the ferry machine comprises: first registering the first removable storage device on the classified host; then, on the ferry machine, registering the first removable storage device that was successfully registered on the classified host.
The process of registering the first removable storage device on the classified host comprises: connecting the first removable storage device to the classified host; writing the registration identifier of the classified host into the classified-host registration position of the non-volatile storage area of the trusted computing module of the first removable storage device; and signing the registration identifier of the classified host with the platform identity key (PIK) or platform identity certificate (PEK certificate) of the trusted computing module of the classified host.
The process by which the ferry machine registers the first removable storage device that was successfully registered on the classified host comprises: connecting the first removable storage device to the ferry machine; detecting whether a registration identifier of a classified host has been written into the non-volatile storage area of the first removable storage device; if so, parsing the registration identifier of the classified host to obtain the PIK or PEK of the trusted computing module of that classified host; verifying the signature on the registration identifier of the classified host with that PIK or PEK; and, once verification passes, writing the registration identifier of the ferry machine into the ferry-machine registration position of the non-volatile storage area of the first removable storage device and signing the registration identifier of the ferry machine with the PIK or PEK of the trusted computing module of the ferry machine.
The process of parsing the registration identifier of the classified host to obtain the PIK or PEK of its trusted computing module comprises: saving in advance, on the ferry machine, a list of all PIKs or PEKs produced by the trusted computing modules of the classified hosts; and parsing the registration identifier of the classified host and selecting from that list the PIK or PEK that corresponds to it.
The method further comprises setting a password for logging in to the removable storage device, the password being stored in the trusted computing module of the removable storage device.
The data that the first removable storage device copies from the ferry machine is data encrypted by the ferry machine; after that data is copied to the classified host, the classified host decrypts it.
The data that the first removable storage device copies from the classified host is data encrypted by the classified host; after that data is copied to the ferry machine, the ferry machine decrypts it.
The registration information of the removable storage device is stored in the respective trusted computing modules of the classified host and the ferry machine.
A system for ferrying data securely, comprising a classified host, a ferry machine and a first removable storage device for ferrying data between the classified host and the ferry machine, wherein:
the classified host is configured to register the first removable storage device on itself with read-only or read-write permission;
the ferry machine is configured to register the first removable storage device on itself with read-write permission;
the first removable storage device for ferrying data between the classified host and the ferry machine is configured to ferry data between the ferry machine and the classified host.
The system further comprises a second removable storage device for ferrying data between the ferry machine and the external network; the ferry machine is further configured to register the second removable storage device with read-write permission; a removable storage device not registered on the ferry machine has read-only permission on the ferry machine.
The removable storage device comprises a trusted computing module for storing the password used to log in to the removable storage device; the ferry machine and the classified host each comprise a password verification module for obtaining the password from the trusted computing module and verifying an externally entered password against it.
The ferry machine and the classified host each comprise a trusted computing module for storing the registration information of removable storage devices.
The present invention provides a method and system for ferrying data securely. The first removable storage device used to ferry data between the classified host and the ferry machine is registered on the classified host with read-only or read-write permission and on the ferry machine with read-write permission; the registered device ferries data between the ferry machine and the classified host, while an unregistered removable storage device is not allowed to copy data from the ferry machine or the classified host. This prevents the leakage caused by an illegitimate removable storage device copying data from the ferry machine or the classified host.
Further, the first removable storage device is first registered on the classified host, and only a first removable storage device that was successfully registered on the classified host can then be registered on the ferry machine, which further improves the security of the first removable storage device.
Further, a password for logging in to the removable storage device (the first and/or the second removable storage device) is set, and the user accesses the removable storage device by entering this password, which removes the risk that, after the removable storage device is lost, someone else steals the data on it.
Further, the data that the first removable storage device copies from the ferry machine is data encrypted by the ferry machine, and/or the data it copies from the classified host is data encrypted by the classified host, which further removes the risk that, after the first removable storage device is lost, someone else steals the data on it.
Further, the registration information of removable storage devices successfully registered on the classified host and the ferry machine is stored in the respective trusted computing modules of the classified host and the ferry machine. This avoids the prior-art problem in which registration information is kept in a back-end database, where a registration record for a removable storage device can be added manually, allowing an illegitimate removable storage device to connect to the classified network and leak data. The registration information includes the read/write property of the removable storage device and may also include information such as the user profile, registration time and usage rights.
Brief description of the drawings
Fig. 1 is a flow chart of ferrying data from the external network through the ferry machine to the classified host in the method for ferrying data securely of embodiment one of the present invention;
Fig. 2 is a flow chart of ferrying data from the classified host through the ferry machine to the external network in the method for ferrying data securely of embodiment one of the present invention;
Fig. 3 is a block diagram of the system for ferrying data securely of an embodiment of the present invention.
Detailed description of the invention
The method for ferrying data securely provided by the present invention mainly comprises: registering a first removable storage device, used to ferry data between a classified host and a ferry machine, on the classified host with read-only or read-write permission and on the ferry machine with read-write permission; and the first removable storage device ferrying data between the ferry machine and the classified host. The method covers both the process of ferrying data from the external network through the ferry machine to the classified host and the process of ferrying data from the classified host through the ferry machine to the external network. The process of ferrying data from the external network through the ferry machine to the classified host mainly comprises:
Step one: a second removable storage device, used to ferry data between the ferry machine and the external network, is connected to the ferry machine and its data is copied onto the ferry machine. The second removable storage device in this step may or may not be registered on the ferry machine; a removable storage device not registered on the ferry machine has read-only permission on the ferry machine.
Step two: the first removable storage device, registered on the classified host and the ferry machine for ferrying data between them, is connected to the ferry machine, and the data on the ferry machine is copied onto the first removable storage device.
Step three: the first removable storage device is connected to the classified host, and the data on it is copied onto the classified host.
In the above process of ferrying data from the external network through the ferry machine to the classified host, the first removable storage device for ferrying data between the classified host and the ferry machine is registered in advance on the ferry machine with read-write permission and on the classified host with read-only permission.
The process of ferrying data from the classified host through the ferry machine to the external network mainly comprises:
Step one: the first removable storage device, registered on the classified host and the ferry machine for ferrying data between them, is connected to the classified host, and the data on the classified host is copied onto the first removable storage device.
Step two: the first removable storage device is connected to the ferry machine, and the data on it is copied onto the ferry machine.
Step three: the second removable storage device, registered on the ferry machine with read-write permission for ferrying data between the ferry machine and the external network, is connected to the ferry machine and copies the data on the ferry machine to itself.
In the process of ferrying data from the classified host through the ferry machine to the external network, the first removable storage device for ferrying data between the classified host and the ferry machine is registered in advance on the classified host with read-write permission and then on the ferry machine with read-write permission.
The method is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 is a flow chart of transferring external-network data through the ferry machine to the internal network in the method for ferrying data securely of embodiment one; referring to Fig. 1:
S11: the first removable storage device used to ferry data between the classified host and the ferry machine is registered on the classified host with read-only permission and then on the ferry machine with read-write permission, and a password for logging in to the removable storage device is set.
Registering the first removable storage device on the classified host with read-only permission means that the first removable storage device can only copy its own data onto the classified host and cannot copy data from the classified host to itself. Registering it on the ferry machine with read-write permission means that the first removable storage device can copy its own data onto the ferry machine and can also copy data from the ferry machine to itself.
Setting the password may comprise: initialising the removable storage device, setting the password as the owner password of the trusted computing module in the removable storage device, and storing the password in that trusted computing module. The security of the trusted computing module thus guarantees the security of the login password of the removable storage device.
The first removable storage device is first registered on the classified host, and then the ferry machine registers the first removable storage device that was successfully registered on the classified host. The detailed process may comprise: first connecting the first removable storage device to the classified host; writing the registration identifier of the classified host into the classified-host registration position of the non-volatile storage area of the trusted computing module of the first removable storage device, and signing the registration identifier of the classified host with the PIK or PEK of the trusted computing module of the classified host, which completes the registration of the first removable storage device on the classified host; then connecting the first removable storage device to the ferry machine; detecting whether a registration identifier of a classified host has been written into the non-volatile storage area of the first removable storage device; if so, parsing the registration identifier of the classified host to obtain, on the ferry machine, the PIK or PEK of the trusted computing module of that classified host; verifying the signature on the registration identifier of the classified host with that PIK or PEK; and, once verification passes, writing the registration identifier of the ferry machine into the ferry-machine registration position of the non-volatile storage area of the first removable storage device and signing the registration identifier of the ferry machine with the PIK or PEK of the trusted computing module of the ferry machine, which completes the registration, on the ferry machine, of the first removable storage device that was successfully registered on the classified host.
In the course of the ferry machine registering the first removable storage device that was successfully registered on the classified host, the method of parsing the registration identifier of the classified host stored in the first removable storage device to obtain the PIK or PEK of the trusted computing module of the classified host may comprise: saving in advance, on the ferry machine, a list of all PIKs or PEKs produced by the trusted computing modules of the classified hosts; parsing the registration identifier of the classified host; and selecting from that list the PIK or PEK that corresponds to it.
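The two-stage registration just described, as an added Go simulation that is not part of the patent and not any product's code: an ed25519 key pair stands in for the trusted computing module's PIK, a map stands in for the device's non-volatile storage with one slot per registration position, and the registration identifier is assumed to have the form "<role>:<name>" so that the verifying machine can parse out the name and pick the matching key from its pre-loaded list. The slot names, the identifier format, the machine names and the helper names (KeyList, VerifySlot, RegisterOnHost, RegisterOnFerry) are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Names of the two registration positions in the device's trusted computing
// module non-volatile storage (slot names are an assumption of this example).
const (
	SlotHost  = "classified_host"
	SlotFerry = "ferry_machine"
)

// Registration is what a machine writes into its slot: its registration
// identifier and a signature over that identifier made with its PIK.
type Registration struct {
	ID  string
	Sig []byte
}

// Device stands in for the removable storage device's non-volatile storage.
type Device struct {
	NV map[string]Registration
}

func NewDevice() *Device { return &Device{NV: map[string]Registration{}} }

// Machine is a classified host or a ferry machine. An ed25519 key pair stands
// in for the platform identity key (PIK) of its trusted computing module.
type Machine struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewMachine(name string) (*Machine, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Machine{Name: name, Pub: pub, priv: priv}, nil
}

// KeyList builds the pre-loaded "list of all PIKs" that a machine keeps for
// the machines whose registrations it has to verify.
func KeyList(ms ...*Machine) map[string]ed25519.PublicKey {
	keys := map[string]ed25519.PublicKey{}
	for _, m := range ms {
		keys[m.Name] = m.Pub
	}
	return keys
}

// Assumed identifier format "<role>:<name>"; the name selects the PIK.
func regID(role, name string) string { return role + ":" + name }

func parseRegID(id string) (string, error) {
	parts := strings.SplitN(id, ":", 2)
	if len(parts) != 2 || parts[1] == "" {
		return "", fmt.Errorf("malformed registration identifier %q", id)
	}
	return parts[1], nil
}

// register writes this machine's signed registration identifier into slot.
func (m *Machine) register(d *Device, slot, role string) {
	id := regID(role, m.Name)
	d.NV[slot] = Registration{ID: id, Sig: ed25519.Sign(m.priv, []byte(id))}
}

// RegisterOnHost is the first stage: the classified host registers the device.
func (m *Machine) RegisterOnHost(d *Device) { m.register(d, SlotHost, "host") }

// VerifySlot checks that slot holds a registration whose signature verifies
// under the PIK selected from keys by the name parsed out of the identifier.
// The ferry machine runs it before registering; either machine runs it
// before allowing a copy.
func VerifySlot(d *Device, slot string, keys map[string]ed25519.PublicKey) error {
	reg, ok := d.NV[slot]
	if !ok {
		return errors.New("no registration in slot " + slot)
	}
	name, err := parseRegID(reg.ID)
	if err != nil {
		return err
	}
	pub, ok := keys[name]
	if !ok {
		return fmt.Errorf("no PIK on file for %q", name)
	}
	if !ed25519.Verify(pub, []byte(reg.ID), reg.Sig) {
		return errors.New("registration signature does not verify")
	}
	return nil
}

// RegisterOnFerry is the second stage: the ferry machine registers only a
// device that already carries a valid classified-host registration.
func (m *Machine) RegisterOnFerry(d *Device, hostKeys map[string]ed25519.PublicKey) error {
	if err := VerifySlot(d, SlotHost, hostKeys); err != nil {
		return fmt.Errorf("refusing ferry registration: %w", err)
	}
	m.register(d, SlotFerry, "ferry")
	return nil
}

func main() {
	host, _ := NewMachine("host-A")
	ferry, _ := NewMachine("ferry-1")
	d := NewDevice()
	host.RegisterOnHost(d)
	fmt.Println("registered device:", ferry.RegisterOnFerry(d, KeyList(host)))
	fmt.Println("blank device:", ferry.RegisterOnFerry(NewDevice(), KeyList(host)))
}
```

The same VerifySlot check is what steps S13 and S14 below run against the device before a copy is allowed. The ferry machine refuses a device whose host registration is absent, signed by a host that is not in its key list, or altered after signing, which is the property the "host first, then ferry" ordering is meant to provide.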
The read-only or read-write property of the removable storage device on the classified host can be updated by updating the registration identifier of the classified host stored in the first removable storage device; the read-only or read-write property of the first removable storage device on the ferry machine can be updated by updating the registration identifier of the ferry machine stored in the first removable storage device (the same operation can be applied to the second removable storage device).
S12: the second removable storage device used to ferry data between the ferry machine and the external network is connected to the ferry machine; the ferry machine scans the data on the second removable storage device for viruses and filters it, and then copies it onto the ferry machine.
The second removable storage device in this step may be registered or unregistered on the ferry machine. An unregistered removable storage device has read-only permission on the ferry machine, meaning that it can only copy its own data onto the ferry machine and cannot copy data from the ferry machine to itself.
S13: the first removable storage device used to ferry data between the classified host and the ferry machine is connected to the ferry machine; the password is entered in the password prompt displayed by the ferry machine; after the password is verified, the ferry machine detects whether the connected first removable storage device is registered on it and, if so, verifies the signature; after the signature verifies, the ferry machine encrypts the data and the encrypted data is copied onto the first removable storage device.
The signature verification in this step may comprise: parsing the registration identifier of the ferry machine stored in the removable storage device to obtain the corresponding PEK or PIK from the ferry machine's local PIK or PEK list, and verifying the signature on the registration identifier of the ferry machine with that PEK or PIK.
S14: the first removable storage device used to ferry data between the classified host and the ferry machine is connected to the classified host; the password is entered in the password prompt displayed by the classified host; after the password is verified, the classified host detects whether the connected first removable storage device is registered on it and, if so, verifies the signature; after the signature verifies, the data is copied onto the classified host and the classified host decrypts it, which completes the process of transferring data from the external network through the ferry machine to the classified host of the classified intranet.
The signature verification in this step may comprise: parsing the registration identifier of the classified host stored in the removable storage device to obtain the corresponding PEK or PIK from the classified host's local PIK or PEK list, and verifying the signature on the registration identifier of the classified host with that PEK or PIK.
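The encrypt-before-copy step of S13 (and S22 below) and the decrypt-after-copy step of S14 (and S23), as an added Go example that is not the patent's code: AES-256-GCM under a key that the example assumes is shared by the trusted computing modules of the ferry machine and the classified host, because the patent does not describe how the key is provisioned; the constructedKey value is a placeholder. Binding the device's registration identifier into the ciphertext as additional authenticated data goes beyond the text and is a choice of this example: it keeps a ciphertext written for one registered device from being opened off another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// constructedKey is a placeholder for the 256-bit key assumed to be shared by
// the two trusted computing modules (assumption of this example).
func constructedKey() []byte {
	k := make([]byte, 32)
	for i := range k {
		k[i] = byte(i)
	}
	return k
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sending machine's step (S13 on the ferry machine, S22 on the
// classified host): encrypt the file before it is copied to the device. The
// device's registration identifier is bound as additional authenticated data.
func Seal(key, plaintext []byte, deviceID string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Layout written to the device: nonce || ciphertext || GCM tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(deviceID)), nil
}

// Open is the receiving machine's step (S14 on the classified host, S23 on
// the ferry machine), run after the password and registration checks pass.
func Open(key, blob []byte, deviceID string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(deviceID))
	if err != nil {
		// GCM reports one error for a wrong key, a modified blob or a wrong
		// device binding; in every case the receiving side discards the data.
		return nil, errors.New("authentication failed; data not accepted")
	}
	return pt, nil
}

func main() {
	key := constructedKey()
	blob, _ := Seal(key, []byte("constructed file contents"), "device-33")
	pt, err := Open(key, blob, "device-33")
	fmt.Printf("receiving machine decrypts: %q err=%v\n", pt, err)
	_, err = Open(key, blob, "device-99")
	fmt.Println("same blob copied from another device:", err)
}
```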
In this embodiment the ferry machine may be a stand-alone computer, connected to no network and to no other computer. An unregistered removable storage device has read-only permission on the ferry machine: the ferry machine scans and filters the data on an unregistered removable storage device and then copies it onto the ferry machine, while the unregistered removable storage device cannot copy data off the ferry machine, which avoids leakage on the ferry machine. The removable storage devices (the first and/or the second removable storage device) are protected by a login password, so even if a device is lost it is difficult to read the data stored on it. The data a removable storage device copies from the ferry machine is data encrypted by the ferry machine, which further protects the data after the device is lost. The registration information of removable storage devices on the ferry machine and the classified host is stored in the respective trusted computing modules of the ferry machine and the classified host, which prevents tampering with the registration information of removable storage devices and the resulting leakage in the classified network. In addition, while the registration information of removable storage devices on the ferry machine and the classified host is stored in the respective trusted computing modules, a copy may also be kept in the local databases of the ferry machine and the classified host.
Fig. 2 is a flow chart of ferrying data from the classified host through the ferry machine to the external network in the method for ferrying data securely of embodiment one; referring to Fig. 2:
S21: the first removable storage device used to ferry data between the classified host and the ferry machine is registered on the classified host with read-write permission and on the ferry machine with read-write permission, and a password for logging in to the removable storage device is set.
Registering the first removable storage device on the classified host with read-write permission means that the first removable storage device can copy its own data onto the classified host and can also copy data from the classified host to itself.
S22: the first removable storage device used to ferry data between the classified host and the ferry machine is connected to the classified host; the password is entered in the password prompt displayed by the classified host; after the password is verified, the classified host detects whether the connected first removable storage device is registered on it and, if so, verifies the signature; after the signature verifies, the data to be copied to the first removable storage device is encrypted and the encrypted data is copied onto the first removable storage device.
S23: the first removable storage device used to ferry data between the classified host and the ferry machine is connected to the ferry machine; the password is entered in the password prompt displayed by the ferry machine; after the password is verified, the ferry machine detects whether the connected first removable storage device is registered on it and, if so, verifies the signature; after the signature verifies, the data is copied onto the ferry machine and the ferry machine decrypts it.
S24: the second removable storage device used to ferry data between the ferry machine and the external network is connected to the ferry machine; the password is entered in the password prompt displayed by the ferry machine; after the password is verified, the ferry machine detects whether the connected second removable storage device is registered on it and, if so, the data is copied onto the second removable storage device. Whether the data is encrypted at this point depends on whether the second removable storage device itself has encryption and decryption functions: if it does, the files are encrypted; if not, encryption is not needed. Both approaches protect the data: the former uses the double protection of password and data encryption, the latter protects the removable storage device with the password.
In this step, to further ensure data security, the second removable storage device may be given a time limit for its read-write permission on the ferry machine, for example 5 minutes; after 5 minutes the second removable storage device no longer has read-write permission on the ferry machine, or has only read-only permission.
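The permission rules stated across this embodiment (read-only and read-write in the patent's sense, read-only for devices not registered on the ferry machine, and the time-limited read-write registration of S24), as an added Go example that is not the patent's code. A map stands in for the registration information the patent keeps in the trusted computing module. Two points are choices of this example where the text is silent or leaves two options: a classified host grants an unregistered device nothing at all, and an expired time limit on the ferry machine falls back to read-only rather than to no permission.

```go
package main

import (
	"fmt"
	"time"
)

// Permission in the patent's sense: read-only means the device's own data may
// be copied onto the machine but nothing may be copied from the machine to the
// device; read-write allows copies in both directions.
type Permission int

const (
	None Permission = iota
	ReadOnly
	ReadWrite
)

// Operation is the direction of a copy.
type Operation int

const (
	CopyToMachine Operation = iota // device -> machine
	CopyToDevice                   // machine -> device
)

// Registration is the record a machine keeps for one device.
type Registration struct {
	Perm    Permission
	Expires time.Time // zero value: no time limit
}

type Machine struct {
	Name          string
	IsFerry       bool
	Registrations map[string]Registration // keyed by device identifier
}

func NewMachine(name string, isFerry bool) *Machine {
	return &Machine{Name: name, IsFerry: isFerry, Registrations: map[string]Registration{}}
}

// Register records perm for dev; ttl > 0 adds the time limit of S24.
func (m *Machine) Register(dev string, perm Permission, ttl time.Duration, now time.Time) {
	reg := Registration{Perm: perm}
	if ttl > 0 {
		reg.Expires = now.Add(ttl)
	}
	m.Registrations[dev] = reg
}

// Effective returns the permission dev has on this machine at time now.
func (m *Machine) Effective(dev string, now time.Time) Permission {
	reg, ok := m.Registrations[dev]
	if !ok {
		if m.IsFerry {
			return ReadOnly // unregistered devices are read-only on the ferry machine
		}
		return None // assumption: a classified host serves registered devices only
	}
	if !reg.Expires.IsZero() && !now.Before(reg.Expires) {
		if m.IsFerry {
			return ReadOnly // assumption: expired limit falls back to read-only
		}
		return None
	}
	return reg.Perm
}

// Allow decides whether op is permitted for dev at time now.
func (m *Machine) Allow(dev string, op Operation, now time.Time) bool {
	switch m.Effective(dev, now) {
	case ReadWrite:
		return true
	case ReadOnly:
		return op == CopyToMachine
	}
	return false
}

func main() {
	host := NewMachine("classified-host", false)
	ferry := NewMachine("ferry-machine", true)
	t0 := time.Now()
	// Fig. 1 direction: first device read-only on the host, read-write on the ferry.
	host.Register("dev1", ReadOnly, 0, t0)
	ferry.Register("dev1", ReadWrite, 0, t0)
	// S24: second device read-write on the ferry for five minutes.
	ferry.Register("dev2", ReadWrite, 5*time.Minute, t0)
	fmt.Println("dev1 copies ferry data to itself:", ferry.Allow("dev1", CopyToDevice, t0))
	fmt.Println("dev1 copies host data to itself:", host.Allow("dev1", CopyToDevice, t0))
	fmt.Println("dev2 after five minutes:", ferry.Allow("dev2", CopyToDevice, t0.Add(5*time.Minute)))
}
```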
The present invention further comprises a system for ferrying data securely, comprising a classified host, a ferry machine and a first removable storage device for ferrying data between the classified host and the ferry machine, wherein the classified host is configured to register the first removable storage device on itself with read-only or read-write permission, the ferry machine is configured to register the first removable storage device on itself with read-write permission, and the first removable storage device is configured to ferry data between the ferry machine and the classified host.
Fig. 3 is a block diagram of the system for ferrying data securely according to an embodiment of the present invention. Referring to Fig. 3:
A system for ferrying data securely includes a classified host 31, a ferry machine 32, a first removable storage device 33 for ferrying data between the classified host and the ferry machine, and a second removable storage device 34 for ferrying data between the ferry machine and the external network, wherein:
The classified host 31 and the ferry machine 32 are each provided with an antivirus module, a registration management module, a password verification module, a data encryption/decryption module and a trusted computing module. The antivirus module scans for viruses in the data on any removable storage device connected to the classified host 31 or the ferry machine 32. The registration management module detects whether a connected removable storage device has already been registered on this classified host 31 or ferry machine 32, registers unregistered removable storage devices, and queries the registration information of removable storage devices; the registration management module in the classified host 31 is specifically used to register the first removable storage device 33 with read-only or read-write permission, and the registration management module in the ferry machine 32 is specifically used to register the first removable storage device 33 with read-write permission and the second removable storage device 34 with read-write permission. The password verification module obtains the password for logging in to a removable storage device and verifies the password entered by the user against it. The data encryption/decryption module encrypts and decrypts the data read from or written to a removable storage device on the classified host 31 or the ferry machine 32. The trusted computing module stores the registration information of removable storage devices. The first removable storage device 33 for ferrying data between the classified host and the ferry machine includes a trusted computing module, which stores the password for logging in to the first removable storage device.
Further, the nonvolatile storage space of the trusted computing module of the first removable storage device 33 for ferrying data between the classified host and the ferry machine is also used to hold a classified-host registration flag and a ferry-machine registration flag, and may also be used to store the signature information of the registration identifiers. The registration management modules on the classified host 31 and the ferry machine 32 write the registration identifier of the classified host 31 into the classified-host registration flag and the registration identifier of the ferry machine 32 into the ferry-machine registration identifier field. The trusted computing module on the classified host 31 is further used to generate a PIK or PEK with which the registration identifier of the classified host 31 is signed; the trusted computing module on the ferry machine 32 is further used to generate a PIK or PEK with which the registration identifier of the ferry machine 32 is signed.
Further, the classified host 31 and the ferry machine 32 may also include a data filtering module and a data audit module. The data filtering module filters, according to preset rules, the data that a removable storage device reads or writes on the classified host 31 or the ferry machine 32; the data audit module stores, and allows querying of, the operation records of removable storage devices reading or writing data on the classified host 31 or the ferry machine 32.
Further, the second removable storage device 34 for ferrying data between the ferry machine and the external network may or may not have a trusted computing module. When the second removable storage device 34 is to ferry data from the ferry machine to the external network, it needs to be registered on the ferry machine and the permissions it holds need to be set; the registration information is saved in the local database of the ferry machine. When this second removable storage device is inserted into the ferry machine, the ferry machine authenticates it to determine which permissions it holds, and the data filtering module then filters the operations on its data according to its registration information.
The above is a further detailed description of the present invention in combination with specific embodiments, and the specific implementation of the present invention cannot be considered limited to these descriptions. A person of ordinary skill in the technical field of the present invention may also make some simple deductions or substitutions without departing from the inventive concept, and these should all be considered as falling within the protection scope of the present invention.
Claims (12)
1. A method for ferrying data securely, characterized in that it includes:
registering a first removable storage device, used for ferrying data between a classified host and a ferry machine, on the classified host with read-only or read-write permission, and registering it on the ferry machine with read-write permission; the process of registering the first removable storage device on the classified host and the ferry machine includes: connecting the first removable storage device to the classified host; writing the registration identifier of the classified host into the classified-host registration flag in the nonvolatile storage space of the trusted computing module of the first removable storage device, and signing the registration identifier of the classified host with the platform identity key or platform identity certificate of the trusted computing module of the classified host; connecting the first removable storage device to the ferry machine; detecting whether the registration identifier of a classified host has been written in the nonvolatile storage space of the first removable storage device; if it has been written, parsing the registration identifier of the classified host to obtain the platform identity key or platform identity certificate of the trusted computing module of the classified host; performing signature verification of the registration identifier of the classified host with the platform identity key or platform identity certificate; after verification passes, writing the registration identifier of the ferry machine into the ferry-machine registration identifier field in the nonvolatile storage of the first removable storage device, and signing the registration identifier of the ferry machine with the platform identity key or platform identity certificate of the trusted computing module of the ferry machine;
the first removable storage device ferrying data between the ferry machine and the classified host.
2. The method of claim 1, characterized in that it further includes: registering a second removable storage device, used for ferrying data between the ferry machine and the external network, on the ferry machine with read-write permission; other removable storage devices registered on the ferry machine do not have read-only permission on the ferry machine.
3. The method of claim 1, characterized in that when data is ferried from the classified host to the external network, the first removable storage device is registered on the classified host with read-write permission; when data is ferried from the external network to the classified host, the first removable storage device is registered on the classified host with read-only permission.
4. The method of claim 1, characterized in that the process of parsing the registration identifier of the classified host to obtain the platform identity key or platform identity certificate of the trusted computing module of the classified host includes: saving in advance, on the ferry machine and in the form of a list, all platform identity keys or platform identity certificates generated by the trusted computing module of the classified host; parsing the registration identifier of the classified host, and selecting from the list the platform identity key or platform identity certificate of the classified host that corresponds to the registration identifier.
5. The method according to any one of claims 1 to 4, characterized in that it further includes setting a password for logging in to the first removable storage device, the password being stored in the trusted computing module of the first removable storage device.
6. The method according to any one of claims 1 to 4, characterized in that the data the first removable storage device copies from the ferry machine is data encrypted by the ferry machine, and after the data encrypted by the ferry machine has been copied to the classified host, it is decrypted by the classified host.
7. The method according to any one of claims 1 to 4, characterized in that the data the first removable storage device copies from the classified host is data encrypted by the classified host, and after the data encrypted by the classified host has been copied to the ferry machine, it is decrypted by the ferry machine.
8. The method according to any one of claims 1 to 4, characterized in that the registration information of the first removable storage device and/or the second removable storage device is stored in the respective trusted computing modules of the classified host and the ferry machine.
9. A system for ferrying data securely, characterized in that the system includes a classified host, a ferry machine and a first removable storage device for ferrying data between the classified host and the ferry machine, wherein:
the classified host is used to register the first removable storage device on it with read-only or read-write permission; the classified host is used to have the first removable storage device connected to it, to write the registration identifier of the classified host into the classified-host registration flag in the nonvolatile storage space of the trusted computing module of the first removable storage device, and to sign the registration identifier of the classified host with the platform identity key or platform identity certificate of the trusted computing module of the classified host;
the ferry machine is used to register the first removable storage device on it with read-write permission; the ferry machine is used to have the first removable storage device connected to it, to detect whether the registration identifier of a classified host has been written in the nonvolatile storage space of the first removable storage device, and, if it has been written, to parse the registration identifier of the classified host to obtain the platform identity key or platform identity certificate of the trusted computing module of the classified host, to perform signature verification of the registration identifier of the classified host with the platform identity key or platform identity certificate, and, after verification passes, to write the registration identifier of the ferry machine into the ferry-machine registration identifier field in the nonvolatile storage space of the first removable storage device and to sign the registration identifier of the ferry machine with the platform identity key or platform identity certificate of the trusted computing module of the ferry machine;
the first removable storage device for ferrying data between the classified host and the ferry machine is used to ferry data between the ferry machine and the classified host.
10. The system of claim 9, characterized in that it further includes a second removable storage device for ferrying data between the ferry machine and the external network; the ferry machine is further used to register the second removable storage device with read-write permission; other removable storage devices not registered on the ferry machine have read-only permission on the ferry machine.
11. The system of claim 9 or 10, characterized in that the first removable storage device includes a trusted computing module, the trusted computing module being used to store the password for logging in to the first removable storage device; the ferry machine and the classified host include a password verification module, the password verification module being used to obtain the password from the trusted computing module and to verify an externally entered password against it.
12. The system of claim 9 or 10, characterized in that the ferry machine and the classified host include a trusted computing module, the trusted computing module being used to store the registration information of the first removable storage device and/or the second removable storage device.
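The two-stage registration of the first removable storage device set out in the description of Fig. 3 (the trusted computing module's nonvolatile registration flags) and in claims 1 and 4, as an added example that is not part of the patent: Ed25519 stands in for the platform identity key or certificate (the patent fixes no algorithm), the map of known hosts stands in for the ferry machine's pre-saved key list, the flag layout is constructed, and all identifiers are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RegFlag is one registration flag in the nonvolatile storage of the device's
// trusted computing module: a machine's registration identifier and that
// machine's signature over it (constructed layout; the patent fixes none).
type RegFlag struct {
	ID  string
	Sig []byte
}

type NVArea struct {
	ClassifiedHost *RegFlag // classified-host registration flag
	FerryMachine   *RegFlag // ferry-machine registration flag
}

// Platform stands in for a machine's trusted computing module and its platform
// identity key; Ed25519 is a stand-in, the patent fixes no algorithm.
type Platform struct {
	ID   string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewPlatform(id string) *Platform {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair
	return &Platform{ID: id, priv: priv, Pub: pub}
}

// verifyFlag is the check a registration management module makes on insertion:
// the flag is present and its signature verifies under the given key.
func verifyFlag(pub ed25519.PublicKey, f *RegFlag) bool {
	return f != nil && ed25519.Verify(pub, []byte(f.ID), f.Sig)
}

// RegisterOnClassifiedHost writes the classified host's registration
// identifier into the device's flag and signs it with the host's key.
func RegisterOnClassifiedHost(host *Platform, dev *NVArea) {
	dev.ClassifiedHost = &RegFlag{ID: host.ID, Sig: ed25519.Sign(host.priv, []byte(host.ID))}
}

// RegisterOnFerryMachine refuses a device whose classified-host flag is missing,
// names a host absent from the ferry machine's pre-saved key list (claim 4), or
// carries a bad signature; otherwise it writes and signs the ferry-machine flag.
func RegisterOnFerryMachine(ferry *Platform, knownHosts map[string]ed25519.PublicKey, dev *NVArea) error {
	if dev.ClassifiedHost == nil {
		return errors.New("device is not registered on any classified host")
	}
	pub, ok := knownHosts[dev.ClassifiedHost.ID]
	if !ok {
		return fmt.Errorf("classified host %q is not in the key list", dev.ClassifiedHost.ID)
	}
	if !verifyFlag(pub, dev.ClassifiedHost) {
		return errors.New("classified-host registration signature does not verify")
	}
	dev.FerryMachine = &RegFlag{ID: ferry.ID, Sig: ed25519.Sign(ferry.priv, []byte(ferry.ID))}
	return nil
}

func main() {
	host, ferry := NewPlatform("CLASSIFIED-HOST-01"), NewPlatform("FERRY-01") // placeholder IDs
	known := map[string]ed25519.PublicKey{host.ID: host.Pub}                    // key list of claim 4
	dev := &NVArea{}
	RegisterOnClassifiedHost(host, dev)
	fmt.Println("registered device:", RegisterOnFerryMachine(ferry, known, dev))
	forged := &NVArea{ClassifiedHost: &RegFlag{ID: host.ID, Sig: make([]byte, ed25519.SignatureSize)}}
	fmt.Println("forged flag:", RegisterOnFerryMachine(ferry, known, forged))
}
```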
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110308360.4A CN103051593B (en) | 2011-10-12 | 2011-10-12 | A kind of method and system of ferrying data safely |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103051593A CN103051593A (en) | 2013-04-17 |
CN103051593B true CN103051593B (en) | 2016-09-14 |
Family
ID=48064097
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C14 | Grant of patent or utility model |
GR01 | Patent grant |