CN103051593B - Method and system for securely ferrying data - Google Patents

Method and system for securely ferrying data

Info

Publication number: CN103051593B
Authority: CN (China)
Prior art keywords: host, classified, security matters, storage device, removable storage
Legal status: Active
Application number: CN201110308360.4A
Other languages: Chinese (zh)
Other versions: CN103051593A
Inventors: 付月朋, 艾俊, 王正鹏
Current assignee: Nationz Technologies Inc
Original assignee: Nationz Technologies Inc
Application filed by Nationz Technologies Inc
Priority claimed to CN201110308360.4A; published as CN103051593A, granted as CN103051593B


Abstract

The present invention discloses a method and system for securely ferrying data. In the method, a first removable storage device used to ferry data between a classified host and a ferry machine is registered on the classified host with read-only or read-write permission and on the ferry machine with read-write permission; this first removable storage device then ferries data between the ferry machine and the classified host. The system comprises the classified host, the ferry machine and the first removable storage device, where the classified host registers the first removable storage device on itself with read-only or read-write permission, the ferry machine registers the first removable storage device on itself with read-write permission, and the first removable storage device ferries data between the ferry machine and the classified host. With this scheme the invention prevents an unauthorized removable storage device from copying data off the ferry machine or the classified host and leaking it.

Description

Method and system for securely ferrying data
Technical field
The present invention relates to the field of data transmission, and in particular to a method and system for securely ferrying data.
Background
A ferry attack is an attack that specifically targets removable storage devices in order to steal data from an internal network that is physically isolated from the Internet. Important organizations such as government agencies, the military, banks, research institutions and classified units usually enforce strict physical isolation between their self-built internal networks and the Internet for information-security reasons, so removable storage devices become the tool of choice for exchanging data offline between the internal and external networks. A ferry attack uses a removable storage device as the "ferry boat" and thereby steals data from the intranet indirectly.
To keep the intranet secure, data copied from the external network into the intranet normally passes through a ferry machine, where it is scanned for Trojans and viruses, before it may be copied onto a classified host on the intranet. The existing ferry process, however, has the following problems. First, cross-leakage: if data that one removable storage device copied from a classified host onto the ferry machine is left on the ferry machine rather than deleted, another, unauthorized removable storage device can copy that data off the ferry machine and out to the external network. Second, once a removable storage device is lost, its data leaks. Third, if registration information for a removable storage device is added manually to the back-end database, an unauthorized removable storage device can be connected to the classified network and leak data.
Summary of the invention
The present invention provides a method and system for securely ferrying data, which solves the problem of an unauthorized removable storage device copying data off the ferry machine or the classified host and causing a leak.
To solve the above technical problem, the present invention adopts the following technical solution:
A method for securely ferrying data, comprising:
registering a first removable storage device, used to ferry data between a classified host and a ferry machine, on the classified host with read-only or read-write permission, and on the ferry machine with read-write permission;
the first removable storage device ferrying data between the ferry machine and the classified host.
The method further comprises: registering a second removable storage device, used to ferry data between the ferry machine and the external network, on the ferry machine with read-write permission; a removable storage device that is not registered on the ferry machine has only read-only permission on the ferry machine.
When data is ferried from the classified host to the external network, the first removable storage device is registered on the classified host with read-write permission; when data is ferried from the external network to the classified host, the first removable storage device is registered on the classified host with read-only permission.
Registering the first removable storage device on the classified host and the ferry machine comprises: first registering the first removable storage device on the classified host; then, on the ferry machine, registering the first removable storage device that has been successfully registered on the classified host.
Registering the first removable storage device on the classified host comprises: connecting the first removable storage device to the classified host; writing the registration identifier of the classified host into the classified-host registration field of the non-volatile storage space of the trusted computing module in the first removable storage device; and signing the registration identifier of the classified host with the platform identity key (PIK) or platform identity certificate (PEK certificate) of the classified host's trusted computing module.
Registering, on the ferry machine, the first removable storage device that has been successfully registered on the classified host comprises: connecting the first removable storage device to the ferry machine; checking whether a classified host's registration identifier has been written into the non-volatile storage space of the first removable storage device; if it has, parsing the classified host's registration identifier to obtain the PIK or PEK of the classified host's trusted computing module; verifying the signature over the classified host's registration identifier with that PIK or PEK; and, once verification passes, writing the ferry machine's registration identifier into the ferry-machine registration field of the device's non-volatile storage space and signing it with the PIK or PEK of the ferry machine's trusted computing module.
Parsing the classified host's registration identifier to obtain the PIK or PEK of its trusted computing module comprises: storing in advance on the ferry machine, as a list, all PIKs or PEKs generated by the trusted computing module of the classified host; parsing the classified host's registration identifier and selecting from the list the PIK or PEK corresponding to that registration identifier.
The method further comprises setting a password for logging in to the removable storage device, the password being stored in the trusted computing module of the removable storage device.
The data that the first removable storage device copies from the ferry machine is data encrypted by the ferry machine; after the ferry-machine-encrypted data has been copied to the classified host, the classified host decrypts it.
The data that the first removable storage device copies from the classified host is data encrypted by the classified host; after the classified-host-encrypted data has been copied to the ferry machine, the ferry machine decrypts it.
The registration information of the removable storage device is stored in the respective trusted computing modules of the classified host and the ferry machine.
A system for securely ferrying data, comprising a classified host, a ferry machine and a first removable storage device for ferrying data between the classified host and the ferry machine, wherein
the classified host is configured to register the first removable storage device on itself with read-only or read-write permission;
the ferry machine is configured to register the first removable storage device on itself with read-write permission;
the first removable storage device for ferrying data between the classified host and the ferry machine is configured to ferry data between the ferry machine and the classified host.
The system further comprises a second removable storage device for ferrying data between the ferry machine and the external network; the ferry machine is further configured to register the second removable storage device with read-write permission; a removable storage device not registered on the ferry machine has only read-only permission on the ferry machine.
The removable storage device comprises a trusted computing module that stores the password for logging in to the removable storage device; the ferry machine and the classified host comprise a password verification module that reads the password from the trusted computing module and verifies an externally entered password against it.
The ferry machine and the classified host comprise trusted computing modules that store the registration information of removable storage devices.
The present invention provides a method and system for securely ferrying data: a first removable storage device used to ferry data between a classified host and a ferry machine is registered on the classified host with read-only or read-write permission and on the ferry machine with read-write permission; the registered removable storage device ferries data between the ferry machine and the classified host, while an unregistered removable storage device is not allowed to copy data off the ferry machine or the classified host. This prevents an unauthorized removable storage device from copying data off the ferry machine or the classified host and leaking it.
Further, the first removable storage device is registered on the classified host first, and only a first removable storage device that has been successfully registered on the classified host can then complete registration on the ferry machine, which further raises the security of the first removable storage device.
Further, a login password is set for the removable storage device (the first removable storage device and/or the second removable storage device); the user accesses the device only by entering this password, which removes the risk that, after the device is lost, someone else reads the data on it.
Further, the data the first removable storage device copies from the ferry machine is encrypted by the ferry machine, and/or the data it copies from the classified host is encrypted by the classified host, which further removes the risk that someone else reads the data on a lost first removable storage device.
Further, the registration information of removable storage devices successfully registered on the classified host and the ferry machine is stored in the respective trusted computing modules of the classified host and the ferry machine. This avoids the prior-art problem where registration information is kept in a back-end database, so that registration information for a removable storage device can be added to the database manually and an unauthorized device connected to the classified network, leaking data. Registration information includes the read/write attributes of the removable storage device and may also include user information, registration time, usage permissions and similar.
Brief description of the drawings
Fig. 1 is a flow chart of ferrying data from the external network to the classified host through the ferry machine in the secure data ferrying method of embodiment one of the present invention;
Fig. 2 is a flow chart of ferrying data from the classified host to the external network through the ferry machine in the secure data ferrying method of embodiment one of the present invention;
Fig. 3 is a block diagram of the secure data ferrying system of an embodiment of the present invention.
Detailed description of the invention
The method for securely ferrying data provided by the present invention mainly comprises: registering a first removable storage device, used to ferry data between a classified host and a ferry machine, on the classified host with read-only or read-write permission and on the ferry machine with read-write permission; the first removable storage device then ferries data between the ferry machine and the classified host. The method covers both ferrying data from the external network to the classified host through the ferry machine and ferrying data from the classified host to the external network through the ferry machine. Ferrying data from the external network to the classified host through the ferry machine mainly comprises:
Step 1: a second removable storage device, used to ferry data between the ferry machine and the external network, is connected to the ferry machine and its data is copied onto the ferry machine. The second removable storage device in this step may be registered or unregistered on the ferry machine; an unregistered removable storage device has only read-only permission on the ferry machine;
Step 2: a first removable storage device, registered on both the classified host and the ferry machine for ferrying data between them, is connected to the ferry machine and the data on the ferry machine is copied onto the first removable storage device;
Step 3: the first removable storage device is connected to the classified host and the data on it is copied onto the classified host.
In the above process of ferrying data from the external network to the classified host through the ferry machine, the first removable storage device used to ferry data between the classified host and the ferry machine has been registered in advance with read-write permission on the ferry machine and with read-only permission on the classified host.
Ferrying data from the classified host to the external network through the ferry machine mainly comprises:
Step 1: a first removable storage device, registered on both the classified host and the ferry machine for ferrying data between them, is connected to the classified host and the data on the classified host is copied onto the first removable storage device;
Step 2: the first removable storage device is connected to the ferry machine and the data on it is copied onto the ferry machine;
Step 3: a second removable storage device, registered with read-write permission on the ferry machine for ferrying data between the ferry machine and the external network, is connected to the ferry machine and the data on the ferry machine is copied onto it.
In the process of ferrying data from the classified host to the external network through the ferry machine, the first removable storage device used to ferry data between the classified host and the ferry machine has been registered in advance with read-write permission on the classified host and with read-write permission on the ferry machine.
The method is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 is a flow chart of transferring external-network data to the intranet through the ferry machine in the secure data ferrying method of embodiment one; referring to Fig. 1:
S11: a first removable storage device used to ferry data between the classified host and the ferry machine is registered with read-only permission on the classified host, then registered with read-write permission on the ferry machine, and a login password is set for the removable storage device.
Registering the first removable storage device with read-only permission on the classified host means that the device's own data can only be copied onto the classified host, and data on the classified host cannot be copied onto the device; registering it with read-write permission on the ferry machine means that the device's own data can be copied onto the ferry machine and data on the ferry machine can also be copied onto the device.
Setting the password may comprise: initializing the removable storage device, setting the password as the owner password of the trusted computing module in the removable storage device, and storing the password in that trusted computing module. The security of the device's login password is thus guaranteed by the security of the trusted computing module.
The first removable storage device is first registered on the classified host, and then the first removable storage device that has been successfully registered on the classified host is registered on the ferry machine; the detailed process may comprise:
First, the first removable storage device is connected to the classified host; the registration identifier of the classified host is written into the classified-host registration field of the non-volatile storage space of the trusted computing module in the first removable storage device, and the classified host's registration identifier is signed with the PIK or PEK of the classified host's trusted computing module, which completes registration of the first removable storage device on the classified host. Then the first removable storage device is connected to the ferry machine; the ferry machine checks whether a classified host's registration identifier has been written into the device's non-volatile storage space; if so, it parses the classified host's registration identifier to obtain, on the ferry machine, the PIK or PEK of the classified host's trusted computing module; it verifies the signature over the classified host's registration identifier with that PIK or PEK; once verification passes, it writes the ferry machine's registration identifier into the ferry-machine registration field of the device's non-volatile storage space and signs it with the PIK or PEK of the ferry machine's trusted computing module, which completes registration on the ferry machine of the first removable storage device that was successfully registered on the classified host.
When the ferry machine registers the first removable storage device that was successfully registered on the classified host, the method of parsing the classified host's registration identifier in the first removable storage device to obtain the PIK or PEK of the classified host's trusted computing module may comprise: storing in advance on the ferry machine, as a list, all PIKs or PEKs generated by the trusted computing module of the classified host; parsing the classified host's registration identifier and selecting from the list the PIK or PEK corresponding to it.
Updating the classified host's registration identifier in the first removable storage device updates the device's read-only or read-write attribute on the classified host; updating the ferry machine's registration identifier in the first removable storage device (the second removable storage device can be handled the same way) updates the device's read-only or read-write attribute on the ferry machine.
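The two-stage registration described in the summary and again in the detailed process above (classified host signs its registration identifier into the device's non-volatile area; ferry machine looks the host's key up in its list, verifies that signature, and only then adds its own) can be modelled as follows. This is an added example, not code from the patent or from Nationz Technologies. It assumes plain dict records for the non-volatile slots, and it stands in HMAC-SHA256 with a per-host secret for signing with the platform identity key (PIK), so that it runs on the Python standard library alone; a real trusted computing module would use an asymmetric PIK and the verifier would hold only public material.

```python
"""Model of the patent's two-stage device registration (added example).

Signing with a PIK is replaced by HMAC-SHA256 over a per-host secret, an
assumption made so the example needs only the standard library. The PIK list
the ferry machine consults is modelled by the HOST_KEYS dict, keyed by the
host identifier parsed out of the registration identifier.
"""
import hashlib
import hmac
import json

# Constructed per-host secrets standing in for the hosts' PIKs.
HOST_KEYS = {
    "classified-host-A": b"constructed-secret-host-A",
    "classified-host-B": b"constructed-secret-host-B",
}
FERRY_KEY = b"constructed-secret-ferry"   # constructed; stands in for the ferry machine's PIK
FERRY_ID = "ferry-machine-1"


def _sign(key, registration_id):
    return hmac.new(key, registration_id.encode(), hashlib.sha256).hexdigest()


def _verify(key, registration_id, signature):
    return hmac.compare_digest(_sign(key, registration_id), signature)


class RemovableDevice:
    """Non-volatile area of the device's trusted computing module: one slot per
    machine, each holding {'reg_id': <identifier>, 'sig': <signature>}. The
    read-only / read-write attribute travels inside the identifier, as the text
    says it is changed by rewriting that identifier."""

    def __init__(self):
        self.nvram = {"classified_host": None, "ferry": None}


def register_on_classified_host(device, host_id, mode, host_key):
    """Stage 1: the classified host writes and signs its registration identifier.
    Calling it again with a new mode is the 'update' the text describes."""
    if mode not in ("read-only", "read-write"):
        raise ValueError("mode must be read-only or read-write")
    reg_id = json.dumps({"host": host_id, "mode": mode}, sort_keys=True)
    device.nvram["classified_host"] = {"reg_id": reg_id, "sig": _sign(host_key, reg_id)}


def register_on_ferry(device, pik_list):
    """Stage 2: the ferry machine registers the device only if it already carries
    a classified-host registration whose signature checks out against a key
    from the ferry machine's list. Returns True on success."""
    rec = device.nvram["classified_host"]
    if rec is None:
        return False                      # no classified-host registration present
    host_id = json.loads(rec["reg_id"])["host"]
    key = pik_list.get(host_id)           # 'parse the identifier, select the PIK from the list'
    if key is None or not _verify(key, rec["reg_id"], rec["sig"]):
        return False                      # unknown host or forged/tampered record
    reg_id = json.dumps({"host": FERRY_ID, "mode": "read-write"}, sort_keys=True)
    device.nvram["ferry"] = {"reg_id": reg_id, "sig": _sign(FERRY_KEY, reg_id)}
    return True


def check_registration(device, slot, key):
    """What a machine does when the device is plugged in later (S13/S14): verify
    the signature on its own slot and return the registered mode, or None when
    the record is missing or does not verify."""
    rec = device.nvram[slot]
    if rec is None or not _verify(key, rec["reg_id"], rec["sig"]):
        return None
    return json.loads(rec["reg_id"])["mode"]


if __name__ == "__main__":
    dev = RemovableDevice()
    register_on_classified_host(dev, "classified-host-A", "read-only", HOST_KEYS["classified-host-A"])
    print("ferry registration:", register_on_ferry(dev, HOST_KEYS))
    print("mode on host:", check_registration(dev, "classified_host", HOST_KEYS["classified-host-A"]))
    print("mode on ferry:", check_registration(dev, "ferry", FERRY_KEY))
```

The point the model makes explicit is the one the text relies on: because the attribute sits inside the signed identifier, a device whose registration record was edited without the host's key (the third problem in the background section) is reported as unregistered rather than as read-write, and a device carrying a registration from a host not in the ferry machine's list never gets a ferry registration at all.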
S12: a second removable storage device used to ferry data between the ferry machine and the external network is connected to the ferry machine; after the ferry machine has scanned and filtered the data on the second removable storage device for viruses, the data is copied onto the ferry machine.
The second removable storage device in this step may be registered or unregistered on the ferry machine. An unregistered removable storage device has read-only permission on the ferry machine, meaning its own data can only be copied onto the ferry machine, and data on the ferry machine cannot be copied onto it.
S13: the first removable storage device used to ferry data between the classified host and the ferry machine is connected to the ferry machine, and the password is entered in the password prompt displayed by the ferry machine. After the password is verified, the ferry machine checks whether the connected first removable storage device has been registered on it; if so, it verifies the signature. Once the signature verification passes, the ferry machine encrypts the data and copies the encrypted data onto the first removable storage device.
Verifying the signature in this step may comprise: parsing the ferry machine's registration identifier in the removable storage device to obtain the corresponding PEK or PIK from the ferry machine's local PIK or PEK list, and verifying the signature over the ferry machine's registration identifier with that PEK or PIK.
S14: the first removable storage device used to ferry data between the classified host and the ferry machine is connected to the classified host, and the password is entered in the password prompt displayed by the classified host. After the password is verified, the classified host checks whether the connected first removable storage device has been registered on it; if so, it verifies the signature. Once the signature verification passes, the data is copied onto the classified host and the classified host decrypts it, completing the transfer of data from the external network to the classified host on the classified intranet through the ferry machine.
Verifying the signature in this step may comprise: parsing the classified host's registration identifier in the removable storage device to obtain the corresponding PEK or PIK from the classified host's local PIK or PEK list, and verifying the signature over the classified host's registration identifier with that PEK or PIK.
In this embodiment the ferry machine may be a stand-alone computer connected to no network and to no other computer. An unregistered removable storage device has read-only permission on the ferry machine: the ferry machine scans and filters the data on the unregistered device for viruses and then copies it onto itself, while the unregistered device cannot copy data off the ferry machine, which avoids leaks on the ferry machine. A login password is set on the removable storage device (the first and/or the second removable storage device), so even if the device is lost it is difficult to read the data stored on it. The data a removable storage device copies from the ferry machine is encrypted by the ferry machine, which further protects the data if the device is lost. The registration information of removable storage devices on the ferry machine and the classified host is stored in the respective trusted computing modules of the ferry machine and the classified host, which prevents the registration information from being tampered with and data being leaked from the classified network. In addition, a copy of that registration information may also be kept in the local databases of the ferry machine and the classified host.
Fig. 2 is a flow chart of ferrying data from the classified host to the external network through the ferry machine in the secure data ferrying method of embodiment one; referring to Fig. 2:
S21: a first removable storage device used to ferry data between the classified host and the ferry machine is registered with read-write permission on the classified host and with read-write permission on the ferry machine, and a login password is set for the removable storage device.
Registering the first removable storage device with read-write permission on the classified host means that the device's own data can be copied onto the classified host and data on the classified host can also be copied onto the device.
S22: the first removable storage device used to ferry data between the classified host and the ferry machine is connected to the classified host, and the password is entered in the password prompt displayed by the classified host. After the password is verified, the classified host checks whether the connected first removable storage device has been registered on it; if so, it verifies the signature. Once the signature verification passes, the data to be copied to the first removable storage device is encrypted and the encrypted data is copied onto the first removable storage device.
S23: the first removable storage device used to ferry data between the classified host and the ferry machine is connected to the ferry machine, and the password is entered in the password prompt displayed by the ferry machine. After the password is verified, the ferry machine checks whether the connected first removable storage device has been registered on it; if so, it verifies the signature. Once the signature verification passes, the data is copied onto the ferry machine and the ferry machine decrypts it.
S24: a second removable storage device used to ferry data between the ferry machine and the external network is connected to the ferry machine, and the password is entered in the password prompt displayed by the ferry machine. After the password is verified, the ferry machine checks whether the connected second removable storage device has been registered on it; if so, the data is copied onto the second removable storage device. Whether the data needs to be encrypted at this point depends on whether the second removable storage device itself has encryption and decryption capability: if it does, the file is encrypted; if not, no encryption is needed. Both cases protect the data: the former uses the double protection of a password and data encryption, the latter protects the removable storage device with the password.
In this step, to further ensure data security, a time limit may be set on the second removable storage device's read-write permission on the ferry machine, for example 5 minutes; after 5 minutes the second removable storage device no longer has read-write permission on the ferry machine, or has only read-only permission.
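The copy rules spread over the two flows (Steps 1 to 3 in each direction, S11 to S14 and S21 to S24) and the read-write time limit just described reduce to a small policy that each machine evaluates when a device is plugged in: what mode it holds for that device, whether a read-write window has lapsed, and whether data leaving the machine is encrypted. The model below is an added example, not the patent's or Nationz Technologies' code. It assumes a dict-backed registry on each machine, a constructed 300-second limit for the second device, and that the classified host refuses a device it has no registration for (the text says only that the ferry machine treats such a device as read-only); the S24 case where encryption depends on the second device's own capability is not modelled.

```python
"""Copy-permission policy of the ferry machine and classified host (added example).

Modes follow the text's definition: 'read-only' means the machine may read the
device's data onto itself but may not write data to the device; 'read-write'
allows both directions. Registry entries, time values and the 300-second limit
are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

READ_ONLY = "read-only"
READ_WRITE = "read-write"


@dataclass
class Registration:
    mode: str
    expires_at: Optional[float] = None   # time after which read-write lapses; None = no limit


@dataclass
class Machine:
    name: str
    encrypts_outbound: bool                          # S13/S22: data handed to the device is encrypted
    default_unregistered: Optional[str] = READ_ONLY  # mode for an unregistered device; None = refuse
    registry: dict = field(default_factory=dict)     # device_id -> Registration (assumed dict store)

    def register(self, device_id, mode, now, ttl_seconds=None):
        """Record the device's mode, optionally with a read-write time limit (S24)."""
        if mode not in (READ_ONLY, READ_WRITE):
            raise ValueError("mode must be read-only or read-write")
        expires = None if ttl_seconds is None else now + ttl_seconds
        self.registry[device_id] = Registration(mode, expires)

    def effective_mode(self, device_id, now):
        reg = self.registry.get(device_id)
        if reg is None:
            return self.default_unregistered
        if reg.expires_at is not None and now > reg.expires_at:
            return READ_ONLY            # the read-write window has lapsed: read-only only
        return reg.mode

    def decide(self, device_id, direction, password_ok, now):
        """direction is 'device_to_machine' or 'machine_to_device'.
        Returns (allowed, reason) in the order the text checks: password,
        registration, then the mode against the requested direction."""
        if not password_ok:
            return False, "device password not verified"
        mode = self.effective_mode(device_id, now)
        if mode is None:
            return False, "device is not registered on " + self.name
        if direction == "device_to_machine":
            return True, "copy in (after antivirus scan)"
        if direction == "machine_to_device":
            if mode != READ_WRITE:
                return False, "device is read-only on " + self.name
            return True, "copy out encrypted" if self.encrypts_outbound else "copy out"
        raise ValueError("unknown direction")


def build_embodiment(now):
    """Setup of Fig. 1: dev1 is the first device (read-only on the classified host,
    read-write on the ferry machine); dev2 is the second device with a constructed
    300-second read-write limit on the ferry machine."""
    ferry = Machine("ferry-machine", encrypts_outbound=True, default_unregistered=READ_ONLY)
    host = Machine("classified-host", encrypts_outbound=True, default_unregistered=None)
    host.register("dev1", READ_ONLY, now)
    ferry.register("dev1", READ_WRITE, now)
    ferry.register("dev2", READ_WRITE, now, ttl_seconds=300)
    return host, ferry


if __name__ == "__main__":
    host, ferry = build_embodiment(now=1000)
    for machine, dev, direction, t in [
        (ferry, "dev2", "device_to_machine", 1010),   # S12
        (ferry, "dev1", "machine_to_device", 1020),   # S13
        (host, "dev1", "device_to_machine", 1030),    # S14
        (host, "dev1", "machine_to_device", 1030),    # blocked: read-only on the host
        (ferry, "dev2", "machine_to_device", 1400),   # blocked: 300-second window lapsed
    ]:
        print(machine.name, dev, direction, machine.decide(dev, direction, True, t))
```

Running the inbound flow against this policy shows why the first device is registered read-only on the classified host for that direction: the host will accept its data but never hand data back to it, so even a device that is read-write on the ferry machine cannot carry classified data outward. The expiry check also shows the failure mode the 5-minute limit is meant for, a second device left plugged into the ferry machine past its window silently drops to read-only.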
The present invention also includes a system for ferrying data safely. The system includes a classified host, a ferry machine and a first mobile storage device for ferrying data between the classified host and the ferry machine. The classified host registers the first mobile storage device so that it has read-only or read-write capability on the classified host; the ferry machine registers the first mobile storage device so that it has read-write capability on the ferry machine; and the first mobile storage device ferries data between the ferry machine and the classified host.
Fig. 3 is a block diagram of the system for ferrying data safely according to an embodiment of the present invention. Referring to Fig. 3:
The system for ferrying data safely includes a classified host 31, a ferry machine 32, a first mobile storage device 33 for ferrying data between the classified host and the ferry machine, and a second mobile storage device 34 for ferrying data between the ferry machine and the external network, wherein:
The classified host 31 and the ferry machine 32 are each provided with a data antivirus module, a registration management module, a password verification module, a data encryption/decryption module and a trusted computing module. The data antivirus module scans for viruses in the data on a mobile storage device connected to the classified host 31 or the ferry machine 32. The registration management module detects whether a connected mobile storage device has been registered on this classified host 31 or ferry machine 32, registers unregistered mobile storage devices, and queries the registration information of mobile storage devices; the registration management module on the classified host 31 specifically registers the first mobile storage device 33 with read-only or read-write capability, and the registration management module on the ferry machine 32 specifically registers the first mobile storage device 33 with read-write capability and the second mobile storage device 34 with read-write capability. The password verification module obtains the password for logging in to the mobile storage device and verifies the password entered by the user against it. The data encryption/decryption module encrypts and decrypts the data read from or written to the mobile storage device on the classified host 31 or the ferry machine 32. The trusted computing module stores the registration information of mobile storage devices. The first mobile storage device 33 for ferrying data between the classified host and the ferry machine includes a trusted computing module, which stores the password for logging in to the first mobile storage device.
Further, the nonvolatile storage space of the trusted computing module of the first mobile storage device 33 is also used to hold a classified-host registration flag and a ferry-machine registration flag, and may also hold the signature information of the registration identifiers. The registration management modules on the classified host 31 and the ferry machine 32 write the registration identifier of the classified host 31 into the classified-host registration flag and the registration identifier of the ferry machine 32 into the ferry-machine registration flag. The trusted computing module on the classified host 31 also generates a PIK or PEK with which the registration identifier of the classified host 31 is signed; the trusted computing module on the ferry machine 32 also generates a PIK or PEK with which the registration identifier of the ferry machine 32 is signed.
Further, the classified host 31 and the ferry machine 32 may also include a data filtering module and a data audit module. The data filtering module filters, according to preset rules, the data that a mobile storage device reads from or writes to the classified host 31 or the ferry machine 32; the data audit module stores, and allows querying of, the operation records of mobile storage devices reading or writing data on the classified host 31 or the ferry machine 32.
Further, the second mobile storage device 34 for ferrying data between the ferry machine and the external network may or may not have a trusted computing module. When the second mobile storage device 34 is used to ferry data from the ferry machine to the external network, it must be registered on the ferry machine and the permissions it holds must be configured; the registration information is stored in the local database of the ferry machine. When the second mobile storage device is inserted into the ferry machine, the ferry machine authenticates it to determine which permissions it holds, and the data filtering module then filters operations on its data according to its registration information.
The above is a further detailed description of the present invention in connection with specific embodiments, and the specific implementation of the present invention cannot be considered to be limited to these descriptions. A person of ordinary skill in the technical field of the present invention may also make some simple deductions or substitutions without departing from the inventive concept, and all of these should be considered as falling within the protection scope of the present invention.
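The registration handshake on the first mobile storage device (host flag written and signed by the classified host, then checked by the ferry machine against its list of host keys before the ferry machine writes its own signed flag) and the insertion checks of steps S22/S23, together with the time-limited read-write capability described after step S24, as an added Go example. This is not code from the patent or from any Nationz Technologies product. It assumes an ed25519 key pair in place of the PIK of the trusted computing module, a SHA-256 hash for the stored login password, and the identifiers HOST-31 and FERRY-32; every type and function name is an assumption of this example. The time limit is generalised from the description's 5 minutes to any duration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Registration is one flag in the device's nonvolatile space: the registering
// machine's identifier and that machine's signature over it.
type Registration struct{ ID, Sig []byte }

// Device models the trusted computing module of the first mobile storage device:
// the host flag, the ferry-machine flag and the stored login password (kept as a
// SHA-256 hash, an assumption of this example rather than the patent's design).
type Device struct {
	Host, Ferry  *Registration
	PasswordHash [32]byte
}

// Machine is a classified host (IsFerry false) or a ferry machine. An ed25519 key
// pair stands in for the platform identity key of its trusted computing module;
// KnownHostKeys is the ferry machine's list of classified-host keys (claim 4).
type Machine struct {
	IsFerry       bool
	ID            []byte
	priv          ed25519.PrivateKey
	Pub           ed25519.PublicKey
	KnownHostKeys map[string]ed25519.PublicKey
}

func NewMachine(isFerry bool, id string) (*Machine, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Machine{IsFerry: isFerry, ID: []byte(id), priv: priv, Pub: pub,
		KnownHostKeys: map[string]ed25519.PublicKey{}}, nil
}

// RegisterOnHost: the classified host writes its identifier into the device's
// host flag and signs it with its platform key (first half of claim 1).
func (m *Machine) RegisterOnHost(d *Device) {
	d.Host = &Registration{ID: m.ID, Sig: ed25519.Sign(m.priv, m.ID)}
}

// RegisterOnFerry: the ferry machine refuses a device without a host flag, looks
// the host's key up in its list, verifies the host's signature and only then
// writes its own signed identifier (second half of claim 1).
func (m *Machine) RegisterOnFerry(d *Device) error {
	if d.Host == nil {
		return errors.New("device carries no classified-host registration")
	}
	pub, ok := m.KnownHostKeys[string(d.Host.ID)]
	if !ok || !ed25519.Verify(pub, d.Host.ID, d.Host.Sig) {
		return errors.New("classified-host registration cannot be verified")
	}
	d.Ferry = &Registration{ID: m.ID, Sig: ed25519.Sign(m.priv, m.ID)}
	return nil
}

// Admit runs the insertion checks of steps S22/S23 (password, registration on
// this very machine, registration signature) and returns the instant at which
// read-write capability lapses, the description's 5-minute limit generalised.
func (m *Machine) Admit(d *Device, password string, limit time.Duration, now time.Time) (time.Time, error) {
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], d.PasswordHash[:]) != 1 {
		return time.Time{}, errors.New("password verification failed")
	}
	reg := d.Host
	if m.IsFerry {
		reg = d.Ferry
	}
	if reg == nil || string(reg.ID) != string(m.ID) || !ed25519.Verify(m.Pub, reg.ID, reg.Sig) {
		return time.Time{}, errors.New("device is not validly registered on this machine")
	}
	return now.Add(limit), nil
}

// ReadWriteAt reports whether read-write capability is still in force at now;
// after expiry the device is treated as read-only, as the description requires.
func ReadWriteAt(expiry, now time.Time) bool { return now.Before(expiry) }

func main() {
	host, _ := NewMachine(false, "HOST-31")
	ferry, _ := NewMachine(true, "FERRY-32")
	ferry.KnownHostKeys[string(host.ID)] = host.Pub
	dev := &Device{PasswordHash: sha256.Sum256([]byte("constructed-password"))}
	host.RegisterOnHost(dev)
	fmt.Println("ferry registration error:", ferry.RegisterOnFerry(dev))
	expiry, err := ferry.Admit(dev, "constructed-password", 5*time.Minute, time.Now())
	fmt.Println(err, ReadWriteAt(expiry, time.Now()), ReadWriteAt(expiry, time.Now().Add(5*time.Minute)))
}
```

The ordering matters for the threat the abstract names: the ferry machine writes its own flag only after the host flag has been verified against a key it already holds, so a device that was never registered on a classified host, or that was registered on a host the ferry machine does not know, is refused before it ever gains read-write capability, and each machine later re-verifies only the flag it wrote itself.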

Claims (12)

1. A method for ferrying data safely, characterized by including:
registering a first mobile storage device, used for ferrying data between a classified host and a ferry machine, on the classified host so that it has read-only or read-write capability, and on the ferry machine so that it has read-write capability; wherein the process of registering the first mobile storage device on the classified host and the ferry machine includes: connecting the first mobile storage device to the classified host; writing the registration identifier of the classified host into the classified-host registration flag in the nonvolatile storage space of the trusted computing module of the first mobile storage device, and signing the registration identifier of the classified host with the platform identity key or platform identity certificate of the trusted computing module of the classified host; connecting the first mobile storage device to the ferry machine; detecting whether the registration identifier of a classified host has been written into the nonvolatile storage space of the first mobile storage device; if it has, parsing the registration identifier of the classified host to obtain the platform identity key or platform identity certificate of the trusted computing module of the classified host; performing signature verification on the registration identifier of the classified host using that platform identity key or platform identity certificate; after verification passes, writing the registration identifier of the ferry machine into the ferry-machine registration flag in the nonvolatile storage space of the first mobile storage device, and signing the registration identifier of the ferry machine with the platform identity key or platform identity certificate of the trusted computing module of the ferry machine;
the first mobile storage device ferrying data between the ferry machine and the classified host.
2. The method of claim 1, characterized by further including: registering a second mobile storage device, used for ferrying data between the ferry machine and an external network, on the ferry machine so that it has read-write capability; other mobile storage devices not registered on the ferry machine have read-only capability on the ferry machine.
3. The method of claim 1, characterized in that when data is ferried from the classified host to the external network, the first mobile storage device is registered on the classified host with read-write capability; when data is ferried from the external network to the classified host, the first mobile storage device is registered on the classified host with read-only capability.
4. The method of claim 1, characterized in that the process of parsing the registration identifier of the classified host to obtain the platform identity key or platform identity certificate of the trusted computing module of the classified host includes: saving in advance, on the ferry machine and in the form of a list, all platform identity keys or platform identity certificates generated by the trusted computing modules of classified hosts; parsing the registration identifier of the classified host, and selecting from the list the platform identity key or platform identity certificate corresponding to the registration identifier of the classified host.
5. The method of any one of claims 1 to 4, characterized by further including setting a password for logging in to the first mobile storage device, the password being stored in the trusted computing module of the first mobile storage device.
6. The method of any one of claims 1 to 4, characterized in that the data the first mobile storage device copies from the ferry machine is data encrypted by the ferry machine, and after the data encrypted by the ferry machine is copied to the classified host, the classified host decrypts it.
7. The method of any one of claims 1 to 4, characterized in that the data the first mobile storage device copies from the classified host is data encrypted by the classified host, and after the data encrypted by the classified host is copied to the ferry machine, the ferry machine decrypts it.
8. The method of any one of claims 1 to 4, characterized in that the registration information of the first mobile storage device and/or the second mobile storage device is stored in the respective trusted computing modules of the classified host and the ferry machine.
9. A system for ferrying data safely, characterized in that the system includes a classified host, a ferry machine and a first mobile storage device for ferrying data between the classified host and the ferry machine, wherein:
the classified host registers the first mobile storage device so that it has read-only or read-write capability on the classified host; the classified host connects the first mobile storage device, writes the registration identifier of the classified host into the classified-host registration flag in the nonvolatile storage space of the trusted computing module of the first mobile storage device, and signs the registration identifier of the classified host with the platform identity key or platform identity certificate of the trusted computing module of the classified host;
the ferry machine registers the first mobile storage device so that it has read-write capability on the ferry machine; the ferry machine connects the first mobile storage device, detects whether the registration identifier of a classified host has been written into the nonvolatile storage space of the first mobile storage device, and if so parses the registration identifier of the classified host to obtain the platform identity key or platform identity certificate of the trusted computing module of the classified host, performs signature verification on the registration identifier of the classified host using that platform identity key or platform identity certificate, and after verification passes writes the registration identifier of the ferry machine into the ferry-machine registration flag in the nonvolatile storage space of the first mobile storage device and signs the registration identifier of the ferry machine with the platform identity key or platform identity certificate of the trusted computing module of the ferry machine;
the first mobile storage device for ferrying data between the classified host and the ferry machine ferries data between the ferry machine and the classified host.
10. The system of claim 9, characterized by further including a second mobile storage device for ferrying data between the ferry machine and an external network; the ferry machine also registers the second mobile storage device so that it has read-write capability; other mobile storage devices not registered on the ferry machine have read-only capability on the ferry machine.
11. The system of claim 9 or 10, characterized in that the first mobile storage device includes a trusted computing module that stores the password for logging in to the first mobile storage device; the ferry machine and the classified host include a password verification module that obtains the password from the trusted computing module and verifies an externally entered password against it.
12. The system of claim 9 or 10, characterized in that the ferry machine and the classified host include trusted computing modules that store the registration information of the first mobile storage device and/or the second mobile storage device.
CN201110308360.4A 2011-10-12 2011-10-12 A kind of method and system of ferrying data safely Active CN103051593B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110308360.4A CN103051593B (en) 2011-10-12 2011-10-12 A kind of method and system of ferrying data safely

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110308360.4A CN103051593B (en) 2011-10-12 2011-10-12 A kind of method and system of ferrying data safely

Publications (2)

Publication Number Publication Date
CN103051593A CN103051593A (en) 2013-04-17
CN103051593B true CN103051593B (en) 2016-09-14

Family

ID=48064097

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110308360.4A Active CN103051593B (en) 2011-10-12 2011-10-12 A kind of method and system of ferrying data safely

Country Status (1)

Country Link
CN (1) CN103051593B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160241583A1 (en) * 2015-02-13 2016-08-18 Honeywell International Inc. Risk management in an air-gapped environment
CN105243336B (en) * 2015-09-30 2018-02-13 北京奇安信科技有限公司 Data prevention method and device
CN106844254A (en) * 2016-12-29 2017-06-13 武汉烽火众智数字技术有限责任公司 Mobile memory medium switching device, data ferry-boat system and method
CN109753832A (en) * 2017-11-08 2019-05-14 山东超越数控电子股份有限公司 A kind of safe Ferrying machine system and its implementation
CN113344163A (en) * 2021-05-24 2021-09-03 南通大学 Mobile memory and method for realizing one-way data transmission based on NFC
CN117473573A (en) * 2023-12-28 2024-01-30 山东华翼微电子技术股份有限公司 SATA interface system and data security ferrying method

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101458744A (en) * 2007-12-12 2009-06-17 上海爱信诺航芯电子科技有限公司 Digital copyright management proxy system based on dependable computing concept
CN101458667A (en) * 2009-01-10 2009-06-17 汤放鸣 Electronic apparatus with electronic security level identification, information exchange flow control system based on electronic security level identification, method and mobile memory
CN101504711A (en) * 2009-03-26 2009-08-12 北京鼎普科技股份有限公司 Movable storage device and method for controlling computer data downloading
CN101635018A (en) * 2009-09-01 2010-01-27 中国软件与技术服务股份有限公司 Method of safety ferriage of USB flash disk data
CN101940016A (en) * 2008-02-07 2011-01-05 爱立信电话股份有限公司 Method and system for mobile device credentialing
CN101997672A (en) * 2009-08-14 2011-03-30 北京新风机械厂 Information security transmission method and system
CN102063583A (en) * 2010-09-16 2011-05-18 广州世安信息技术有限公司 Data exchange method for mobile storage medium and device thereof
CN102170424A (en) * 2010-12-13 2011-08-31 沈晖 Mobile medium safety protection system based on three-level security architecture

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040077332A1 (en) * 2002-02-08 2004-04-22 Dafna Ephraim Management of pre-paid billing system for wireless communication
JP2004272632A (en) * 2003-03-10 2004-09-30 Sony Corp Information processor, information processing method and computer program

Also Published As

Publication number Publication date
CN103051593A (en) 2013-04-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant