CN103198037A - Reliable pipe control method and system for IO (input output) equipment - Google Patents


Info

Publication number: CN103198037A
Authority: CN (China)
Prior art keywords: usb device, equipment, described usb, registration, credible
Legal status: Granted (current status: Active)
Application number: CN2013101415248A
Other languages: Chinese (zh)
Other versions: CN103198037B (en)
Inventors: 梁志宏, 梁智强, 黄曙, 余南华, 胡朝辉, 江泽鑫, 陈炯聪, 周强峰, 林丹生
Current assignees: Electric Power Research Institute of Guangdong Power Grid Co Ltd; China Standard Software Co Ltd
Original assignee: Electric Power Research Institute of Guangdong Power Grid Co Ltd
Application filed by Electric Power Research Institute of Guangdong Power Grid Co Ltd
Priority to CN201310141524.8A
Publication of CN103198037A
Application granted; publication of CN103198037B


Abstract

The invention provides a trusted management and control method and system for an IO (input/output) device. The method first checks whether the IO port is open; only when the port is open does the IO device allow a USB (universal serial bus) device to connect. The IO device then checks whether the connected USB device is a registered device: if it is already registered with the IO device, the USB device is started and identified; if it is not registered, the USB device is blocked. After the USB device is started, the IO device encrypts it, which in plain terms means the USB device is "formatted" according to the IO device's kernel, removing any viruses, Trojans and similar content that may be stored on it. Finally, the IO device decrypts the USB device using the kernel-side encryption data to obtain a trusted USB flash disk. The trusted USB flash disk then exchanges data with the IO device, ensuring secure management of the IO device and the USB device and secure transmission of data.

Description

Trusted management and control method for an IO device, and system thereof
Technical field
The present invention relates to the field of trusted device control, and in particular to a trusted management and control method for an IO device and a system thereof.
Background
USB is an external bus standard used to standardize the connection and communication between a computer and external devices, and is the interface technology used in the PC field. The USB interface supports plug-and-play and hot-plugging. With the rapid development of computer hardware and software, these advantages of the USB interface have made USB-bus mobile devices more and more widely used.
Nowadays nearly all mobile devices on the market use a USB socket: the USB flash disks we carry, mobile optical drives, printers and so on. The trust problem of USB devices is therefore becoming more and more serious. In particular, anyone can plug our USB flash disks into any IO device at will, which is highly dangerous for both the mobile USB flash disk and the IO device.
Existing techniques mostly address the safety of the USB device itself: whether the USB device carries an unknown virus or Trojan, or whether its files are infected. They never ask whether the device is one the owner actually trusts, and so they cannot fundamentally guarantee the security of the IO device and the USB device.
Summary of the invention
In view of this, there is a need to address the problem that general device-security management methods cannot determine whether a device is a trusted one and therefore cannot fundamentally guarantee device security. A trusted management and control method for an IO device and a system thereof are provided, ensuring secure management of devices and secure transmission of data.
A trusted management and control method for an IO device comprises the steps of:
detecting the IO port and, when the IO port is open, allowing a USB device to connect;
judging whether the USB device is a registered device; if it is a registered device, identifying the USB device; if it is an unregistered device, prohibiting operation of the USB device;
encrypting the identified USB device according to the current operating-system environment of the IO device;
decrypting the encrypted USB device to obtain a trusted USB flash disk.
In one embodiment, detecting the IO port and, when the IO port is open, allowing the USB device to connect specifically comprises: detecting the IO port, and when loading of the driver of the IO port is complete, opening the IO port and allowing the USB device to connect.
In one embodiment, judging whether the USB device is registered, identifying it if it is registered and prohibiting its operation if it is unregistered, comprises the steps of:
judging whether the USB device is a registered device; if it is registered, starting the USB device; if it is unregistered, registering the USB device online and prohibiting its operation in the meantime;
judging whether the online registration of the USB device succeeds; if it succeeds, starting the USB device and writing its registration information into the whitelist of the IO device; if it fails, prohibiting operation of the USB device.
In one embodiment, before the online registration of the USB device there is a further step of:
detecting whether the USB device accepts online registration and, when the USB device does not accept online registration, prohibiting the USB device from starting and exiting the operation.
In one embodiment, judging whether the USB device is registered, starting it if it is registered and prohibiting its operation if it is unregistered, specifically comprises the steps of:
monitoring the kernel process responses of the IO device;
when an insertion event of the USB device is detected, responding to the event and sending the event information to user space for handling;
obtaining the event information and prohibiting operation of the USB device;
according to the event information, checking whether the whitelist of the IO device contains the registration information of the USB device; if it does, starting the USB device; if it does not, prohibiting operation of the USB device.
In one embodiment (claim 6, referring to claims 1 and 2), decrypting the encrypted USB device to obtain the trusted USB flash disk specifically comprises the steps of:
judging whether the IO device has a TCM chip and, if so, whether the TCM chip can start normally; only if the IO device has a TCM chip and the TCM chip starts normally does the operation continue, otherwise no decryption is performed and the operation exits;
checking the algorithms in the kernel of the IO device; if the kernel of the IO device contains the algorithm used to encrypt the USB device, the operation continues, otherwise no decryption is performed and the operation exits;
checking the current operating system; if the current operating system is the one under which the USB device was encrypted, the operation continues, otherwise no decryption is performed and the operation exits;
obtaining the key from the TCM chip and judging whether the key is correct; if it is correct, decrypting the encrypted USB device to obtain the trusted USB flash disk; if it is incorrect, no decryption is performed and the operation exits.
A trusted management and control system for an IO device comprises:
an IO port detection module, for detecting the IO port and, when the IO port is open, allowing a USB device to connect;
a USB device registration judging module, for judging whether the USB device is a registered device; if it is registered, identifying the USB device; if it is unregistered, prohibiting operation of the USB device;
an encryption module, for encrypting the identified USB device according to the current operating-system environment of the IO device;
a decryption module, for decrypting the encrypted USB device to obtain a trusted USB flash disk.
In one embodiment, the USB device registration judging module specifically comprises:
a registration judging unit, for judging whether the USB device is a registered device; if it is registered, starting the USB device; if it is unregistered, registering the USB device online and prohibiting its operation in the meantime;
a registration success judging unit, for judging whether the online registration of the USB device succeeds; if it succeeds, starting the USB device and writing its registration information into the whitelist of the IO device; if it fails, prohibiting operation of the USB device.
In one embodiment, the registration judging unit comprises:
an online registration confirmation unit, for detecting whether the USB device accepts online registration and, when the USB device does not accept online registration, prohibiting the USB device from starting and exiting the operation.
In one embodiment, the USB device registration judging module specifically comprises:
a process monitoring unit, for monitoring the kernel process responses of the IO device;
a response unit, for responding to a detected USB device insertion event and sending the event information to user space for handling;
an information acquisition unit, for obtaining the event information and prohibiting operation of the USB device;
an inspection unit, for checking, according to the event information, whether the whitelist of the IO device contains the registration information of the USB device; if it does, starting the USB device; if it does not, prohibiting operation of the USB device.
In one embodiment, the decryption module specifically comprises:
an IO device inspection unit, for judging whether the IO device has a TCM chip and, if so, whether the TCM chip can start normally; only if the IO device has a TCM chip and the TCM chip starts normally does the operation continue, otherwise no decryption is performed and the operation exits;
an algorithm detection unit, for checking the algorithms in the kernel of the IO device; if the kernel contains the algorithm used to encrypt the USB device, the operation continues, otherwise no decryption is performed and the operation exits;
an operating system detection unit, for checking the current operating system; if it is the operating system under which the USB device was encrypted, the operation continues, otherwise no decryption is performed and the operation exits;
a key acquisition unit, for obtaining the key from the TCM chip and judging whether the key is correct; if it is correct, decrypting the encrypted USB device to obtain the trusted USB flash disk; if it is incorrect, no decryption is performed and the operation exits.
In the trusted management and control method of the present invention, the IO device first judges whether the IO port is open; only when the IO port is open does the IO device allow a USB device to connect. The IO device then judges whether the connected USB device is registered: if it is registered with the IO device, the USB device is started and identified; if it is not registered, it is blocked. After the USB device is started, the IO device encrypts it according to the current operating-system environment, which in plain terms means the USB device is "formatted" according to the IO device's kernel, removing any viruses, Trojans and similar content that may be stored on it. Finally, the IO device decrypts the USB device using the kernel-side encryption data to obtain a trusted USB flash disk, which exchanges data with the IO device, ensuring secure management of the IO device and the USB device and secure transmission of data.
Description of drawings
Fig. 1 is a schematic flow chart of one embodiment of the trusted management and control method for an IO device of the present invention;
Fig. 2 is a schematic flow chart of another embodiment of the trusted management and control method for an IO device of the present invention;
Fig. 3 is a schematic flow chart of another embodiment of the trusted management and control method for an IO device of the present invention;
Fig. 4 is a schematic flow chart of decrypting the encrypted USB device to obtain the trusted USB flash disk in one embodiment of the trusted management and control method for an IO device of the present invention;
Fig. 5 is a structural diagram of one embodiment of the trusted management and control system for an IO device of the present invention;
Fig. 6 is a structural diagram of another embodiment of the trusted management and control system for an IO device of the present invention;
Fig. 7 is a structural diagram of another embodiment of the trusted management and control system for an IO device of the present invention;
Fig. 8 is a structural diagram of the decryption module in one embodiment of the trusted management and control system for an IO device of the present invention.
Embodiments
As shown in Fig. 1, a trusted management and control method for an IO device comprises the steps of:
S100: detecting the IO port and, when the IO port is open, allowing a USB device to connect.
Controlling the IO port protects the IO device: the administrator has the right to open and disable the ports on the IO device, preventing mobile devices from being plugged into the IO device at will. When the IO port is closed, the IO device prohibits USB device operation; only when the IO port is open does the IO device allow the USB device to continue operating. Specifically, the IO port is closed when the IO port driver is unbound from the PCI bus driver, and open when the IO port driver is bound to the PCI bus driver.
S200: judging whether the USB device is a registered device; if it is registered, identifying the USB device; if it is unregistered, prohibiting operation of the USB device.
The IO device judges whether the connected USB device is a device registered on it. Only a device registered on this machine can be identified on this machine; a device that is not registered is prevented from being identified by the IO device. If the connected USB device is unregistered, the IO device prohibits its operation; if it is registered, the IO device identifies the device and continues the operation.
S300: encrypting the identified USB device according to the current operating-system environment of the IO device.
S400: decrypting the encrypted USB device to obtain a trusted USB flash disk.
A trusted USB flash disk is a USB flash disk whose hardware has been encrypted. Only USB flash disk hardware that supports encryption can be made into a trusted USB flash disk by software; hardware that does not support encryption cannot be encrypted by software. All files written to a trusted USB flash disk are automatically encrypted into ciphertext. Before decryption, even if someone obtains the files inside the trusted USB flash disk by forcible means, it is very hard to recover them to plaintext, because they were encrypted with a sufficiently complex algorithm. Only the designated operating system on a trusted computer can decrypt the trusted USB flash disk. The design idea for making a trusted USB flash disk is this: the dm-crypt kernel module uses the kernel's cryptographic API to implement transparent encryption. Because dm-crypt has unrivalled advantages, being faster, easier to use and widely applicable, choosing it for kernel-side encryption is uncontroversial.
The design idea for decrypting the USB flash disk is this: decryption is implemented in the kernel by dm-crypt. It first detects whether the IO device is a trusted computer equipped with a TCM chip; only a trusted computer can decrypt the trusted USB flash disk. It then detects whether the current operating system is the one under which the trusted USB flash disk was made; only the designated operating system can decrypt and open the trusted USB flash disk. It then detects whether the encryption algorithm of this device exists in the kernel; if the algorithm module exists, the trusted USB flash disk is decrypted successfully. The decryption at this point does not decrypt the physical USB device itself. Rather, on top of the device-mapper feature supported since Linux kernel 2.6, a virtual layer is added above the physical USB device, providing a general and flexible way to mirror, encrypt, decrypt and otherwise process it. The advantage is that what results is a decrypted USB device.
In one embodiment, detecting the IO port and, when the IO port is open, allowing the USB device to connect specifically comprises: detecting the IO port, and when loading of the driver of the IO port is complete, opening the IO port and allowing the USB device to connect.
In existing technology, closing and disabling the IO port is feasible by physical means, for example through a setting in the BIOS. The present embodiment achieves IO port control more conveniently and quickly by software, specifically through loading and removing the driver of the IO port: when the driver of the IO port is removed, the IO port is closed; when the driver is loaded, the IO port is opened.
As shown in Fig. 2, step S200 comprises the steps of:
S220: judging whether the USB device is a registered device; if it is registered, starting the USB device; if it is unregistered, registering the USB device online and prohibiting its operation in the meantime.
The registration check works as described for step S200 above: only a device registered on this machine can be identified on this machine, an unregistered device is prohibited from operating, and a registered device is identified and the operation continues.
S240: judging whether the online registration of the USB device succeeds; if it succeeds, starting the USB device and writing its registration information into the whitelist of the IO device; if it fails, prohibiting operation of the USB device.
If the connected device is an unregistered USB device, the IO device, after prohibiting its operation, may also register it online, giving the connected USB device an opportunity to register. If the USB device registers successfully, the IO device writes its registration information into the IO device's whitelist and identifies it as a registered device; if the online registration does not succeed, the IO device prohibits operation of the connected USB device and exits the whole operation.
In this embodiment, the IO device gives each newly connected USB device a chance to register online. This makes it convenient for the IO device administrator to register the USB devices that are needed on the IO device, and helps flexible application of the trusted management and control method of the present invention.
In one embodiment, before the online registration of the USB device there is a further step of:
detecting whether the USB device accepts online registration and, when the USB device does not accept online registration, prohibiting the USB device from starting and exiting the operation.
As shown in Fig. 3, in one embodiment step S200 specifically comprises the steps of:
S320: monitoring the kernel process responses of the IO device, that is, monitoring the corresponding responses in the IO device kernel in real time.
S340: when an insertion event of the USB device is detected, responding to the event and sending the event information to user space for handling. For example, when the insertion of a USB device such as a mouse or a USB flash disk is detected, a response event is obtained; after the event is obtained, the IO device sends it to user space, where it is processed and identified.
S360: obtaining the event information and prohibiting operation of the USB device. The IO device analyses the obtained event information; at the same time, because it has not yet been determined whether the connected USB device is registered, the USB device is prohibited from operating for safety.
S380: according to the event information, checking whether the whitelist of the IO device contains the registration information of the USB device; if it does, starting the USB device; if it does not, prohibiting operation of the USB device. The IO device checks whether the whitelist contains the registration information of the connected USB device; if it does, the connected USB device is started; if it does not, the connected USB device is kept prohibited and the operation exits.
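The default-deny flow of steps S320 to S380, together with the online-registration path of steps S220 and S240, written out as an added shell example (not code from the patent or its assignees). The whitelist file, the device identifiers, the udev rule and the script path are constructed assumptions; the per-device "authorized" attribute that Linux exposes under /sys/bus/usb/devices is passed in as a path so the logic can run against a temporary file.

```shell
#!/bin/sh
# Added example, not the patent's code. In a real deployment a udev rule such as
#   ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", \
#     RUN+="/usr/local/sbin/usb-gate.sh $env{ID_VENDOR_ID} $env{ID_MODEL_ID} $env{ID_SERIAL_SHORT} /sys$devpath/authorized"
# delivers the insertion event to user space (step S340); the script path is a placeholder.

# Constructed whitelist: one "vendor:product:serial" triple per line.
WHITELIST="$(mktemp)"
printf '%s\n' '0781:5567:4C530001230' '0951:1666:E0D55E6C' > "$WHITELIST"

# Step S380: the whole triple must match exactly; vendor/product alone is not enough.
usb_is_registered() { # $1=vendor $2=product $3=serial $4=whitelist file
    grep -qxF "$1:$2:$3" "$4"
}

# Steps S360 and S380: disable the device first, re-enable only if registered.
# $5 is the path of the device's sysfs "authorized" attribute (a temp file here).
usb_gate() {
    authorized="$5"
    echo 0 > "$authorized"             # S360: prohibit operation before deciding
    if usb_is_registered "$1" "$2" "$3" "$4"; then
        echo 1 > "$authorized"         # S380: registered, start the device
        echo allow
    else
        echo deny                      # S380: keep prohibited
    fi
}

# Steps S220 and S240: online registration. Approval ($5 = yes/no) is the
# administrator's decision, constructed here; on success the triple is appended
# to the whitelist so the next insertion is allowed.
usb_register_online() { # $1=vendor $2=product $3=serial $4=whitelist $5=approved
    if [ "$5" = yes ]; then
        printf '%s:%s:%s\n' "$1" "$2" "$3" >> "$4"
        echo registered
    else
        echo "registration failed"
        return 1
    fi
}

# Constructed events: a registered device, then an unknown one that gets registered.
AUTH="$(mktemp)"
usb_gate 0781 5567 4C530001230 "$WHITELIST" "$AUTH"        # prints: allow
usb_gate 0781 5567 DEADBEEF00 "$WHITELIST" "$AUTH"         # prints: deny
usb_register_online 0781 5567 DEADBEEF00 "$WHITELIST" yes  # prints: registered
usb_gate 0781 5567 DEADBEEF00 "$WHITELIST" "$AUTH"         # prints: allow
```

Writing 0 to the attribute before the lookup is what makes the gate fail closed: an unknown device, or a crash in the lookup, leaves the device deauthorized rather than enabled.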
As shown in Fig. 4, in one embodiment step S400 specifically comprises the steps of:
S420: judging whether the IO device has a TCM chip and, if so, whether the TCM chip can start normally; only if the IO device has a TCM chip and the TCM chip starts normally does the operation continue, otherwise no decryption is performed and the operation exits.
First check whether the IO device environment is a trusted computer equipped with a TCM chip, then check whether the TCM chip can start and open normally. If not, the trusted USB flash disk is not decrypted; only a trusted computer whose TCM starts normally can proceed to the next decryption step.
S440: checking the algorithms in the kernel of the IO device; if the kernel contains the algorithm used to encrypt the USB device, the operation continues, otherwise no decryption is performed and the operation exits. The algorithm used when encrypting the USB device is recorded on the USB device; when decrypting, the kernel is checked for this algorithm module, and only if the module exists and is correct can the next decryption step proceed.
S460: checking the current operating system; if it is the operating system under which the USB device was encrypted, the operation continues, otherwise no decryption is performed and the operation exits. This checks whether the current operating system is the one under which the USB device was encrypted; only if the operating system has not changed and is the one used at encryption time can the next step proceed.
S480: obtaining the key from the TCM chip and judging whether the key is correct; if it is correct, decrypting the encrypted USB device to obtain the trusted USB flash disk; if it is incorrect, no decryption is performed and the operation exits. The key is stored in the NV (non-volatile storage) of the TCM or in a file; when the key that is read has not been tampered with, the trusted USB flash disk can be decrypted normally.
Compared with existing technology, in which the encryption algorithms used for USB flash disks do not support the national cryptographic algorithm SM4, the trusted management and control method of the present invention can, provided the kernel supports SM4, select SM4 to encrypt the USB flash disk. Because the trusted-computing TCM chip supports SM4, a later extension can also perform the encryption in the TCM chip's hardware to achieve hardware-level protection. As awareness of security grows, on a trusted computer with a TCM chip a value specific to that chip, such as an NV value that uniquely identifies the TCM chip, can be used as the key for encrypting the USB flash disk, so that the disk can only be decrypted on a computer with that TCM chip, thereby achieving trust in the USB flash disk.
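The four pre-decryption checks of steps S420 to S480 as one gate function, added here as an example rather than taken from the patent. The TCM device node path, the /proc/crypto-style algorithm list, the os-release file, the cipher name and the key fingerprint are constructed stand-ins passed in as paths, and the cryptsetup command that would create the dm-crypt mapping after the gate passes is shown in a comment only.

```shell
#!/bin/sh
# Added example, not the patent's code. Every input is a path so the checks
# run against constructed files; in a real deployment they would be the TCM
# device node (path assumed), /proc/crypto, /etc/os-release and the key read
# from TCM NV or a file.

TMP="$(mktemp -d)"
: > "$TMP/tcm0"                                                             # stands in for the TCM device node
printf 'name         : sm4\ndriver       : sm4-generic\n' > "$TMP/crypto"   # /proc/crypto style listing
printf 'ID=trusted-os\nVERSION_ID=1.0\n' > "$TMP/os-release"                # constructed os-release
printf 'constructed-key-material\n' > "$TMP/key"                            # key as read in step S480
# Fingerprint recorded when the disk was made; the key must still hash to it (S480).
EXPECTED_FP="$(sha256sum "$TMP/key" | cut -d' ' -f1)"

# Returns 0 when decryption may proceed; otherwise prints the refusing step and returns 1.
# $1 TCM node   $2 algorithm list   $3 cipher name recorded on the disk
# $4 os-release $5 expected "ID=VERSION_ID"   $6 key file   $7 expected key fingerprint
trusted_disk_gate() {
    # S420: a trusted computer is one whose TCM is present (a real check would also
    # confirm the chip starts normally; presence of the node is the assumption here).
    [ -e "$1" ] || { echo "S420: no TCM chip"; return 1; }
    # S440: the cipher used at encryption time must be registered in the kernel.
    grep -Eq "^name[[:space:]]*:[[:space:]]*$3\$" "$2" \
        || { echo "S440: cipher $3 not in kernel"; return 1; }
    # S460: the running OS must be the one the disk was made under.
    os="$(. "$4"; echo "$ID=$VERSION_ID")"
    [ "$os" = "$5" ] || { echo "S460: OS $os is not $5"; return 1; }
    # S480: the key read from TCM NV (or a file) must be untampered.
    [ "$(sha256sum "$6" | cut -d' ' -f1)" = "$7" ] || { echo "S480: key mismatch"; return 1; }
    return 0
}

# Only after the gate passes would the dm-crypt mapping be created, e.g. (assumed
# cipher spec, not run here):
#   cryptsetup open --type plain --cipher sm4-cbc-essiv:sha256 --key-file "$TMP/key" /dev/sdX1 trusted_udisk
if trusted_disk_gate "$TMP/tcm0" "$TMP/crypto" sm4 "$TMP/os-release" "trusted-os=1.0" "$TMP/key" "$EXPECTED_FP"; then
    echo "gate passed"   # prints: gate passed
fi
```

Each refusal names the step that stopped it, which is what an operator needs when a disk made on one trusted computer is presented to another: the message distinguishes a missing TCM, a kernel without the cipher, a changed operating system and a tampered key without ever exposing the key itself.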
As shown in Fig. 5, a trusted management and control system for an IO device comprises:
an IO port detection module 100, for detecting the IO port and, when the IO port is open, allowing a USB device to connect. Port control works as described for step S100.
a USB device registration judging module 200, for judging whether the USB device is a registered device; if it is registered, identifying the USB device; if it is unregistered, prohibiting operation of the USB device. The registration check works as described for step S200.
an encryption module 300, for encrypting the identified USB device according to the current operating-system environment of the IO device.
a decryption module 400, for decrypting the encrypted USB device to obtain a trusted USB flash disk. The trusted USB flash disk, and the dm-crypt based design for making and decrypting it, are as described for step S400.
In the trusted management and control system of the present invention, the IO port detection module judges whether the IO port is open; only when the IO port is open does the IO device allow a USB device to connect. The USB device registration judging module then judges whether the connected USB device is registered: if it is registered with the IO device, the USB device is started and identified; if it is not registered, it is blocked. The encryption module encrypts the USB device according to the current operating-system environment, which in plain terms means the USB device is "formatted" according to the IO device's kernel, removing any viruses, Trojans and similar content that may be stored on it. Finally, the decryption module decrypts the USB device using the kernel-side encryption data to obtain a trusted USB flash disk, which exchanges data with the IO device, ensuring secure management of the IO device and the USB device and secure transmission of data.
As shown in Figure 6, in one embodiment the USB device registration judgement module 200 comprises:
a registration judgement unit 220, used to judge whether the USB device is a registered device; if it is a registered device, the USB device is started; if it is an unregistered device, the USB device is registered online and, meanwhile, forbidden from operating;
a registration-success judgement unit 240, used to judge whether the online registration of the USB device succeeded; if the online registration succeeded, the USB device is started and its registration information is written into the whitelist of the IO device; if the online registration failed, the USB device is forbidden from operating.
In one embodiment, the registration judgement unit 220 comprises an online registration confirmation unit, used to detect whether the USB device accepts online registration and, when the USB device does not accept online registration, to forbid the USB device from starting and exit the operation.
As shown in Figure 7, in one embodiment the USB device registration judgement module 200 specifically comprises:
a process monitoring unit 720, used to monitor the response of the kernel process of the IO device;
a response unit 740, used, when an insertion event of the USB device is detected, to respond to the event and send the event information to user space for handling;
an information acquisition unit 760, used to obtain the event information and forbid the USB device from operating;
an inspection unit 780, used to check, according to the event information, whether the whitelist of the IO device contains the registration information of the USB device; if it does, the USB device is started; if it does not, the USB device is forbidden from operating.
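The kernel-event-to-whitelist flow of units 720 through 780 (the same procedure as claim 5), as an added example in Python; this is not the patent's code. It assumes a Linux IO device on which udev runs the script for the usb_device add event with DEVPATH in the environment, on which the host controllers were set to deny by default through the sysfs authorized_default attribute so that an enumerated device stays forbidden until the gate writes 1 to its authorized attribute, and a whitelist file format of vid:pid:serial that is this example's own choice. The demo runs against a temporary directory standing in for the device's sysfs directory, so it needs neither root nor a real drive.

```python
"""USB admission gate: hold a newly inserted device, then start it only if its
identity is in the IO device's whitelist.

Added example, not the patent's code.  Hypothetical deployment:
  * deny by default on every host controller:
        echo 0 > /sys/bus/usb/devices/usbN/authorized_default
    so an enumerated device stays forbidden until this gate writes 1 to its
    sysfs 'authorized' attribute;
  * a udev rule hands the kernel event to this script (user space):
        ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", \
            RUN+="/usr/local/sbin/usb_gate.py"
  * whitelist lines are 'vid:pid:serial' (this example's own format).
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class UsbIdentity:
    vendor_id: str   # idVendor, 4 hex digits, lower case
    product_id: str  # idProduct, 4 hex digits, lower case
    serial: str      # iSerialNumber string; "" if the device reports none


def identity_from_sysfs(dev_dir: str) -> Optional[UsbIdentity]:
    """Read the identity the kernel exposes for a usb_device in its sysfs
    directory (idVendor, idProduct, serial).  None if the basics are missing."""
    def attr(name: str) -> str:
        try:
            with open(os.path.join(dev_dir, name)) as f:
                return f.read().strip()
        except FileNotFoundError:
            return ""
    vid, pid = attr("idVendor"), attr("idProduct")
    if not vid or not pid:
        return None
    return UsbIdentity(vid.lower(), pid.lower(), attr("serial"))


def load_whitelist(text: str) -> Set[UsbIdentity]:
    """Parse 'vid:pid:serial' lines; '#' starts a comment, blank lines ignored."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"malformed whitelist line: {raw!r}")
        entries.add(UsbIdentity(parts[0].lower(), parts[1].lower(), parts[2]))
    return entries


def decide(identity: Optional[UsbIdentity], whitelist: Set[UsbIdentity]) -> bool:
    """Registered devices are started; anything else stays forbidden.  A device
    without a serial number can never be registered, so it is always refused."""
    if identity is None or not identity.serial:
        return False
    return identity in whitelist


def apply_decision(dev_dir: str, allowed: bool) -> bool:
    """Write the sysfs 'authorized' flag: 1 lets the kernel bind drivers and
    start the device, 0 keeps (or puts) it in the forbidden state."""
    with open(os.path.join(dev_dir, "authorized"), "w") as flag:
        flag.write("1" if allowed else "0")
    return allowed


def gate(dev_dir: str, whitelist_text: str) -> bool:
    """Units 760 and 780: take the event, forbid the device, look it up in the
    whitelist, then start it or leave it forbidden."""
    apply_decision(dev_dir, False)
    allowed = decide(identity_from_sysfs(dev_dir), load_whitelist(whitelist_text))
    return apply_decision(dev_dir, allowed)


# Constructed sample data: one registered flash drive (not a real inventory).
CONSTRUCTED_WHITELIST = """\
# vid:pid:serial
0781:5567:4C530001230425110593
"""


def demo_gate(vid: str, pid: str, serial: Optional[str]) -> Tuple[bool, str]:
    """Run gate() against a temporary stand-in for the device's sysfs directory;
    return (allowed, contents of the 'authorized' file)."""
    with tempfile.TemporaryDirectory() as dev_dir:
        for name, value in (("idVendor", vid), ("idProduct", pid), ("serial", serial)):
            if value is not None:
                with open(os.path.join(dev_dir, name), "w") as f:
                    f.write(value + "\n")
        allowed = gate(dev_dir, CONSTRUCTED_WHITELIST)
        with open(os.path.join(dev_dir, "authorized")) as flag:
            return allowed, flag.read()


if __name__ == "__main__":
    if "DEVPATH" in os.environ:   # invoked by udev: real sysfs, real whitelist file
        with open("/etc/usb-whitelist") as wl:   # hypothetical path
            gate("/sys" + os.environ["DEVPATH"], wl.read())
    else:                          # stand-alone demo on constructed data
        print("registered drive   ->", demo_gate("0781", "5567", "4C530001230425110593"))  # (True, '1')
        print("unregistered drive ->", demo_gate("0781", "5567", "0000000000000000"))      # (False, '0')
```

The identity used here (idVendor, idProduct, serial) is reported by the device itself, so the whitelist stops unregistered drives, not a device built to present a registered drive's descriptors; in the design described on this page, that gap is what the kernel-bound encryption and the TCM key check of the decryption module are there to cover.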
As shown in Figure 8, in one embodiment the decryption module 400 specifically comprises:
an IO device inspection unit 420, used to judge whether the IO device has a TCM chip and, if so, whether the TCM chip can start normally; if the IO device has a TCM chip and the TCM chip starts normally, the following operations continue, otherwise no decryption is performed and the operation exits;
an algorithm detection unit 440, used to check the algorithms in the kernel of the IO device; if the algorithm that encrypted the USB device exists in the kernel of the IO device, the following operations continue, otherwise no decryption is performed and the operation exits;
an operating system detection unit 460, used to check the current operating system; if the current operating system is the operating system that encrypted the USB device, the following operations continue, otherwise no decryption is performed and the operation exits;
a key acquisition unit 480, used to obtain the key from the TCM chip and judge whether the key is correct; if it is correct, the encrypted USB device is decrypted to obtain the trusted USB flash drive; if it is incorrect, no decryption is performed and the operation exits.
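The four-stage gate of units 420 through 480 (the same procedure as claim 6), together with the dm-crypt/device-mapper opening described earlier for the trusted U disk, as one added example in Python; this is not the patent's implementation. It assumes that the drive was formatted as a LUKS volume whose key is held in the TCM (so cryptsetup's own header check is what decides whether the key is correct), that tcm_probe() and tcm_key() are hypothetical stand-ins for the platform's TCM API, and that the identity of the encrypting operating system was recorded at format time as an ID:VERSION_ID tag taken from /etc/os-release. cryptsetup is only reached through an injectable runner, so the demo runs without root or a real drive.

```python
"""Decryption gate for a trusted U disk: TCM present -> cipher in the kernel
-> same OS that encrypted the drive -> key from the TCM accepted -> open the
device-mapper (dm-crypt) view of the drive.

Added example, not the patent's implementation.  Hypothetical assumptions:
the drive is a LUKS volume whose key lives in the TCM (so `cryptsetup open`
is what tests the key against the header); tcm_probe()/tcm_key() stand in
for the platform's TCM API; the encrypting OS was recorded at format time
as an ID:VERSION_ID tag taken from /etc/os-release.
"""
import subprocess
from typing import Callable, Dict, List, Optional, Tuple


def parse_proc_crypto(text: str) -> List[Dict[str, str]]:
    """/proc/crypto: 'key : value' records separated by blank lines."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def kernel_has_cipher(name: str, proc_crypto_text: str) -> bool:
    """True if the algorithm is registered and passed its self-test.  Caveat:
    template instances such as xts(aes) are listed only after first use, so
    False can mean 'not loaded yet' rather than 'unavailable'."""
    return any(r.get("name") == name and r.get("selftest") == "passed"
               for r in parse_proc_crypto(proc_crypto_text))


def os_tag(os_release_text: str) -> str:
    """ID:VERSION_ID from /etc/os-release, e.g. 'trustedos:1.0'."""
    fields = {}
    for line in os_release_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.startswith("#"):
            fields[key.strip()] = value.strip().strip('"')
    return f"{fields.get('ID', '?')}:{fields.get('VERSION_ID', '?')}"


def open_trusted_udisk(device: str, mapping: str, cipher: str, expected_os: str,
                       proc_crypto_text: str, os_release_text: str,
                       tcm_probe: Callable[[], bool], tcm_key: Callable[[], Optional[bytes]],
                       runner: Callable = subprocess.run) -> Tuple[bool, str]:
    """The four checks in the patent's order; stop at the first failure."""
    if not tcm_probe():
        return False, "no TCM chip, or the TCM did not start"
    if not kernel_has_cipher(cipher, proc_crypto_text):
        return False, f"kernel has no usable {cipher}"
    current = os_tag(os_release_text)
    if current != expected_os:
        return False, f"current OS {current} is not the encrypting OS {expected_os}"
    key = tcm_key()
    if not key:
        return False, "TCM did not release a key"
    # A wrong key cannot open the LUKS header: that is the 'is the key correct' test.
    result = runner(["cryptsetup", "open", "--type", "luks", "--key-file", "-",
                     device, mapping], input=key, capture_output=True)
    if result.returncode != 0:
        return False, "key rejected by the LUKS header"
    # Plaintext appears only on the mapping; the USB device itself stays ciphertext.
    return True, f"/dev/mapper/{mapping}"


# Constructed sample inputs, not captured from a real machine.
CONSTRUCTED_PROC_CRYPTO = """\
name         : xts(aes)
driver       : xts(aes-generic)
module       : kernel
selftest     : passed
type         : skcipher
blocksize    : 16
min keysize  : 32
max keysize  : 64

name         : aes
driver       : aes-generic
module       : kernel
selftest     : passed
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
"""
CONSTRUCTED_OS_RELEASE = 'NAME="Trusted OS"\nID=trustedos\nVERSION_ID="1.0"\n'
GOOD_KEY = b"constructed-32-byte-key-for-demo"


def fake_cryptsetup(cmd, **kwargs) -> subprocess.CompletedProcess:
    """Stand-in runner: only GOOD_KEY opens the volume (exit 0), else exit 2."""
    return subprocess.CompletedProcess(cmd, 0 if kwargs.get("input") == GOOD_KEY else 2)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Happy path plus each check failing in turn."""
    def attempt(**overrides):
        args = dict(device="/dev/sdb1", mapping="trusted_udisk", cipher="xts(aes)",
                    expected_os="trustedos:1.0", proc_crypto_text=CONSTRUCTED_PROC_CRYPTO,
                    os_release_text=CONSTRUCTED_OS_RELEASE, tcm_probe=lambda: True,
                    tcm_key=lambda: GOOD_KEY, runner=fake_cryptsetup)
        args.update(overrides)
        return open_trusted_udisk(**args)
    return {"ok": attempt(),
            "no_tcm": attempt(tcm_probe=lambda: False),
            "no_cipher": attempt(cipher="sm4"),
            "wrong_os": attempt(os_release_text='ID=other\nVERSION_ID="2.0"\n'),
            "bad_key": attempt(tcm_key=lambda: b"wrong")}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

Making the trusted U disk is the mirror step under the same assumptions: `cryptsetup luksFormat --key-file - /dev/sdb1` fed the same TCM key, after which the drive holds only ciphertext and plaintext exists only on /dev/mapper/trusted_udisk while the mapping is open. Because /proc/crypto lists xts(aes) only once something has instantiated it, a more robust form of the algorithm check is to let cryptsetup attempt the open and treat its failure as the signal.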
The above embodiments express only several embodiments of the invention, and although their description is relatively specific and detailed, they should not be interpreted as limiting the scope of the claims. It should be pointed out that a person of ordinary skill in the art can make further variations and improvements without departing from the inventive concept, and these all fall within the protection scope of the invention. Therefore, the protection scope of the patent shall be determined by the appended claims.

Claims (11)

1. A trusted control method for an IO device, characterized in that it comprises the steps of:
detecting an IO port and, when the IO port is open, allowing a USB device to be inserted;
judging whether the inserted USB device is a registered device; if it is a registered device, identifying the USB device; if it is an unregistered device, forbidding the USB device from operating;
encrypting the identified USB device according to the current operating system environment of the IO device;
decrypting the encrypted USB device to obtain a trusted USB flash drive.
2. The trusted control method for an IO device according to claim 1, characterized in that detecting the IO port and, when the IO port is open, allowing a USB device to be inserted specifically comprises: detecting the IO port and, when loading of the driver in the IO port is complete, opening the IO port and allowing the USB device to be inserted.
3. The trusted control method for an IO device according to claim 1 or 2, characterized in that judging whether the USB device is a registered device, identifying the USB device if it is a registered device, and forbidding the USB device from operating if it is an unregistered device comprises the steps of:
judging whether the USB device is a registered device; if it is a registered device, starting the USB device; if it is an unregistered device, registering the USB device online and forbidding the USB device from operating;
judging whether the online registration of the USB device succeeded; if the online registration succeeded, starting the USB device and writing the registration information of the USB device into the whitelist of the IO device; if the online registration failed, forbidding the USB device from operating.
4. The trusted control method for an IO device according to claim 3, characterized in that, before registering the USB device online, it further comprises the step of:
detecting whether the USB device accepts online registration and, when the USB device does not accept online registration, forbidding the USB device from starting and exiting the operation.
5. The trusted control method for an IO device according to claim 1 or 2, characterized in that judging whether the USB device is a registered device, starting the USB device if it is a registered device, and forbidding the USB device from operating if it is an unregistered device specifically comprises the steps of:
monitoring the response of the kernel process of the IO device;
when an insertion event of the USB device is detected, responding to the event and sending the event information to user space for handling;
obtaining the event information and forbidding the USB device from operating;
according to the event information, checking whether the whitelist of the IO device contains the registration information of the USB device; if it does, starting the USB device; if it does not, forbidding the USB device from operating.
6. The trusted control method for an IO device according to claim 1 or 2, characterized in that decrypting the encrypted USB device to obtain a trusted USB flash drive specifically comprises the steps of:
judging whether the IO device has a TCM chip and, if so, whether the TCM chip can start normally; if the IO device has a TCM chip and the TCM chip starts normally, continuing with the following operations, otherwise not decrypting and exiting the operation;
checking the algorithms in the kernel of the IO device; if the algorithm that encrypted the USB device exists in the kernel of the IO device, continuing with the following operations, otherwise not decrypting and exiting the operation;
checking the current operating system; if the current operating system is the operating system that encrypted the USB device, continuing with the following operations, otherwise not decrypting and exiting the operation;
obtaining the key from the TCM chip and judging whether the key is correct; if it is correct, decrypting the encrypted USB device to obtain the trusted USB flash drive; if it is incorrect, not decrypting and exiting the operation.
7. A trusted control system for an IO device, characterized in that it comprises:
an IO port detection module, used to detect an IO port and, when the IO port is open, allow a USB device to be inserted;
a USB device registration judgement module, used to judge whether the USB device is a registered device; if it is a registered device, the USB device is identified; if it is an unregistered device, the USB device is forbidden from operating;
an encryption module, used to encrypt the identified USB device according to the current operating system environment of the IO device;
a decryption module, used to decrypt the encrypted USB device to obtain a trusted USB flash drive.
8. The trusted control system for an IO device according to claim 7, characterized in that the USB device registration judgement module comprises:
a registration judgement unit, used to judge whether the USB device is a registered device; if it is a registered device, the USB device is started; if it is an unregistered device, the USB device is registered online and forbidden from operating;
a registration-success judgement unit, used to judge whether the online registration of the USB device succeeded; if the online registration succeeded, the USB device is started and its registration information is written into the whitelist of the IO device; if the online registration failed, the USB device is forbidden from operating.
9. The trusted control system for an IO device according to claim 8, characterized in that the registration judgement unit comprises:
an online registration confirmation unit, used to detect whether the USB device accepts online registration and, when the USB device does not accept online registration, to forbid the USB device from starting and exit the operation.
10. The trusted control system for an IO device according to claim 7, characterized in that the USB device registration judgement module specifically comprises:
a process monitoring unit, used to monitor the response of the kernel process of the IO device;
a response unit, used, when an insertion event of the USB device is detected, to respond to the event and send the event information to user space for handling;
an information acquisition unit, used to obtain the event information and forbid the USB device from operating;
an inspection unit, used to check, according to the event information, whether the whitelist of the IO device contains the registration information of the USB device; if it does, the USB device is started; if it does not, the USB device is forbidden from operating.
11. The trusted control system for an IO device according to claim 7 or 8, characterized in that the decryption module specifically comprises:
an IO device inspection unit, used to judge whether the IO device has a TCM chip and, if so, whether the TCM chip can start normally; if the IO device has a TCM chip and the TCM chip starts normally, the following operations continue, otherwise no decryption is performed and the operation exits;
an algorithm detection unit, used to check the algorithms in the kernel of the IO device; if the algorithm that encrypted the USB device exists in the kernel of the IO device, the following operations continue, otherwise no decryption is performed and the operation exits;
an operating system detection unit, used to check the current operating system; if the current operating system is the operating system that encrypted the USB device, the following operations continue, otherwise no decryption is performed and the operation exits;
a key acquisition unit, used to obtain the key from the TCM chip and judge whether the key is correct; if it is correct, the encrypted USB device is decrypted to obtain the trusted USB flash drive; if it is incorrect, no decryption is performed and the operation exits.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310141524.8A CN103198037B (en) 2013-04-22 2013-04-22 Reliable pipe control method and system for IO (input output) equipment

Publications (2)

Publication Number Publication Date
CN103198037A true CN103198037A (en) 2013-07-10
CN103198037B CN103198037B (en) 2015-06-24

Family

ID=48720612

Country Status (1)

Country Link
CN (1) CN103198037B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104598401A (en) * 2014-12-22 2015-05-06 中国人民解放军信息工程大学 Domestic platform peripheral equipment management and control system and management and control method thereof
CN104636655A (en) * 2015-02-06 2015-05-20 电子科技大学 Credibility verifying method of hot plug device
CN104680055A (en) * 2015-03-02 2015-06-03 北京威努特技术有限公司 Control method for performing management on U disk after access into industrial control system network
CN105718824A (en) * 2015-10-22 2016-06-29 哈尔滨安天科技股份有限公司 System and method for preventing malicious USB equipment
CN106201373A (en) * 2016-06-30 2016-12-07 北京嘉华龙马科技有限公司 A kind of method strengthening existing printer security performance
CN106407793A (en) * 2016-11-16 2017-02-15 北京众谊越泰科技有限公司 Security access monitoring method of USB equipment
CN106919842A (en) * 2017-03-13 2017-07-04 湖州贝格信息安全科技有限公司 Computer safety protective method and computer
CN111753340A (en) * 2020-05-18 2020-10-09 贵州电网有限责任公司 USB interface information security prevention and control method and system
CN114385539A (en) * 2022-01-12 2022-04-22 苏州国芯科技股份有限公司 Verification system, method, device and medium for USB storage equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN200953248Y (en) * 2006-09-20 2007-09-26 北京中乐华建科技有限公司 Fingerprint ciphering virus-killing U disc
CN101324912B (en) * 2008-07-30 2010-06-23 中国航天科工集团第二研究院七○六所 Credible safety computer
CN102236755A (en) * 2011-05-04 2011-11-09 山东超越数控电子有限公司 One-machine multi-user security access control method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Li Ying (李莺) et al.: "USB storage device access control and data security system" (《USB存储设备访问控制与数据安全系统》), Microcomputer Applications (《微计算机应用》) *

Also Published As

Publication number Publication date
CN103198037B (en) 2015-06-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right
Owner name: CHINA STANDARD SOFTWARE CO., LTD.
Effective date: 20131101
C41 Transfer of patent application or patent right or utility model
C53 Correction of patent of invention or patent application
CB03 Change of inventor or designer information
Inventor after: Liang Zhihong, Ning Chaoju, Cui Shantong, Guo Jing, Lv Xuecheng, Liang Zhiqiang, Huang Shu, Yu Nanhua, Hu Chaohui, Jiang Zexin, Chen Jiongcong, Zhou Qiangfeng, Lin Dansheng
Inventor before: Liang Zhihong, Liang Zhiqiang, Huang Shu, Yu Nanhua, Hu Chaohui, Jiang Zexin, Chen Jiongcong, Zhou Qiangfeng, Lin Dansheng
COR Change of bibliographic data
Free format text: CORRECT: INVENTOR; FROM: LIANG ZHIHONG LIANG ZHIQIANG HUANG SHU YU NANHUA HU CHAOHUI JIANG ZEXIN CHEN JIONGCONG ZHOU QIANGFENG LIN DANSHENG TO: LIANG ZHIHONG LIANG ZHIQIANG HUANG SHU YU NANHUA HU CHAOHUI JIANG ZEXIN CHEN JIONGCONG ZHOU QIANGFENG LIN DANSHENG NING CHAOJU CUI SHANTONG GUO JING LV XUECHENG
TA01 Transfer of patent application right
Effective date of registration: 20131101
Address after: 510080 Dongfeng East Road, Dongfeng, Guangdong, Guangzhou, Zhejiang Province, No. 8
Applicant after: Electrical Power Research Institute of Guangdong Power Grid Corporation; China Standard Software Co., Ltd.
Address before: 510080 Dongfeng East Road, Dongfeng, Guangdong, Guangzhou, Zhejiang Province, No. 8
Applicant before: Electrical Power Research Institute of Guangdong Power Grid Corporation
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee
CP01 Change in the name or title of a patent holder
Address after: 510080 Dongfeng East Road, Dongfeng, Guangdong, Guangzhou, Zhejiang Province, No. 8
Patentee after: ELECTRIC POWER RESEARCH INSTITUTE, GUANGDONG POWER GRID CO., LTD.; China Standard Software Co., Ltd.
Address before: 510080 Dongfeng East Road, Dongfeng, Guangdong, Guangzhou, Zhejiang Province, No. 8
Patentee before: Electrical Power Research Institute of Guangdong Power Grid Corporation; China Standard Software Co., Ltd.