CN108460267A - Computer network information safety device for teaching - Google Patents

Info

Publication number: CN108460267A
Authority: CN (China)
Prior art keywords: integrated, usbkey, management, hardwares, terminal
Legal status: Granted (active)
Application number: CN201711462099.7A
Other languages: Chinese (zh)
Other versions: CN108460267B (en)
Inventors: 区展豪, 邱家旺, 李长青
Current assignee: Guangzhou Hua Xia Technical College
Original assignee: Guangzhou Hua Xia Technical College
Application filed by: Guangzhou Hua Xia Technical College
Priority date and filing date: 2017-12-28
Publication dates: CN108460267A 2018-08-28; CN108460267B (grant) 2020-04-17

Classifications

All listed codes sit under G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING.

    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
            • G06F21/31 User authentication
                • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
        • G06F21/60 Protecting data
            • G06F21/602 Providing cryptographic facilities or services
            • G06F21/604 Tools and structures for managing or administering access control systems
            • G06F21/606 Protecting data by securing the transmission between two devices or processes
            • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
        • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
            • G06F21/82 Protecting input, output or interconnection devices
                • G06F21/85 Protecting input, output or interconnection devices: interconnection devices, e.g. bus-connected or in-line devices
    • G06F11/00 Error detection; Error correction; Monitoring
        • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
            • G06F11/14 Error detection or correction of the data by redundancy in operation
                • G06F11/1402 Saving, restoring, recovering or retrying
                    • G06F11/1446 Point-in-time backing up or restoration of persistent data
                        • G06F11/1458 Management of the backup or restore process
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention discloses a computer network information safety device for teaching. It comprises a terminal and a management server connected to it over TCP/IP. The management server comprises an authentication server, a VCN switching device, a network control module, a port management module and a dual-layer data backup module. The terminal performs built-in user login management through the single interface of the USBKey integrated hardware, and the USBKey integrated hardware carries a hardware firewall module placed at the application layer. The terminal authenticates through the PIN-code boot dongle in the USBKey integrated hardware and at the same time obtains network connection authorization from the authentication server through that boot dongle. The unidirectional anti-copy module in the USBKey integrated hardware sets the interfaces for the terminal's other mobile devices to no-read-write or read-only status, and the terminal performs network connection management and data transmission through the network interface management module and the USB interface of the USBKey integrated hardware. The device effectively ensures the security of network information.

Description

Computer network information safety device for teaching
Technical field
The present invention relates to the field of computer network security, and in particular to a computer network information safety device for teaching.
Background technology
Computers, with their large information storage capacity and fast information processing rate, have given wings to the rapid development of government administration, scientific research, military construction and enterprise development. A large amount of company confidential information is stored in computers, including commercial secrets, technical secrets and management decisions, so the security of computer information is particularly important for a company. Units handling secrets therefore take several measures against the risk of computer information being stolen. The measures most commonly used against outside thieves are to install monitoring equipment, alarm devices and the like on the company premises; the conventional measure against theft of information by internal personnel is to leave the computer without an external transmission interface. However, more and more information is stolen while people are online. To protect computer data while online, some customers install a software firewall, but a software firewall sits at the application layer and only starts once the program runs, so its protective effect on the computer is small; it is a kind of pseudo-protection. Moreover, a computer is an open information storage and exchange platform, and its internal information is extremely easy to copy out illegally through USB, floppy drives, optical drives, serial ports, parallel ports, infrared, IEEE 1394 interfaces and the network, especially through large-capacity removable disks; even the information of an entire LAN can be copied away in full.
Invention content
In order to overcome the shortcomings of the prior art, the present invention provides a computer network information safety device for teaching, which effectively solves the problems set out in the background section.
The technical solution adopted by the present invention to solve the technical problem is as follows:
A computer network information safety device for teaching comprises a terminal and a management server connected to it over TCP/IP. The management server comprises an authentication server, a VCN switching device, a network control module, a port management module and a dual-layer data backup module. The terminal performs built-in user login management through the single interface of the USBKey integrated hardware, and the USBKey integrated hardware carries a hardware firewall module placed at the application layer. The terminal authenticates through the PIN-code boot dongle in the USBKey integrated hardware and at the same time obtains network connection authorization from the authentication server through that boot dongle. The unidirectional anti-copy module in the USBKey integrated hardware sets the interfaces for the terminal's other mobile devices to no-read-write or read-only status, and the terminal performs network connection management and data transmission through the network interface management module and the USB interface of the USBKey integrated hardware.
Further, the dual-layer data backup module comprises hardware database A and hardware database B. The management server has direct management authority over hardware database A, while hardware database B accesses the management server through a VCN gateway, and a relay contact switch is provided on the connection path between hardware database A and hardware database B.
Further, the unidirectional anti-copy module in the USBKey integrated hardware is composed of a high-speed microprocessor, an integrated PCI bus protocol, an FPGA chip for the encryption/decryption algorithm and a cache flash memory; the high-speed microprocessor has a three-stage internal pipeline.
Further, the network port of the terminal's CPU is connected through the network interface card to the input of the hardware firewall, and the hardware firewall is a Eudemon8080 firewall.
Compared with the prior art, the beneficial effects of the invention are:
(1) Through the USBKey integrated hardware, the invention divides the terminals accessing the computer network into virtualized zones and manages them in a unified way. A terminal is started with the user's encrypted dedicated USBKey device together with the PIN-code boot dongle, forming a two-factor secure login that prevents forced access; at the same time, the data transfer algorithm in the unidirectional anti-copy module keeps data exchange in a relatively confidential and secure state.
(2) The system allows each terminal with sufficient rights to access the server's data, lets sensitive data be protected, locked to a seat and encrypted under the corresponding intranet access authorization in a secure situation, and, regardless of whether the network is connected, the backup mechanism of the two hardware databases effectively prevents data from being destroyed and protects information security.
Description of the drawings
Fig. 1 is a schematic diagram of the overall system structure of the present invention.
Reference numerals in the figure:
1 - terminal; 2 - management server; 3 - USBKey integrated hardware; 4 - network interface card;
201 - authentication server; 202 - VCN switching device; 203 - network control module; 204 - port management module; 205 - dual-layer data backup module; 2051 - hardware database A; 2052 - hardware database B; 2053 - VCN gateway; 2054 - relay contact switch;
301 - hardware firewall module; 302 - PIN-code boot dongle; 303 - unidirectional anti-copy module; 304 - network interface management module; 305 - USB interface; 3031 - high-speed microprocessor; 3032 - integrated PCI bus protocol; 3033 - encryption/decryption algorithm FPGA chip; 3034 - cache flash memory.
Specific implementation mode
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
As shown in Fig. 1, the present invention provides a computer network information safety device for teaching, comprising a terminal 1 and a management server 2 connected over TCP/IP. The management server 2 comprises an authentication server 201, a VCN switching device 202, a network control module 203, a port management module 204 and a dual-layer data backup module 205. The terminal 1 performs built-in user login management through the single interface of the USBKey integrated hardware 3, and a hardware firewall module 301 placed at the physical layer is provided in the USBKey integrated hardware 3. The terminal 1 authenticates through the PIN-code boot dongle 302 in the USBKey integrated hardware 3 and at the same time obtains network connection authorization from the authentication server 201 through the PIN-code boot dongle 302. The unidirectional anti-copy module 303 in the USBKey integrated hardware 3 sets the interfaces of the other mobile devices connected to the terminal 1 to no-read-write or read-only status, and the terminal 1 performs network connection management and data transmission through the network interface management module 304 and the USB interface 305 of the USBKey integrated hardware 3.
The VCN switching device 202 in the management server 2 divides the terminals accessing TCP into a virtualized authenticated zone and an unauthenticated zone. The precondition for a terminal 1 to be in the authenticated zone is that the USBKey integrated hardware 3 is inserted and that the PIN code attached to the USBKey integrated hardware 3 generates an access request which is authorized by the authentication server 201; only then does the terminal 1 start application access. At the same time, the PIN-code boot dongle 302 enters the PIN code that uniquely identifies the interface, performing the initial start-up of the computer. The network port of the CPU of terminal 1 is connected through the network interface card 4 to the input of the hardware firewall 301, which is a Eudemon8080 firewall. The Eudemon8080 hardware firewall is installed at the physical layer, in front of the network interface card 4, and effectively prevents various attacks. The DoS attack types it defends against include: SYN flood, ICMP flood, UDP flood, CC attack, IP spoofing, LAND attack, Smurf attack, Fraggle attack, WinNuke, Ping of Death, TearDrop, address scanning, port scanning, IP option control, IP fragment control, TCP flag validity checking, oversized ICMP packet control, ICMP redirect messages, ICMP unreachable messages, TRACERT messages, HTTP GET attack, BGP flood attack, DNS flood attack and so on.
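The paragraph above names the parts of the login gate (a registered USBKey, the PIN-code boot dongle, the authentication server that grants the network connection, and VCN zoning into authenticated and unauthenticated areas) but does not specify the protocol between them. The following is an added example, not code from the patent or its applicant, modelling one plausible realization: the dongle holds a secret that never leaves it, answers a server nonce with an HMAC only after the correct PIN, and locks after repeated wrong PINs. The HMAC challenge-response, the retry limit of three, and every class, field and function name are assumptions for illustration.

```python
# Added example, not from the patent: a model of the two-factor login gate
# (USBKey + PIN) feeding the VCN zoning decision. The protocol, the names and
# the PIN retry limit are assumptions; the patent specifies none of them.
import hashlib
import hmac
import os
from typing import Dict, Optional

PIN_RETRY_LIMIT = 3  # assumed lockout policy, not stated in the patent


class USBKey:
    """Simulated dongle. The shared secret never leaves the object: callers
    only get an HMAC over a server nonce, and only after the PIN unlocked it."""

    def __init__(self, serial: str, secret: bytes, pin: str) -> None:
        self.serial = serial
        self._secret = secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._failed = 0
        self._unlocked = False

    def unlock(self, pin: str) -> bool:
        if self._failed >= PIN_RETRY_LIMIT:
            return False  # locked: even the right PIN is refused now
        presented = hashlib.sha256(pin.encode()).digest()
        if hmac.compare_digest(presented, self._pin_hash):
            self._unlocked, self._failed = True, 0
            return True
        self._failed += 1
        return False

    def respond(self, nonce: bytes) -> Optional[bytes]:
        """Answer a challenge; None while the dongle is still locked."""
        if not self._unlocked:
            return None
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


class AuthServer:
    """Holds the enrolled dongle secrets and records each terminal's zone."""

    def __init__(self) -> None:
        self._enrolled: Dict[str, bytes] = {}
        self.zone: Dict[str, str] = {}

    def enroll(self, serial: str, secret: bytes) -> None:
        self._enrolled[serial] = secret

    def challenge(self) -> bytes:
        return os.urandom(16)  # fresh nonce per login, so a captured reply cannot be replayed

    def verify(self, terminal: str, serial: str, nonce: bytes,
               response: Optional[bytes]) -> str:
        secret = self._enrolled.get(serial)
        ok = (
            secret is not None
            and response is not None
            and hmac.compare_digest(
                hmac.new(secret, nonce, hashlib.sha256).digest(), response)
        )
        self.zone[terminal] = "authenticated" if ok else "unauthenticated"
        return self.zone[terminal]


def login(server: AuthServer, terminal: str, key: USBKey, pin: str) -> str:
    """One login attempt: PIN to the dongle, nonce from the server, HMAC back.
    Returns the zone the VCN switching device would place the terminal in."""
    key.unlock(pin)
    nonce = server.challenge()
    return server.verify(terminal, key.serial, nonce, key.respond(nonce))


if __name__ == "__main__":
    srv = AuthServer()
    secret = os.urandom(32)                 # would be provisioned into the dongle at enrolment
    dongle = USBKey("KEY-0001", secret, "2468")
    srv.enroll(dongle.serial, secret)
    print(login(srv, "pc-01", dongle, "0000"))  # wrong PIN
    print(login(srv, "pc-01", dongle, "2468"))  # right PIN
```

Either factor alone fails: a correct PIN on a dongle the server never enrolled, or an enrolled dongle without its PIN, both land the terminal in the unauthenticated zone, and after three wrong PINs the dongle refuses even the right one.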
The dual-layer data backup module 205 comprises hardware database A 2051 and hardware database B 2052. The management server 2 has direct management authority over hardware database A 2051, while hardware database B 2052 accesses the management server 2 through the VCN gateway 2053, and a relay contact switch 2054 is provided on the connection path between hardware database A 2051 and hardware database B 2052. When the network interface card 4 is connected to the secure network, the relay contact switch 2054 is closed and the content of hardware database A is backed up in real time into hardware database B; read authorization for hardware database B must be given through the VCN gateway, which places hardware database B in the intranet state. When the network interface card 4 or the VCN switching device switches the connection from the secure network state to the internet state, the relay contact switch 2054 opens so that hardware database B is disconnected from hardware database A and backup stops; while the connection between hardware database A and the server is maintained, the VCN gateway 2053 switches hardware database B to the intranet state and at the same time refuses access authorization to terminal 1. This ensures the information security of the database, prevents intrusion by internet viruses and prevents the database content from being damaged.
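The rules in the paragraph above form a small state machine: relay closed and A mirrored into B while on the secure network; relay opened, mirroring stopped, B isolated behind the gateway and terminal access refused once the link switches to the internet. The following is an added example, not code from the patent, that models those rules so the behaviour under an exposure can be checked. Representing a "hardware database" as a dict, and the class, method and state names, are assumptions for illustration.

```python
# Added example, not from the patent: a model of the dual-layer backup rules
# (relay 2054 closed and A mirrored into B on the secure network; relay opened,
# mirroring stopped, B isolated and terminal access refused on the internet).
# Dicts stand in for the hardware databases; all names are assumptions.
from enum import Enum
from typing import Any, Dict, Optional


class Link(Enum):
    SECURE = "secure"      # network card 4 on the secure (intranet) network
    INTERNET = "internet"  # network card or VCN switching device moved to the internet


class DualLayerBackup:
    def __init__(self) -> None:
        self.db_a: Dict[str, Any] = {}  # database A: directly managed by the server
        self.db_b: Dict[str, Any] = {}  # database B: reachable only via the VCN gateway
        self.relay_closed = False       # relay contact switch on the A-B path
        self.terminal_access = False    # is terminal 1 authorized to read B?
        self.link = Link.INTERNET
        self.set_link(Link.SECURE)

    def set_link(self, link: Link) -> None:
        """React to the network card / VCN switching device changing state."""
        self.link = link
        if link is Link.SECURE:
            self.relay_closed = True
            self.terminal_access = True
            self.db_b = dict(self.db_a)   # real-time mirroring resumes with a catch-up copy
        else:
            self.relay_closed = False     # A and B disconnected; backup stops
            self.terminal_access = False  # gateway isolates B; terminal authorization withdrawn

    def server_write(self, key: str, value: Any) -> None:
        """The management server keeps its direct connection to A in every
        state; the write reaches B only while the relay is closed."""
        self.db_a[key] = value
        if self.relay_closed:
            self.db_b[key] = value

    def read_b(self, via_gateway: bool) -> Optional[Dict[str, Any]]:
        """Reads of B must pass the VCN gateway and are refused while isolated.
        Returns a copy of B, or None when access is refused."""
        if not via_gateway or not self.terminal_access:
            return None
        return dict(self.db_b)


def exposure_scenario() -> Dict[str, Dict[str, Any]]:
    """Write on the secure net, switch to the internet, suffer a bad write,
    then report both copies as {'a': ..., 'b': ...}."""
    dev = DualLayerBackup()
    dev.server_write("grades.csv", "v1")         # mirrored: relay closed
    dev.set_link(Link.INTERNET)                  # relay opens, backup stops
    dev.server_write("grades.csv", "corrupted")  # reaches A only
    return {"a": dict(dev.db_a), "b": dict(dev.db_b)}


if __name__ == "__main__":
    print(exposure_scenario())
```

The scenario shows what the relay buys: damage done to A while the link is on the internet never reaches B. It also shows the caveat the patent does not spell out: when the link returns to the secure network the relay closes and A is mirrored into B again, so whatever A accumulated while exposed is copied over. In practice A should be verified (or restored from B) before the relay is allowed to close.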
The unidirectional anti-copy module 303 in the USBKey integrated hardware 3 is composed of a high-speed microprocessor 3031, an integrated PCI bus protocol 3032, an FPGA chip 3033 for the encryption/decryption algorithm and a cache flash memory 3034; the high-speed microprocessor has a three-stage internal pipeline. When the FPGA chip 3033 runs the encryption/decryption algorithm it generates two keys. Two primes p and q of equal size are chosen; the public key consists of the modulus M and the exponent e, where M = p × q and the encryption exponent e is chosen at random such that e is coprime to (p-1)(q-1). The private key d is the decryption exponent and satisfies e × d ≡ 1 mod (p-1)(q-1), i.e. d = e^-1 mod ((p-1)(q-1)). For encryption, the plaintext is divided into blocks X smaller than M (in binary, the block size is the largest power of 2 less than M); the ciphertext consists of blocks C of equal length, computed with the encryption formula C = X^e (mod M). For decryption, each ciphertext block C is taken and the plaintext X is restored with the decryption formula X = C^d (mod M).
The whole algorithm flow is controlled by a built-in state machine while the encryption and decryption are computed: the control module generates the control signals for each module in the corresponding state, including three-stage pipeline control and interrupt control; the cache flash memory 3034 stores the intermediate and final results of the modular multiplication; and finally the data input and output are completed by the network interface module 304 through signal matching with the external integrated PCI bus protocol 3032.
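The two paragraphs above describe textbook RSA with the plaintext cut into fixed-width blocks. The following is an added example, not code from the patent, that carries the description through in working form: key generation from p and q, the block width as the largest power of two below M, and C = X^e mod M / X = C^d mod M per block. The small fixed primes (61 and 53) and the helper names are assumptions for illustration; a real device would use large random primes of equal size.

```python
# Added example, not from the patent: textbook RSA exactly as the description
# states it (M = p*q, e coprime to (p-1)(q-1), d = e^-1 mod (p-1)(q-1),
# C = X^e mod M, X = C^d mod M), with the plaintext split into k-bit blocks
# where 2**k is the largest power of two below M. Primes and names are assumed.
from math import gcd
import random
from typing import List, Optional, Tuple


def keygen(p: int, q: int, seed: Optional[int] = None) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((M, e), (M, d)) for primes p and q; seed fixes the random e."""
    rng = random.Random(seed)
    M = p * q
    phi = (p - 1) * (q - 1)
    while True:
        e = rng.randrange(3, phi)        # random encryption exponent ...
        if gcd(e, phi) == 1:             # ... kept only if coprime to (p-1)(q-1)
            break
    d = pow(e, -1, phi)                  # d = e^-1 mod (p-1)(q-1)   (Python 3.8+)
    return (M, e), (M, d)


def block_bits(M: int) -> int:
    """Block width k: the largest k with 2**k < M, so every k-bit X is below M."""
    k = M.bit_length() - 1
    return k if (1 << k) < M else k - 1


def encrypt(msg: bytes, pub: Tuple[int, int]) -> Tuple[List[int], int]:
    """Split msg into k-bit blocks X and return ([X^e mod M, ...], len(msg))."""
    M, e = pub
    k = block_bits(M)
    mask = (1 << k) - 1
    n = int.from_bytes(msg, "big")
    nblocks = -(-(len(msg) * 8) // k)    # ceil(bits / k)
    blocks = [(n >> (i * k)) & mask for i in range(nblocks)]
    return [pow(X, e, M) for X in blocks], len(msg)


def decrypt(cipher: List[int], length: int, priv: Tuple[int, int]) -> bytes:
    """Recover X = C^d mod M for every block and reassemble the bytes."""
    M, d = priv
    k = block_bits(M)
    n = 0
    for i, C in enumerate(cipher):
        n |= pow(C, d, M) << (i * k)
    return n.to_bytes(length, "big")


if __name__ == "__main__":
    pub, priv = keygen(61, 53, seed=7)
    c, ln = encrypt(b"USBKey", pub)
    print(pub, c, decrypt(c, ln, priv))
```

Two points a practitioner should take from running it. The block scheme as described carries no padding and no randomness, so the same plaintext block always yields the same ciphertext block and blocks can be reordered or substituted without detection; any real use of the module would need a padding scheme (for example OAEP) and an integrity check, neither of which the description mentions. And the modular inverse and modular exponentiation are exactly the operations the text assigns to the FPGA and the cache flash memory for intermediate results.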
It is obvious to a person skilled in the art that the invention is not limited to the details of the above exemplary embodiments, and that the invention can be realized in other specific forms without departing from its spirit or essential attributes. Therefore, from whatever point of view, the embodiments are to be regarded as illustrative and not restrictive, and the scope of the invention is defined by the appended claims rather than by the above description; all changes falling within the meaning and range of equivalents of the claims are intended to be included in the invention. Any reference signs in the claims should not be construed as limiting the claims concerned.

Claims (4)

1. A computer network information safety device for teaching, characterized in that it comprises a terminal (1) and a management server (2) connected over TCP/IP, the management server (2) comprising an authentication server (201), a VCN switching device (202), a network control module (203), a port management module (204) and a dual-layer data backup module (205); the terminal (1) performs built-in user login management through the single interface of a USBKey integrated hardware (3), and a hardware firewall module (301) placed at the physical layer is provided in the USBKey integrated hardware (3); the terminal (1) authenticates through the PIN-code boot dongle (302) in the USBKey integrated hardware (3) and at the same time obtains network connection authorization from the authentication server (201) through the PIN-code boot dongle (302); the unidirectional anti-copy module (303) in the USBKey integrated hardware (3) sets the interfaces of the other mobile devices connected to the terminal (1) to no-read-write or read-only status; and the terminal (1) performs network connection management and data transmission through the network interface management module (304) and the USB interface (305) of the USBKey integrated hardware (3).
2. The computer network information safety device for teaching according to claim 1, characterized in that the dual-layer data backup module (205) comprises a hardware database A (2051) and a hardware database B (2052), the management server (2) has direct management authority over hardware database A (2051), hardware database B (2052) accesses the management server (2) through a VCN gateway (2053), and a relay contact switch (2054) is provided on the connection path between hardware database A (2051) and hardware database B (2052).
3. The computer network information safety device for teaching according to claim 1, characterized in that the unidirectional anti-copy module (303) in the USBKey integrated hardware (3) is composed of a high-speed microprocessor (3031), an integrated PCI bus protocol (3032), an FPGA chip (3033) for the encryption/decryption algorithm and a cache flash memory (3034), the high-speed microprocessor having a three-stage internal pipeline.
4. The computer network information safety device for teaching according to claim 1, characterized in that the network port of the CPU of the terminal (1) is connected through a network interface card (4) to the input of the hardware firewall (301), the hardware firewall (301) being a Eudemon8080 firewall.

Priority Applications (1)

Application Number   Granted As          Priority Date   Filing Date   Title
CN201711462099.7A    CN108460267B (en)   2017-12-28      2017-12-28    Computer network information safety device for teaching

Publications (2)

Publication Number   Publication Date
CN108460267A (en)    2018-08-28
CN108460267B (en)    2020-04-17

Family

ID: 63220407

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080320589A1 (en) * 2007-06-22 2008-12-25 Xavier Gonzalez Securing system and method using a security device
CN101964709A (en) * 2010-09-02 2011-02-02 浪潮齐鲁软件产业有限公司 USB KEY for independently transmitting information through 3G module
CN202077041U (en) * 2011-05-12 2011-12-14 郑州信大捷安信息技术股份有限公司 Trusted system based on USB (Universal Serial Bus) secure storage encryption card
CN103116720A (en) * 2011-11-16 2013-05-22 航天信息股份有限公司 Universal serial bus (USB) Key device and account management method and authentication application method thereof
CN204695314U (en) * 2015-06-11 2015-10-07 包头轻工职业技术学院 A kind of computer information safe device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王俊: "A preliminary study of a computer hardware access control and start-up management solution based on USBKey identity authentication technology", 《技术天地》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110955878A (en) * 2019-11-29 2020-04-03 临沂大学 Industrial computer information safety processing device
CN110955878B (en) * 2019-11-29 2023-05-02 临沂大学 Industrial computer information safety processing device

Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
GR01   Patent grant