CN109684866A - A kind of safe USB disk system for supporting multi-user data to protect - Google Patents

Info

Publication number: CN109684866A
Authority: CN (China)
Application number: CN201811372902.2A
Other languages: Chinese (zh)
Other versions: CN109684866B (en)
Inventors: 赵慧, 邓硕, 张宏扬
Current assignee: Beijing Institute of Computer Technology and Applications
Original assignee: Beijing Institute of Computer Technology and Applications
Legal status: Granted (active)
Prior art keywords: user, data, host computer, log, USB disk
Application filed by Beijing Institute of Computer Technology and Applications; priority to CN201811372902.2A; publication of CN109684866A; application granted; publication of CN109684866B.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules, to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G06F21/79 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00 Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06 Record carriers for use with machines and with at least a part designed to carry digital markings, characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/067 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards, also with resonating or responding marks without active components
    • G06K19/07 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards, also with resonating or responding marks without active components, with integrated circuit chips
    • G06K19/077 Constructional details, e.g. mounting of circuits in the carrier
    • G06K19/0772 Physical layout of the record carrier
    • G06K19/07732 Physical layout of the record carrier, the record carrier having a housing or construction similar to well-known portable memory devices, such as SD cards, USB or memory sticks

Abstract

The present invention relates to a secure USB disk system that supports multi-user data protection. It comprises a host computer execution subsystem and an embedded execution subsystem. The host computer execution subsystem includes a status monitor, a login window, a log manager, a user manager, a destruction control switch, a file operator, a log generator, an operating-right filter, a dedicated file system and a SCSI protocol generator; its executable program is stored in the program area of the secure USB disk. The embedded execution subsystem includes a SCSI protocol resolver, login authentication, a status responder, a login lock, destruction control, user management, a fast memory accessor, audit management, a hardware encryption engine, a user information database, a key store, a program area, a data area and a log area; its executable object code is solidified in the main control chip inside the secure USB disk. The invention meets the application need of multiple users within a unit or department sharing one USB disk while keeping their data mutually confidential.

Description

A secure USB disk system supporting multi-user data protection
Technical field
The present invention relates to a secure USB disk, and in particular to a USB disk that protects the security of each user's private data in a multi-user shared environment.
Background art
The secure USB disk uses a variety of security strategies, such as login authentication, user access control and encrypted data storage, to ensure that data remains secure and confidential between different users. It is primarily suited to scenarios where multiple users within a unit or department share one USB disk and the data of different users must be kept mutually confidential.
With the popularization of computers, mobile storage media have become an indispensable tool for exchanging information in people's daily work. However, the spread of Trojans and viruses during their cross-use, and the information leakage caused by lost USB disks, have become security problems of growing concern. To address the security problems of ordinary USB disks, equipment manufacturers have released a number of secure USB disks in recent years. In summary, their security techniques fall into the following categories: 1) an encryption chip integrated inside the USB disk provides transparent encryption and decryption of the data stored on it; 2) dedicated software supplied with the USB disk is the only way to access it; 3) a user login authentication mechanism allows only legitimate users to use the USB disk; 4) a write-protect switch on the USB disk housing physically keeps the disk read-only. These techniques prevent the injection of malware such as Trojans and viruses, implement full-disk encryption of the data inside the USB disk, and avoid information leakage after the disk is lost, but they cannot protect the private data of the different users who share the same USB disk.
With the appearance of secure USB disk products, patent applications for intellectual property protection have also been filed one after another. For example, the patent application "Safety encryption U disk" by Zhenhua Junke Intelligent Technology Co., Ltd. (patent No. CN201710633311.5, filing date: July 28, 2017) describes a secure encrypted USB disk that encrypts the disk by means of a fingerprint recognizer and a fingerprint identification module; its identity authentication mechanism ensures that only legitimate users can use the disk and greatly improves its security. As another example, the patent application "An integrated U disk" by Guangdong Hongdu Information Technology Co., Ltd. (patent No. CN201520394573.7, publication No. CN204667884U, filing date: June 9, 2015) proposes a secure and convenient integrated USB disk that integrates a main controller, a fingerprint identification module and memory inside the disk and provides matching host computer and lower computer execution modules; the secure disk is accessed through dedicated software, which prevents the injection of malware such as Trojans and viruses. However, these secure USB disks cannot meet the application demand of sharing one disk between multiple users while keeping the data of different users mutually confidential.
Summary of the invention
The purpose of the present invention is to provide a secure USB disk system that supports multi-user data protection, so as to solve the above problems of the prior art.
The secure USB disk system supporting multi-user data protection of the present invention comprises a host computer execution subsystem and an embedded execution subsystem. The host computer execution subsystem is divided into three layers: a user operation layer, a security control layer and a bottom driver layer. The user operation layer includes a login window, a log manager, a user manager, a destruction control switch and a file operator, and provides the user with operation and viewing windows in the form of a graphical interface. The security control layer includes a log generator, an operating-right filter, a dedicated file system and a SCSI protocol generator, and provides a unified API for the user operation layer. The bottom driver layer uses the system's generic USB mass storage driver to communicate with the secure USB disk. The off-chip main storage area is divided into a program area, a data area and a log area. The embedded execution subsystem includes a SCSI protocol resolver, login authentication, a status responder, a login lock, destruction control, user management, a fast memory accessor, audit management, a hardware encryption engine, a user information database, a key store, a program area, a data area and a log area.
Loading and running the host computer execution subsystem: after the secure USB disk is connected to the host, the host automatically recognizes the USB disk device and displays the program area; the program area holds the executable program of the host computer execution subsystem.
User login: the user enters a user name and password through the login window; the SCSI protocol generator constructs a communication message and sends it to the login authentication module in the embedded execution subsystem. The login authentication module calls the relevant algorithm, completes the authentication against the user information in the user information database, and returns the authentication result. If authentication passes, the host computer and the embedded end each unlock their respective login lock: on the host computer end the user manager, destruction control switch and file operator are unlocked; on the embedded end the destruction control, user management and fast accessor are unlocked, and the attribute of the data area is changed to a readable and writable state so that it becomes visible on the host side. If the currently logged-in user is an administrator, the log manager is also unlocked on the host computer end; the update function of the log area in the audit management module of the embedded end is in an operable state, while its query and deletion functions are effective only in the administrator login state. If authentication fails, the respective login locks of the host computer and the embedded end remain locked, and the functional state of the execution system is the same as when not logged in.
The user manager of the host computer cooperates with the user management module and the fast memory accessor of the embedded end to complete the configuration of user information. Adding a user: the host computer initiates a user-add request through the user manager; the fast memory accessor and user management module of the embedded end respond to the request, create the new user's private folder, allocate a data encryption storage key for the new user, save the new user information item in the user information database and return the request processing result. Deleting a user: the user information item of the designated user is looked up in the user information database; the user's private folder is deleted from the data area according to the private folder path in the user information item; the designated key is deleted from the key store according to the key index in the user information item; and the corresponding user information item is deleted from the user information database. Querying user information: the corresponding user information is queried from the user information database according to user type and user name and fed back to the host computer. Unlocking a user: the corresponding user information item is looked up in the user information database according to user type and user name, and the initial login password and locking state in that user information item are then reset. Shared user configuration of their own information: after a shared user logs in, the user manager provides the functions of querying and updating user information; the user manager of the host computer cooperates with the user management module of the embedded end to query and update the user information.
Protection of data between different users: the operating-right filter, the dedicated file system, the SCSI protocol generator, the SCSI protocol resolver and the hardware encryption engine together protect the private data between different users. Operating-right filtering: every file operation request from the file operator passes through the operating-right filter, which judges whether to intercept the request; based on the private folder path of the currently logged-in user, the filter allows only file operation requests for sub-folders and files within that private folder to pass. Encrypted data storage: after the user logs in successfully, the execution subsystem of the embedded end turns on the data encryption and decryption function and loads the encryption key of the currently logged-in user from the key store; when data enters or leaves the external memory area, the hardware encryption engine is called to encrypt or decrypt the data with the current user's encryption key. Through the destruction control switch in the host computer execution subsystem, the information in the user information database and the key store can be quickly destroyed.
In one embodiment of the secure USB disk system supporting multi-user data protection according to the present invention, the hardware comprises a main control chip and a flash storage chip; the main control chip provides a USB 3.0 interface externally and integrates a microprocessor, non-volatile memory and a hardware encryption engine internally. The software comprises the host computer execution subsystem and the embedded execution subsystem, and the host computer execution subsystem is divided into a user operation layer, a security control layer and a bottom driver layer.
In one embodiment of the secure USB disk system supporting multi-user data protection according to the present invention, the non-volatile main storage area is divided into three partitions: a program area, a data area and a log area. The program area uses the ISO 9660 file format and cannot be tampered with on the host side. The data area stores the users' data files in a custom file system format; before a user logs in, or when login fails, the data area is read-protected and invisible to the user. The log area is a hidden partition, invisible to users; an administrator can query and delete logs through the log manager in the host computer execution subsystem.
In one embodiment of the secure USB disk system supporting multi-user data protection according to the present invention, the non-volatile storage area comprises two regions, the on-chip storage area inside the main control chip and the off-chip main storage area; user information and key data are stored in the on-chip storage area.
In one embodiment of the secure USB disk system supporting multi-user data protection according to the present invention, the embedded execution subsystem sets a maximum allowed number of login authentication failures; when a user's number of failed logins exceeds the maximum allowed number, the user's access right is locked and must be unlocked by an administrator.
In one embodiment of the secure USB disk system supporting multi-user data protection according to the present invention, the configuration of shared user information comprises setting up shared users. Shared user information includes user type, user name, login password, number of login failures, locking state, key index and private folder path. Configuration of user information is divided into two classes according to the type of the logged-in user: one is a shared user's query and modification of their own information; the other is an administrator's addition, query, update, deletion and unlocking of shared user information.
In one embodiment of the secure USB disk system supporting multi-user data protection according to the present invention, the key data in the key store is the only record of the keys.
In one embodiment of the secure USB disk system supporting multi-user data protection according to the present invention, audit management is included: log information is recorded in a hidden partition to ensure the access security of the log information, and the host computer execution subsystem provides the administrator with an operation entry for querying and deleting logs.
In one embodiment of the secure USB disk system supporting multi-user data protection according to the present invention, custom SCSI commands are included: custom SCSI commands are used for both custom USB disk configuration requests and file read/write access requests.
In one embodiment of the secure USB disk system supporting multi-user data protection according to the present invention, the file storage mode in the data area uses a custom file system.
Brief description of the drawings
Fig. 1 is a schematic diagram of the secure USB disk system supporting multi-user data protection.
Detailed description of embodiments
To make the purpose, content and advantages of the present invention clearer, the specific embodiments of the present invention are described in further detail below with reference to the accompanying drawings and examples.
Fig. 1 is a schematic diagram of the secure USB disk system supporting multi-user data protection. As shown in Fig. 1, the secure USB disk system supporting multi-user data protection of the present invention consists of software and hardware. The hardware comprises a main control chip and a flash storage chip; the main control chip provides a USB 3.0 interface externally and integrates a microprocessor, non-volatile memory and a hardware encryption engine internally. The software comprises the host computer execution subsystem and the embedded execution subsystem.
As shown in Figure 1, the host computer execution subsystem can be divided into three layers according to its position in the operating system: a user operation layer, a security control layer and a bottom driver layer. First, the user operation layer includes the status monitor 1, login window 2, log manager 4, user manager 5, destruction control switch 6 and file operator 7, and provides the user with operation and viewing windows in the form of a graphical interface. Second, the security control layer includes the log generator 8, operating-right filter 9, dedicated file system 10 and SCSI protocol generator 11, which exist in the form of a library and provide a unified API for the user operation layer. Finally, the bottom driver layer uses the generic USB mass storage driver that comes with the system to communicate with the secure USB disk. The executable program of the host computer execution subsystem is stored in the program area 23 of the secure USB disk and presented in the form of an optical disc, so no additional accompanying driver disc is needed, which makes the USB disk convenient to use.
As shown in Figure 1, the embedded execution subsystem includes the SCSI protocol resolver 12, login authentication 13, status responder 14, login lock 15, destruction control 16, user management 17, fast memory accessor 18, audit management 19, hardware encryption engine 20, user information database 21, key store 22, program area 23, data area 24 and log area 25; its executable object code is solidified in the main control chip inside the secure USB disk.
As shown in Figure 1, the non-volatile storage area of the secure USB disk comprises two regions: the on-chip storage area inside the main control chip and the off-chip main storage area. Sensitive information such as user information and key data is stored in the on-chip storage area, where it is not exposed to the threat of physical disassembly and theft, which protects the sensitive information. The off-chip main storage area is divided into three partitions: program area 23, data area 24 and log area 25. The program area 23 uses the ISO 9660 file format, is presented in the form of an optical disc, and cannot be tampered with on the host side. The data area 24 stores the users' data files in a custom file system format, which prevents an illegal user from accessing the data in the USB disk with software other than the host computer execution subsystem; in addition, before a user logs in or when login fails, the data area is read-protected and invisible to the user, which protects the whole partition. The log area is a hidden partition, invisible to users; an administrator can query and delete logs through the log manager 4 in the host computer execution subsystem.
As shown in Figure 1, the configuration and use of the secure USB disk of the present invention proceed as follows:
Loading and running the host computer execution subsystem:
After the secure USB disk is connected to the host, the host automatically recognizes the USB disk device but displays only the program area 23. Opening the program area 23 reveals the executable program of the host computer execution subsystem; running it pops up the user operation interface, in which at this time only the status monitor 1 and the login window 2 are displayed and operable, while everything else is shown in gray and cannot be operated.
User login:
The user enters the user name and password through the login window 2 in the user interface; the SCSI protocol generator constructs a communication message and sends it to the login authentication module 13 in the embedded execution subsystem. The login authentication module 13 calls the relevant algorithm, completes the authentication against the user information in the user information database 21, and returns the authentication result.
If authentication passes, the host computer and the embedded end unlock login locks 3 and 15 respectively. At the same time, the user manager 5, destruction control switch 6 and file operator 7 are unlocked on the host computer end, and the destruction control 16, user management 17 and fast accessor 18 are unlocked on the embedded end; the attribute of the data area is changed to a readable and writable state so that it becomes visible on the host side and the logged-in user can access the data files in the data area. If the currently logged-in user is an administrator, the log manager 4 is also unlocked on the host computer end. The update function of the log area 25 of the audit management module 19 on the embedded end is always in an operable state, so as to capture all security events during operation of the secure USB disk, but its query and deletion functions are effective only in the administrator login state.
If authentication fails, login locks 3 and 15 of the host computer and the embedded end remain locked, and the functional state of the execution system is the same as when not logged in.
To prevent an illegal user from trying passwords without limit, the embedded execution subsystem sets a maximum allowed number of login authentication failures. When a user's number of failed logins exceeds the maximum allowed number, the user's right to use the secure USB disk is locked and must be unlocked by an administrator.
Configuration of shared user information:
To support multi-user sharing of the secure USB disk, shared users need to be set up. Shared user information includes user type, user name, login password, number of login failures, locking state, key index and private folder path. Configuration of user information is divided into two classes according to the type of the logged-in user: one is a shared user's query and modification of their own information; the other is an administrator's addition, query, update, deletion and unlocking of shared user information.
Administrator configuration of shared user information:
After the administrator logs in, the visible user manager 5 has functions such as adding a user, deleting a user, unlocking a user and querying user information. At this time the user manager 5 of the host computer cooperates with the user management module 17 and the fast memory accessor 18 of the embedded end to complete the configuration of user information.
Adding a user:
The host computer initiates a user-add request through the user manager 5; the fast memory accessor 18 and user management module 17 of the embedded end respond to the request, create the new user's private folder, allocate a data encryption storage key for the new user, save the new user information item in the user information database, and return the request processing result.
Deleting a user:
Deleting a user is the reverse of adding one. The user information item of the designated user is looked up in the user information database 21; the user's private folder is deleted from the data area according to the private folder path in the user information item; the designated key is deleted from the key store 22 according to the key index in the user information item; and the corresponding user information item is deleted from the user information database 21.
Querying user information:
The corresponding user information is queried from the user information database according to user type and user name and fed back to the host computer.
Unlocking a user:
First, the corresponding user information item is looked up in the user information database 21 according to user type and user name; then the initial login password and the locking state in that user information item are reset.
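The login lock with a maximum number of failures, the administrator's add, delete and unlock operations, and the user information item fields described above, modelled as an added example (not code from the patent or its assignee). It assumes a maximum of 3 failures, an in-memory dictionary standing in for the user information database and key store, "/users/<name>" as the private folder path, and passwords stored as salted PBKDF2 hashes rather than in clear; the patent specifies none of these details.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

MAX_LOGIN_FAILURES = 3   # assumed value; the patent only says a maximum is configured


@dataclass
class UserInfoItem:
    """One user information item with the fields the patent lists."""
    user_type: str           # "admin" or "shared"
    user_name: str
    password_salt: bytes     # assumption: login password stored salted and hashed
    password_hash: bytes
    login_failures: int = 0
    locked: bool = False
    key_index: int = -1      # index of this user's data encryption key in the key store
    private_folder: str = ""


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class EmbeddedUserManagement:
    """Model of the embedded end: user information database, key store and login lock."""

    def __init__(self, admin_name: str, admin_password: str) -> None:
        self.users: Dict[Tuple[str, str], UserInfoItem] = {}
        self.key_store: Dict[int, bytes] = {}   # keys generated here and never exported
        self.private_folders: Set[str] = set()  # stand-in for private folders in the data area
        self._next_key_index = 0
        self.current_user: Optional[UserInfoItem] = None
        self._create("admin", admin_name, admin_password)   # bootstrap administrator

    def _create(self, user_type: str, user_name: str, password: str) -> UserInfoItem:
        key_index, self._next_key_index = self._next_key_index, self._next_key_index + 1
        self.key_store[key_index] = os.urandom(32)          # per-user data encryption key
        folder = "/users/" + user_name                      # private folder path (assumed layout)
        self.private_folders.add(folder)
        salt = os.urandom(16)
        item = UserInfoItem(user_type, user_name, salt, _hash_password(password, salt),
                            key_index=key_index, private_folder=folder)
        self.users[(user_type, user_name)] = item
        return item

    def _admin_logged_in(self) -> bool:
        return self.current_user is not None and self.current_user.user_type == "admin"

    def authenticate(self, user_type: str, user_name: str, password: str) -> bool:
        """Login authentication: constant-time compare, failure counter, lock on excess."""
        item = self.users.get((user_type, user_name))
        if item is None or item.locked:
            return False                     # unknown or locked users are refused outright
        if hmac.compare_digest(_hash_password(password, item.password_salt), item.password_hash):
            item.login_failures = 0
            self.current_user = item         # login lock released for this user
            return True
        item.login_failures += 1
        if item.login_failures > MAX_LOGIN_FAILURES:
            item.locked = True               # stays locked until an administrator unlocks
        return False

    def logout(self) -> None:
        self.current_user = None

    def add_user(self, user_name: str, initial_password: str) -> bool:
        if not self._admin_logged_in() or ("shared", user_name) in self.users:
            return False
        self._create("shared", user_name, initial_password)
        return True

    def delete_user(self, user_name: str) -> bool:
        item = self.users.get(("shared", user_name))
        if not self._admin_logged_in() or item is None:
            return False
        self.private_folders.discard(item.private_folder)   # private folder leaves the data area
        self.key_store.pop(item.key_index, None)             # key leaves the key store
        del self.users[("shared", user_name)]
        return True

    def unlock_user(self, user_name: str, initial_password: str) -> bool:
        item = self.users.get(("shared", user_name))
        if not self._admin_logged_in() or item is None:
            return False
        item.password_salt = os.urandom(16)                  # reset initial login password
        item.password_hash = _hash_password(initial_password, item.password_salt)
        item.locked = False                                  # reset locking state
        item.login_failures = 0
        return True

    def destroy(self) -> None:
        """Emergency destruction: wipe user records and keys; data files stay but are undecryptable."""
        self.users.clear()
        self.key_store.clear()
        self.current_user = None
```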
Shared user configuration of their own information:
After a shared user logs in, the user manager 5 has the functions of querying and updating user information. At this time the user manager 5 of the host computer cooperates with the user management module 17 of the embedded end to query and update the user information. In the update function, a shared user may update the login password of their own account.
Protection of data between different users:
The secure USB disk protects the private data between different users through the operating-right filter 9, dedicated file system 10, SCSI protocol generator 11, SCSI protocol resolver 12 and hardware encryption engine 20.
Operating-right filtering:
The operating-right filter 9 serves as the first-layer filter and filters request packets according to user name. Every file operation request from the file operator 7 passes through the operating-right filter 9, which judges whether to intercept the request. Based on the private folder path of the currently logged-in user, the operating-right filter 9 allows only file operation requests for sub-folders and files within that private folder to pass, which prevents access to other users' files at the user layer.
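An added example (not code from the patent) of the private-folder check the operating-right filter performs. It assumes POSIX-style absolute paths inside the data area and a private folder path such as "/users/alice" taken from the user information item; it goes slightly beyond the text by normalising ".." segments and Windows separators, since a filter that compared raw strings would let "/users/alice/../bob" or the sibling prefix "/users/alice2" through.

```python
import posixpath
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class UserInfoItem:
    user_type: str           # "admin" or "shared"
    user_name: str
    private_folder: str      # private folder path from the user information item


class OperatingRightFilter:
    """First-layer filter: a file operation request passes only if its target lies
    inside the private folder of the currently logged-in user."""

    def __init__(self, current_user: Optional[UserInfoItem] = None) -> None:
        self.current_user = current_user

    def login(self, user: UserInfoItem) -> None:
        self.current_user = user

    def logout(self) -> None:
        self.current_user = None

    @staticmethod
    def _canonical(path: str) -> Optional[str]:
        """Normalise a data-area path before comparison; None means it can never pass."""
        if "\x00" in path:
            return None
        path = path.replace("\\", "/")          # host may send Windows-style separators
        if not path.startswith("/"):
            return None                         # only absolute data-area paths are accepted
        # Collapse "." and ".." so "/users/alice/../bob/x" is compared as "/users/bob/x".
        return posixpath.normpath(path)

    def allows(self, requested_path: str) -> bool:
        if self.current_user is None:
            return False                        # not logged in: data area is invisible
        root = self._canonical(self.current_user.private_folder)
        target = self._canonical(requested_path)
        if root is None or target is None:
            return False
        # The folder itself, or a strict descendant. Comparing with a trailing "/"
        # stops "/users/alice2" from being treated as a child of "/users/alice".
        return target == root or target.startswith(root.rstrip("/") + "/")

    def filter_requests(self, requests: Iterable[str]) -> Tuple[List[str], List[str]]:
        """Split a batch of file operation requests into (passed, intercepted)."""
        passed: List[str] = []
        intercepted: List[str] = []
        for path in requests:
            (passed if self.allows(path) else intercepted).append(path)
        return passed, intercepted
```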
Dedicated file system includes:
For the safety for guaranteeing file data in data field 24 in safe USB disk, to the document storage mode in data field 24 Using customized file system, it is ensured that user can only be by host computer executive subsystem access safety flash disk data field Data file avoids the risk that the Malwares such as virus, wooden horse steal data file.
Customized scsi command includes:
The mode that safe USB disk supports standard SCSI command to combine with customized scsi command, for customized excellent Disk configuring request and file read-write access request, are all made of customized scsi command, avoid passing through the included money of operating system Source manager access safety flash disk, further protects the safety of data in data field.
The encryption storage of data includes:
Hard algorithm for encryption device 20 is integrated in the main control chip of safe USB disk, is directly communicated with nand Flash controller. After user logins successfully, the executive subsystem turn-on data encryption and decryption functions of embedded end, and load and work as from cipher key store 22 The encryption key of preceding login user;Data can call hard algorithm for encryption device 20 to be used with current automatically when passing in and out external memory area The encryption key at family carries out encryption and decryption to data, on the one hand greatly improves data encrypting and deciphering using hard algorithm for encryption device 20 Speed, data safety when external memory physics being protected to toll breakdown;On the other hand each user encryption key difference, protection The privacy of data between different user.
It promptly destroys and includes:
To guarantee that safe USB disk in case of emergency do not reveal by user data information, can promptly be destroyed, Yong Huke By the destruction control switch 6 in host computer executive subsystem, the letter in user information database 21 and cipher key store 22 is quickly destroyed Breath.Subscriber data file is maintained in data field 24, and 24 memory capacity of data field is big, and that in case of emergency all destroys can Energy property is smaller.It is saved in view of 24 data of data field are all made of encryption storage mode, encryption key is inside main control chip It generates and remains stored in inside main control chip, do not support the export of key data, therefore the key data in cipher key store 22 is Unique record, being destroyed will lead to subscriber data file and can not crack, and protect the safety of information.
Fast data access includes:
The secure USB disk provides two access modes, FTL_IO and NON_FTL_IO. SCSI Read/Write commands for file read/write use the FTL_IO mode; all other SCSI commands and the custom private commands use the NON_FTL_IO mode. FTL_IO mode supports direct DMA transfer between the USB endpoint and the NAND flash controller. When the USB endpoint receives data and the SCSI protocol parser 12 determines that the command is a SCSI Read/Write command, the FTL_IO mode is invoked directly to pass the access request to the flash controller. This avoids a second copy of the data and software forwarding by the main control chip's microprocessor while processing received packets, speeds up access to flash data, and increases the data throughput of the USB interface.
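The command dispatch of this passage and of the custom SCSI command passage above, modelled as an added Python example (not the patent's firmware). The READ(10)/WRITE(10) opcodes and CDB layout are the standard SCSI values; the vendor-specific opcode values for login and configuration, the LBA at which the data area starts, and the refusal of data-area block access before login are assumptions, since the patent states none of them.

```python
"""Dispatch of SCSI CDBs between the FTL_IO and NON_FTL_IO paths.
Added illustration, not the patent's firmware: READ(10)/WRITE(10) opcodes and
CDB layout are standard SCSI; the vendor opcodes, the data-area LBA and the
pre-login rejection are assumptions made for this example."""
import struct

READ_10, WRITE_10 = 0x28, 0x2A                 # standard SCSI block commands
VENDOR_LOGIN, VENDOR_CONFIG = 0xC1, 0xC2       # assumed private opcodes
FTL_IO, NON_FTL_IO = "FTL_IO", "NON_FTL_IO"
DATA_AREA_START_LBA = 0x10000                  # assumed: program area lies below it


def parse_rw10(cdb: bytes):
    """READ(10)/WRITE(10): LBA in bytes 2..5, transfer length in bytes 7..8,
    both big-endian per the SCSI block command set."""
    if len(cdb) != 10:
        raise ValueError("READ(10)/WRITE(10) CDB must be 10 bytes")
    return struct.unpack(">I", cdb[2:6])[0], struct.unpack(">H", cdb[7:9])[0]


def build_rw10(opcode: int, lba: int, blocks: int) -> bytes:
    """Host side (the SCSI protocol generator's role): assemble a 10-byte CDB."""
    return (bytes([opcode, 0]) + struct.pack(">I", lba) + b"\x00"
            + struct.pack(">H", blocks) + b"\x00")


def dispatch(cdb: bytes, logged_in: bool):
    """Return (path, detail) for one CDB, as the SCSI protocol parser would.

    File READ/WRITE go to the flash controller over FTL_IO (direct DMA, no
    second copy through the microprocessor).  Every other command, including
    the vendor-specific private commands, takes NON_FTL_IO where the firmware
    handlers run.  Block access reaching the data area is refused until a user
    is logged in, because the data area is read-protected before login; the
    program area (the ISO 9660 image with the host program) stays readable."""
    if not cdb:
        raise ValueError("empty CDB")
    opcode = cdb[0]
    if opcode in (READ_10, WRITE_10):
        lba, blocks = parse_rw10(cdb)
        if not logged_in and lba + blocks > DATA_AREA_START_LBA:
            return NON_FTL_IO, ("REJECT", lba, blocks)
        return FTL_IO, ("READ" if opcode == READ_10 else "WRITE", lba, blocks)
    if 0xC0 <= opcode <= 0xFF:                 # SCSI vendor-specific opcode range
        name = {VENDOR_LOGIN: "LOGIN", VENDOR_CONFIG: "CONFIG"}.get(opcode, "PRIVATE")
        return NON_FTL_IO, (name, bytes(cdb[1:]))
    return NON_FTL_IO, ("STANDARD", opcode)    # INQUIRY, TEST UNIT READY, ...
```

The check worth keeping in mind is the one on the fast path: because FTL_IO bypasses the microprocessor, the login-state gate on the data area must be applied by the parser before the request is handed to DMA, as done here, or the speed-up would also bypass the access control.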
Security audit management includes:
The secure USB disk provides an audit function that records log information in a hidden partition, ensuring that access to the log information is secure. The host computer execution subsystem also provides the administrator with operation entries for querying and deleting logs, making it convenient for the administrator to control the usage history of the secure USB disk.
The present invention allows multiple users within a unit or department to share one USB disk.
The above is only a preferred embodiment of the present invention. It should be noted that a person of ordinary skill in the art may make several improvements and modifications without departing from the technical principles of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A secure USB disk system supporting multi-user data protection, characterized by comprising: a host computer execution subsystem and an embedded execution subsystem;
the host computer execution subsystem is divided into three layers: a user operation layer, a security control layer and a bottom driver layer;
the user operation layer comprises: a login window, a log manager, a user manager, a destruction control switch and a file operator, which provide operation and viewing windows for the user in the form of a graphical interface;
the security control layer comprises: a log generator, an operating permission filter, a dedicated file system and a SCSI protocol generator, and provides a unified API interface for the user operation layer;
the bottom driver layer uses the system's universal USB storage device driver to implement data communication with the secure USB disk;
the off-chip main storage area is divided into a program area, a data area and a log area;
the embedded execution subsystem comprises: a SCSI protocol parser, login authentication, a state responder, a login lock, destruction control, user management, a fast memory accessor, audit management, a hardware cryptographic engine, a user information store, a key store, the program area, the data area and the log area;
loading and running the host computer execution subsystem comprises: after the secure USB disk is connected to the host, the host end automatically identifies the USB disk device and displays the program area; the program area holds the executable program of the host computer execution system;
user login comprises: entering a user name and password through the login window, constructing a communication message through the SCSI protocol generator and sending it to the login authentication module in the embedded execution subsystem; the login authentication module invokes an algorithm, completes the authentication work in conjunction with the user information in the user information store, and returns the authentication result;
if authentication passes, the host computer and the embedded end each unlock their respective login lock: at the host computer end the user manager, destruction control switch and file operator are unlocked; at the embedded end the destruction control, user management and fast memory accessor are unlocked, and the attribute of the data area is modified to a readable/writable state so that it becomes visible at the host end; if the currently logged-in user is an administrator, the log manager is also unlocked at the host computer end, the update function of the log area in the audit management module of the embedded end is placed in an operable state, and the query and delete functions are effective in the administrator login state;
if authentication fails, the respective login locks of the host computer and the embedded end remain in the locked state, and the functional state of the system is the same as when not logged in;
the user manager of the host computer cooperates with the user management module and the fast memory accessor of the embedded end to jointly complete user information configuration tasks;
the host computer initiates a user-add request through the user manager; the fast memory accessor and user management module of the embedded end respond to the request, complete the creation of the new user's private folder, allocate a data encryption storage key for the new user, save a new user information item in the user information store, and return the request processing result;
deleting a user comprises: looking up the user information item of the designated user in the user information store; deleting that user's private folder from the data area according to the private folder path in the user information item; deleting the specified key from the key store according to the key index in the user information item; and deleting the corresponding user information item from the user information store;
querying user information comprises: querying the corresponding user information from the user information store according to user type and user name, and feeding it back to the host computer;
unlocking a user comprises: looking up the corresponding user information item in the user information store according to user type and user name, then resetting the initial login password and the lock state in that user information item;
a shared user comprises: after a shared user logs in, for the configuration of the user's own information, the user manager has the functions of querying and updating user information; the user manager of the host computer and the user management module of the embedded end cooperate to query and update the user information;
data protection between different users comprises: protecting private data between different users by means of the permission filter, the dedicated file system, the SCSI protocol generator, the SCSI protocol parser and the hardware cryptographic engine;
operating permission filtering comprises: all file operation requests of the file operator pass through the operating permission filter, which judges whether the request is to be intercepted; according to the private folder path of the currently logged-in user, the operating permission filter allows only operation requests on sub-folders and files within that private folder to pass through the filter;
encrypted storage of data comprises: after the user logs in successfully, the execution subsystem of the embedded end enables the data encryption/decryption function and loads the encryption key of the currently logged-in user from the key store; when data passes into or out of the external storage area, the hardware cryptographic engine is invoked to encrypt or decrypt the data with the current user's encryption key;
through the destruction control switch in the host computer execution subsystem, the information in the user information store and the key store is quickly destroyed.
2. The secure USB disk system supporting multi-user data protection according to claim 1, characterized in that the hardware system comprises: a main control chip and a flash memory chip; the main control chip externally provides a USB 3.0 interface and internally integrates a microprocessor, non-volatile memory and a hardware cryptographic engine; the software comprises the host computer execution subsystem and the embedded execution subsystem; the host computer execution subsystem is divided into the user operation layer, the security control layer and the bottom driver layer.
3. The secure USB disk system supporting multi-user data protection according to claim 1, characterized in that the program area uses the ISO 9660 file format and cannot be tampered with at the host end; the data area stores the user's data files using a custom file system format, and applies a read-protection measure before the user logs in or when login fails, so that it is invisible to the user; the log area is a hidden partition invisible to users, and the administrator can query and delete logs through the log manager in the host computer execution subsystem.
4. The secure USB disk system supporting multi-user data protection according to claim 1, characterized by comprising: two non-volatile storage regions, namely an internal storage region of the main control chip and the off-chip main storage area; user information and key data are kept in the on-chip storage region.
5. The secure USB disk system supporting multi-user data protection according to claim 1, characterized in that the embedded execution subsystem sets a maximum allowed number of login authentication failures; when a user's number of login failures exceeds the maximum allowed number, the user's access right is locked and an administrator is required to unlock it.
6. The secure USB disk system supporting multi-user data protection according to claim 1, characterized in that configuration of shared user information comprises: setting up shared users, where shared user information comprises user type, user name, login password, number of login failures, lock state, key index and private folder path; configuration of user information differs according to the type of the logged-in user and falls into two classes: one is a shared user's query and modification of the user's own information; the other is an administrator's addition, query, update, deletion and unlocking of shared user information.
7. The secure USB disk system supporting multi-user data protection according to claim 1, characterized in that the key data in the key store is the only record.
8. The secure USB disk system supporting multi-user data protection according to claim 1, characterized by comprising audit management: log information is recorded in a hidden partition, ensuring the access security of the log information, and operation entries for querying and deleting logs are provided to the administrator in the host computer execution subsystem.
9. The secure USB disk system supporting multi-user data protection according to claim 1, characterized by comprising custom SCSI commands: custom USB disk configuration requests and file read/write access requests all use custom SCSI commands.
10. The secure USB disk system supporting multi-user data protection according to claim 1, characterized in that the file storage mode in the data area uses a custom file system.
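The login lock, the failure lockout of claim 5, the user information item of claim 6 and the operating permission filter of claim 1, as an added Python model (not the patent's host or embedded code). The patent fixes neither the maximum failure count nor the password-checking algorithm, so MAX_FAILURES and PBKDF2-SHA256 with a per-user salt are assumptions; the path normalisation in the filter is likewise this example's addition, included because a prefix check without it would let a `..` segment leave the private folder.

```python
"""Login lock, failure lockout and operating-permission filter of claims 1,
5 and 6, as an added Python model (not the patent's host or embedded code).
Assumptions: MAX_FAILURES, PBKDF2-SHA256 password hashing with a per-user
salt, and path normalisation in the filter."""
import hashlib
import hmac
import posixpath
import secrets

MAX_FAILURES = 5                      # assumed "maximum allowed number" of claim 5
ADMIN, SHARED = "admin", "shared"     # user types


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserInfoStore:
    """User information store: one item per user with the claim 6 fields."""

    def __init__(self):
        self.items = {}

    def add(self, user_type, name, password, key_index, private_folder):
        salt = secrets.token_bytes(16)
        self.items[name] = dict(user_type=user_type, name=name, salt=salt,
                                pw_hash=_hash(password, salt), failures=0,
                                locked=False, key_index=key_index,
                                private_folder=private_folder)


class EmbeddedEnd:
    """Login authentication and login lock of the embedded execution subsystem."""

    def __init__(self, store: UserInfoStore):
        self.store = store
        self.current = None               # login lock engaged: nobody logged in

    def login(self, name: str, password: str) -> bool:
        item = self.store.items.get(name)
        if item is None or item["locked"]:
            return False                  # locked user: same state as not logged in
        if not hmac.compare_digest(_hash(password, item["salt"]), item["pw_hash"]):
            item["failures"] += 1
            if item["failures"] > MAX_FAILURES:   # claim 5: count exceeds the limit
                item["locked"] = True
            return False
        item["failures"] = 0
        self.current = item               # unlocks user management, accessor, data area
        return True

    def admin_unlock(self, name: str, initial_password: str) -> None:
        """'Unlocking user': reset lock state and initial password, admin only."""
        if self.current is None or self.current["user_type"] != ADMIN:
            raise PermissionError("administrator login required")
        item = self.store.items[name]
        item["salt"] = secrets.token_bytes(16)
        item["pw_hash"] = _hash(initial_password, item["salt"])
        item["failures"], item["locked"] = 0, False


def permission_filter(current, requested_path: str) -> bool:
    """Operating permission filter: pass only requests inside the logged-in
    user's private folder (the folder itself, its sub-folders and files).
    Paths are normalised so '..' segments cannot escape the folder; that
    normalisation is this example's addition, not a step the patent states."""
    if current is None:
        return False
    root = posixpath.normpath("/" + current["private_folder"].strip("/"))
    target = posixpath.normpath("/" + requested_path.strip("/"))
    return target == root or target.startswith(root + "/")
```

Two points of the model follow the claims directly: a locked or unknown user is indistinguishable from "not logged in" (no unlock of any host or embedded function), and only an administrator session can reset the lock state, which is what claim 5 means by "requires an administrator to unlock". The `root + "/"` comparison also keeps `/users/alice2` from matching the folder `/users/alice`.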

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811372902.2A CN109684866B (en) 2018-11-19 2018-11-19 Safe USB flash disk system supporting multi-user data protection

Publications (2)

Publication Number Publication Date
CN109684866A true CN109684866A (en) 2019-04-26
CN109684866B CN109684866B (en) 2021-03-23

Family

ID=66184778

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811372902.2A Active CN109684866B (en) 2018-11-19 2018-11-19 Safe USB flash disk system supporting multi-user data protection

Country Status (1)

Country Link
CN (1) CN109684866B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110049487A (en) * 2019-03-27 2019-07-23 山东超越数控电子股份有限公司 A kind of high safety encryption storage remote destroying management system and its working method based on Beidou
CN112291206A (en) * 2020-10-14 2021-01-29 北京安石科技有限公司 Method for improving operating system security through main control chip
CN112291206B (en) * 2020-10-14 2023-08-15 北京安石科技有限公司 Method for improving operating system safety through main control chip
WO2024045909A1 (en) * 2022-08-30 2024-03-07 武汉攀升鼎承科技有限公司 Storage device with built-in independent data
WO2024120039A1 (en) * 2022-12-06 2024-06-13 蔚来移动科技有限公司 Data processing method and device, vehicle, and storage medium
CN117828573A (en) * 2024-03-04 2024-04-05 深圳市领德创科技有限公司 Intelligent encryption USB flash disk based on fingerprint technology

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101882114A (en) * 2009-05-04 2010-11-10 同方股份有限公司 Mobile storage device with gradual identity authentication and log record
CN102200948A (en) * 2010-03-23 2011-09-28 北京爱国者信息技术有限公司 Multi-partition memory device and access method thereof
CN102567233A (en) * 2011-12-23 2012-07-11 福建升腾资讯有限公司 Data protection method of USB storage device based on magnetic disc virtual technology
CN102609367A (en) * 2011-11-25 2012-07-25 无锡华御信息技术有限公司 USB (Universal Serial Bus) flash disc system with safety control and audit
US20140298487A1 (en) * 2013-03-29 2014-10-02 International Business Machines Corporation Multi-user universal serial bus (usb) key with customizable file sharing permissions
CN106919817A (en) * 2017-02-06 2017-07-04 上海斐讯数据通信技术有限公司 The mobile hard disk and application method of account are accessed with multiple

Similar Documents

Publication Publication Date Title
CN109684866A (en) A kind of safe USB disk system for supporting multi-user data to protect
CN102948114B (en) Single for accessing enciphered data uses authentication method and system
US7210043B2 (en) Trusted computer system
US9141815B2 (en) System and method for intelligence based security
US8103883B2 (en) Method and apparatus for enforcing use of danbury key management services for software applied full volume encryption
CN100407174C (en) Data protection program and data protection method
US8479013B2 (en) Secure portable data transport and storage system
US9449164B2 (en) Method of securing a computing device
US8161527B2 (en) Security Enhanced Data Platform
JP5094365B2 (en) Hard disk drive
KR100861822B1 (en) Data management method
CN102722671A (en) Data defense system in windows operation system
US20030221115A1 (en) Data protection system
CN102884535A (en) Protected device management
CN101923678A (en) Data security protection method of enterprise management software
CN101635018A (en) Method of safety ferriage of USB flash disk data
CN101120355A (en) System for creating control structure for versatile content control
CN201682524U (en) Document transfer authority control system based on document filtering driver
US11469880B2 (en) Data at rest encryption (DARE) using credential vault
WO2011148224A1 (en) Method and system of secure computing environment having auditable control of data movement
WO2007035453A1 (en) Transactional sealed storage
CN215376310U (en) USB flash disk authentication system for encrypting USB flash disk and supporting finger vein recognition
CN111737722B (en) Method and device for safely ferrying data between intranet terminals
JPS63127334A (en) Withdrawal and conditioning execution right from software protection mechanism in safety
JP7143088B2 (en) File encryption system and file encryption program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant