CN109684866A - A secure USB flash disk system supporting multi-user data protection - Google Patents
Publication number: CN109684866A
Application number: CN201811372902.2A
Authority: CN (China)
Prior art keywords: user, data, host computer, log, USB disk
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
- G06F21/79—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06K—GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
- G06K19/00—Record carriers for use with machines and with at least a part designed to carry digital markings
- G06K19/06—Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
- G06K19/067—Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components
- G06K19/07—Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips
- G06K19/077—Constructional details, e.g. mounting of circuits in the carrier
- G06K19/0772—Physical layout of the record carrier
- G06K19/07732—Physical layout of the record carrier the record carrier having a housing or construction similar to well-known portable memory devices, such as SD cards, USB or memory sticks
Abstract
The present invention relates to a secure USB flash disk system supporting multi-user data protection, comprising a host computer execution subsystem and an embedded execution subsystem. The host computer execution subsystem includes: a status monitor, login window, log manager, user manager, destruction control switch, file operator, log generator, operation permission filter, dedicated file system and SCSI protocol generator; its executable program is stored in the program area of the secure USB flash disk. The embedded execution subsystem includes: a SCSI protocol parser, login authentication, status responder, login lock, destruction control, user management, fast memory accessor, audit management, hardware algorithm encryptor, user information database, key store, program area, data area and log area; its executable object code is burned into the main control chip inside the secure USB flash disk. The invention meets the application requirement of multiple users within a unit or department sharing one flash disk while the data of different users is kept secret from one another.
Description
Technical field
The present invention relates to a secure USB flash disk, in particular a flash disk that protects the security of private data between different users in a multi-user shared environment.
Background art
The secure USB flash disk uses multiple security strategies, such as login authentication, user access control and encrypted data storage, to ensure that data is secure and kept secret between different users. It is mainly suited to application scenarios in which multiple users within a unit or department share one flash disk and the data of different users must be kept secret from one another.
With the spread of computers, removable storage media have become an indispensable information exchange tool in people's daily work, but the security problems they bring, namely the spreading of Trojans and viruses when a disk is used across machines and the leakage of information when a flash disk is lost, have become a matter of growing concern. To solve the security problems of ordinary flash disks, equipment manufacturers have released a number of secure USB flash disks in recent years. In summary, their security techniques fall into the following classes: 1) an encryption chip integrated inside the flash disk provides encryption and decryption, transparent to the user, of the data stored in the flash disk; 2) dedicated software matched to the flash disk is provided, and the flash disk is accessed through that software; 3) a user login authentication mechanism is provided, so that only legitimate users may use the flash disk; 4) a write-protect switch is fitted on the flash disk housing to physically ensure that the flash disk is read-only. These techniques prevent the injection of malware such as Trojans and viruses, implement full-disk encryption of the data in the flash disk, and avoid information leakage after a flash disk is lost, but they cannot protect the private data of different users of the same flash disk from one another.
With the appearance of secure USB flash disk products, patents protecting the related intellectual property have been filed one after another. For example, the patent application "safety encipherment U disk" of Zhenhua army section intelligent technology limited (patent No.: CN201710633311.5, date of application: July 28, 2017) describes a secure encrypted USB disk that encrypts the disk by means of a fingerprint reader and a fingerprint identification module; its identity authentication mechanism ensures that only legitimate users can use the flash disk, which greatly improves the security of the USB disk. As another example, the patent application "a kind of integrated U disc" of Guangdong Hong Du Information technology Co., Ltd (patent No.: CN201520394573.7, publication number: CN204667884U, date of application: June 9, 2015) proposes an integrated secure USB flash disk that is safe and convenient to use: a main controller, a fingerprint identification module and memory are integrated inside the flash disk, matching host-side and slave-side execution modules are provided, and the secure flash disk is accessed through dedicated software, preventing the injection of malware such as Trojans and viruses. However, these secure USB flash disks cannot meet the application requirement of sharing among multiple users while keeping the data of different users secret from one another.
Summary of the invention
The purpose of the present invention is to provide a secure USB flash disk system supporting multi-user data protection, to solve the above problems of the prior art.
A secure USB flash disk system supporting multi-user data protection according to the present invention comprises a host computer execution subsystem and an embedded execution subsystem.
The host computer execution subsystem is divided into three layers: a user operation layer, a security control layer and a bottom driver layer. The user operation layer includes a login window, log manager, user manager, destruction control switch and file operator, and provides the user with operation and viewing windows in the form of a graphical interface. The security control layer includes a log generator, operation permission filter, dedicated file system and SCSI protocol generator, and provides a unified API for the user operation layer. The bottom driver layer uses the system's generic USB storage device driver to implement data communication with the secure USB flash disk.
The off-chip main storage area is divided into a program area, a data area and a log area. The embedded execution subsystem includes: a SCSI protocol parser, login authentication, status responder, login lock, destruction control, user management, fast memory accessor, audit management, hardware algorithm encryptor, user information database, key store, program area, data area and log area.
Loading and running the host computer execution subsystem includes: after the secure USB flash disk is connected to the host machine, the host machine automatically recognizes the flash disk device and shows the program area; the program area holds the executable program of the host computer execution subsystem.
User login includes: the user enters a user name and password in the login window; the SCSI protocol generator builds a communication message, which is sent to the login authentication module in the embedded execution subsystem; the login authentication module invokes an algorithm, completes authentication against the user information in the user information database, and returns the authentication result. If authentication passes, the host computer and the embedded side each release their own login lock; on the host computer side the user manager, destruction control switch and file operator are unlocked; on the embedded side destruction control, user management and the fast memory accessor are unlocked, and the attribute of the data area is changed to readable and writable so that it is visible on the host machine. If the currently logged-in user is the administrator, the log manager is also unlocked on the host computer side; the log-area update function of the audit management module on the embedded side is in an operable state, and its query and delete functions are valid in the administrator login state. If authentication fails, the login locks of the host computer and the embedded side both remain locked, and the functional state of the execution system is the same as when not logged in.
The user manager of the host computer cooperates with the user management module and the fast memory accessor of the embedded side to jointly complete the configuration of user information. Adding a user: the host computer initiates a user-add request through the user manager; the fast memory accessor and the user management module of the embedded side respond to the request, create the new user's private folder, allocate a data encryption storage key for the new user, save the new user information item in the user information database, and return the request processing result. Deleting a user includes: looking up the specified user's information item in the user information database and deleting the user's private folder from the data area according to the private folder path in that item; deleting the specified key from the key store according to the key index in the item; and deleting the corresponding user information item from the user information database. Querying user information includes: querying the corresponding user information in the user information database by user type and user name and returning it to the host computer. Unlocking a user includes: searching the user information database for the corresponding user information item by user type and user name, then resetting the initial login password and the lock state in that item. Configuration of a shared user's own information includes: after a shared user logs in, the user manager provides the functions of querying and updating user information; the user manager of the host computer cooperates with the user management module of the embedded side to query and update the user information.
Protection of data between different users includes: private data of different users is protected through the permission filter, dedicated file system, SCSI protocol generator, SCSI protocol parser and hardware algorithm encryptor. Filtering of operation permissions includes: all file operation requests of the file operator pass through the operation permission filter, which decides whether to intercept the request; according to the private folder path of the currently logged-in user, the operation permission filter lets through requests that operate on sub-folders and files in that private folder. Encrypted storage of data includes: after the user logs in successfully, the execution subsystem on the embedded side turns on the data encryption and decryption function and loads the encryption key of the currently logged-in user from the key store; when data passes in or out of the external storage area, the hardware algorithm encryptor is called to encrypt or decrypt it with the current user's encryption key. Through the destruction control switch in the host computer execution subsystem, the information in the user information database and the key store can be quickly destroyed.
In one embodiment of the secure USB flash disk system supporting multi-user data protection according to the present invention, the hardware system includes a control chip and a flash storage chip; the main control chip provides a USB3.0 interface externally and integrates internally a microprocessor, non-volatile memory and a hardware algorithm encryptor; the software includes the host computer execution subsystem and the embedded execution subsystem; the host computer execution subsystem is divided into a user operation layer, a security control layer and a bottom driver layer.
In one embodiment of the secure USB flash disk system supporting multi-user data protection according to the present invention, the non-volatile main storage area is divided into three partitions: a program area, a data area and a log area. The program area uses the iso9660 file format and cannot be tampered with from the host machine. The data area stores the users' data files in a custom file system format; before a user logs in, or when login fails, the data area is read-protected and invisible to the user. The log area is a hidden partition, invisible to users; the administrator can query and delete logs through the log manager in the host computer execution subsystem.
In one embodiment of the secure USB flash disk system supporting multi-user data protection according to the present invention, the non-volatile storage area includes two regions, the on-chip storage area of the main control chip and the off-chip main storage area; user information and key data are stored in the on-chip storage area.
In one embodiment of the secure USB flash disk system supporting multi-user data protection according to the present invention, the embedded execution subsystem sets a maximum allowed number of login authentication failures; when a user's number of failed logins exceeds the maximum allowed number, the user's right of use is locked and must be unlocked by the administrator.
In one embodiment of the secure USB flash disk system supporting multi-user data protection according to the present invention, configuring shared user information includes setting up shared users; shared user information includes user type, user name, login password, login failure count, lock state, key index and private folder path. Configuration of user information falls into two classes according to the type of the logged-in user: one is a shared user querying and changing their own information; the other is the administrator adding, querying, updating, deleting and unlocking shared user information.
In one embodiment of the secure USB flash disk system supporting multi-user data protection according to the present invention, the key data in the key store is the only record.
In one embodiment of the secure USB flash disk system supporting multi-user data protection according to the present invention, audit management is included: log information is recorded in a hidden partition, ensuring the access security of the log information, and the host computer execution subsystem provides the administrator with operation entries for querying and deleting logs.
In one embodiment of the secure USB flash disk system supporting multi-user data protection according to the present invention, custom SCSI commands are included: custom flash disk configuration requests and file read/write access requests all use custom SCSI commands.
In one embodiment of the secure USB flash disk system supporting multi-user data protection according to the present invention, files in the data area are stored using a custom file system.
Description of the drawings
Fig. 1 is a schematic diagram of the secure USB flash disk system supporting multi-user data protection.
Detailed description of the embodiments
To make the purpose, content and advantages of the present invention clearer, specific embodiments of the invention are described in further detail below with reference to the drawings and examples.
Fig. 1 is a schematic diagram of the secure USB flash disk system supporting multi-user data protection. As shown in Fig. 1, the secure USB flash disk system supporting multi-user data protection of the present invention consists of software and hardware: the hardware includes a main control chip and a flash storage chip; the main control chip provides a USB3.0 interface externally and integrates internally a microprocessor, non-volatile memory and a hardware algorithm encryptor; the software includes the host computer execution subsystem and the embedded execution subsystem.
As shown in Fig. 1, the host computer execution subsystem can be divided into three layers according to the level it occupies in the operating system: a user operation layer, a security control layer and a bottom driver layer. First, the user operation layer includes the status monitor 1, login window 2, log manager 4, user manager 5, destruction control switch 6 and file operator 7, and provides the user with operation and viewing windows in the form of a graphical interface. Second, the security control layer includes the log generator 8, operation permission filter 9, dedicated file system 10 and SCSI protocol generator 11; it exists in the form of a library and provides a unified API for the user operation layer. Finally, the bottom driver layer uses the generic USB storage device driver that ships with the system to implement data communication with the secure USB flash disk. The executable program of the host computer execution subsystem is stored in the program area 23 of the secure USB flash disk and is presented as an optical disc, so no separate installation disc is required, which makes the flash disk convenient to use.
As shown in Fig. 1, the embedded execution subsystem includes: the SCSI protocol parser 12, login authentication 13, status responder 14, login lock 15, destruction control 16, user management 17, fast memory accessor 18, audit management 19, hardware algorithm encryptor 20, user information database 21, key store 22, program area 23, data area 24 and log area 25. Its executable object code is burned into the main control chip inside the secure USB flash disk.
As shown in Fig. 1, the non-volatile storage area of the secure USB flash disk includes two regions: the on-chip storage area of the main control chip and the off-chip main storage area. Sensitive information such as user information and key data is stored in the on-chip storage area, where it is not exposed to the threat of theft through physical disassembly, which protects the sensitive information. The off-chip main storage area is divided into three partitions: program area 23, data area 24 and log area 25. Program area 23 uses the iso9660 file format, is presented as an optical disc, and cannot be tampered with from the host machine. Data area 24 stores the users' data files in a custom file system format, which prevents an illegitimate user from accessing the data in the flash disk with software other than the host computer execution subsystem; in addition, before a user logs in, or when login fails, the data area is read-protected and invisible to the user, which protects the whole partition. The log area is a hidden partition, invisible to users; the administrator can query and delete logs through the log manager 4 in the host computer execution subsystem.
As shown in Fig. 1, the specific steps for configuring and using the secure USB flash disk of the present invention are as follows:
Loading and running the host computer execution subsystem:
After the secure USB flash disk is connected to the host machine, the host machine automatically recognizes the flash disk device but shows only program area 23. Opening program area 23 reveals the executable program of the host computer execution subsystem. Running the host computer execution subsystem brings up the user operation interface; at this point only the status monitor 1 and the login window 2 are shown as operable, and everything else is greyed out as inoperable.
User login:
The user enters a user name and password in the login window 2 of the user operation interface; the SCSI protocol generator builds a communication message, which is sent to the login authentication 13 module in the embedded execution subsystem. The login authentication 13 module invokes the relevant algorithm, completes authentication against the user information in the user information database 21, and returns the authentication result.
If authentication passes, the host computer and the embedded side release login locks 3 and 15 respectively. At the same time, the user manager 5, destruction control switch 6 and file operator 7 are unlocked on the host computer side; destruction control 16, user management 17 and the fast memory accessor 18 are unlocked on the embedded side, and the attribute of the data area is changed to readable and writable so that it becomes visible on the host machine and the logged-in user can access the data files in the data area. If the currently logged-in user is the administrator, the log manager 4 is also unlocked on the host computer side. The update function for log area 25 of the audit management module 19 on the embedded side is always operable, so that all security events during operation of the secure USB flash disk are captured, but its query and delete functions are valid only in the administrator login state.
If authentication fails, login locks 3 and 15 of the host computer and the embedded side remain locked, and the functional state of the execution system is the same as when not logged in.
To prevent an illegitimate user from trying login passwords without limit, the embedded execution subsystem sets a maximum allowed number of login authentication failures. When a user's number of failed logins exceeds the maximum allowed number, that user's right to use the secure USB flash disk is locked and must be unlocked by the administrator.
Configuration of shared user information:
To support sharing of the secure USB flash disk among multiple users, shared users must be set up. Shared user information includes user type, user name, login password, login failure count, lock state, key index and private folder path. Configuration of user information falls into two classes according to the type of the logged-in user: one is a shared user querying and changing their own information; the other is the administrator adding, querying, updating, deleting and unlocking shared user information, and so on.
Configuration of shared user information by the administrator:
After the administrator logs in, the user manager 5 that becomes visible offers functions such as adding a user, deleting a user, unlocking a user and querying user information. The user manager 5 of the host computer then cooperates with the user management 17 module and the fast memory accessor 18 of the embedded side to jointly complete the configuration of user information.
Adding a user:
The host computer initiates a user-add request through the user manager 5. The fast memory accessor 18 and the user management 17 module of the embedded side respond to the request, carry out operations such as creating the new user's private folder, allocating a data encryption storage key for the new user and saving the new user information item in the user information database, and return the request processing result.
Deleting a user:
Deleting a user is the reverse of adding one. The specified user's information item is looked up in the user information database 21, and the user's private folder is deleted from the data area according to the private folder path in that item; the specified key is deleted from the key store 22 according to the key index in the item; and the corresponding user information item is deleted from the user information database 21.
Querying user information:
The corresponding user information is queried in the user information database by user type and user name and returned to the host computer.
Unlocking a user:
The corresponding user information item is first searched for in the user information database 21 by user type and user name; the initial login password and the lock state in that user information item are then reset.
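The failure limit described under user login and the administrator unlock described here, modelled together as an added example in C (not code from the patent). The limit of 3, the initial password string, the clear-text password comparison standing in for the unspecified authentication algorithm, and all identifiers are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed values: the page gives neither a limit nor a password format. */
#define MAX_LOGIN_FAILURES 3            /* assumed maximum allowed failures */
#define INITIAL_PASSWORD   "initial-pw" /* assumed initial login password */

enum user_type { USER_ADMIN, USER_SHARED };
enum login_result { LOGIN_OK, LOGIN_BAD_PASSWORD, LOGIN_LOCKED, LOGIN_UNKNOWN_USER };

/* One user information item with the fields the page lists. */
struct user_item {
    enum user_type type;
    char name[16];
    char password[32];      /* clear text only to keep the sketch short */
    unsigned char failures; /* login failure count */
    bool locked;            /* lock state */
    unsigned char key_index;
    char private_dir[32];
};

/* Compare two passwords without stopping at the first mismatch. */
static bool password_matches(const char *stored, const char *attempt)
{
    unsigned char a[32] = {0}, b[32] = {0}, diff = 0;
    if (strlen(attempt) >= sizeof b)
        return false;
    strncpy((char *)a, stored, sizeof a - 1);
    strncpy((char *)b, attempt, sizeof b - 1);
    for (size_t i = 0; i < sizeof a; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

struct user_item *find_user(struct user_item *db, size_t n,
                            enum user_type type, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (db[i].type == type && strcmp(db[i].name, name) == 0)
            return &db[i];
    return NULL;
}

/* A locked account is refused before the password is looked at, so
 * guessing cannot continue once the lock is set. */
enum login_result login(struct user_item *db, size_t n, enum user_type type,
                        const char *name, const char *password)
{
    struct user_item *u = find_user(db, n, type, name);
    if (u == NULL)
        return LOGIN_UNKNOWN_USER;
    if (u->locked)
        return LOGIN_LOCKED;
    if (password_matches(u->password, password)) {
        u->failures = 0;
        return LOGIN_OK;
    }
    u->failures++;
    if (u->failures > MAX_LOGIN_FAILURES) /* count "exceeds" the maximum */
        u->locked = true;
    return LOGIN_BAD_PASSWORD;
}

/* Administrator unlock: reset the password to the initial one and clear
 * the lock state. Clearing the failure count is an assumption. */
bool admin_unlock(struct user_item *db, size_t n, const struct user_item *actor,
                  enum user_type type, const char *name)
{
    struct user_item *u = find_user(db, n, type, name);
    if (actor == NULL || actor->type != USER_ADMIN || u == NULL)
        return false;
    strcpy(u->password, INITIAL_PASSWORD);
    u->failures = 0;
    u->locked = false;
    return true;
}

/* Constructed sample database: one administrator, one shared user. */
void make_sample_db(struct user_item db[2])
{
    memset(db, 0, 2 * sizeof db[0]);
    db[0].type = USER_ADMIN;
    strcpy(db[0].name, "admin"); strcpy(db[0].password, "admin-pw");
    db[1].type = USER_SHARED;    db[1].key_index = 1;
    strcpy(db[1].name, "alice"); strcpy(db[1].password, "alice-pw");
    strcpy(db[1].private_dir, "/users/alice");
}

int main(void)
{
    struct user_item db[2];
    make_sample_db(db);
    for (int i = 0; i < 4; i++)
        login(db, 2, USER_SHARED, "alice", "guess");
    printf("alice locked after 4 bad guesses: %d\n", db[1].locked);
    return 0;
}
```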
Configuration of a shared user's own information:
After a shared user logs in, the query and update user information functions of the user manager 5 become available. The user manager 5 of the host computer then cooperates with the user management module 17 of the embedded side to jointly implement the query and update functions for user information. In the update function, a shared user can update the login password of the account.
Protection of data between different users:
The secure USB flash disk protects the private data of different users from one another through the operation permission filter 9, dedicated file system 10, SCSI protocol generator 11, SCSI protocol parser 12 and hardware algorithm encryptor 20.
Filtering of operation permissions:
The operation permission filter 9 acts as the first-layer filter and filters request packets according to user name. All file operation requests from the file operator 7 pass through the operation permission filter 9, which decides whether to intercept the request. Based on the private folder path of the currently logged-in user, the operation permission filter 9 lets through only requests that operate on sub-folders and files in that private folder, which rules out access to other users' files at the client layer.
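A path-confinement check of the kind the operation permission filter performs, as an added example in C (not code from the patent). The page does not give the custom file system's path syntax, so '/'-separated absolute paths, case-sensitive names, the function names and the choice to allow the private folder itself are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_CAP 128   /* assumed maximum path length */

/* Lexically normalise an absolute '/'-separated path into out: collapse
 * repeated separators, drop "." and resolve "..". Returns false for a
 * relative path, an over-long path, or ".." that climbs above the root. */
bool normalize_path(const char *in, char *out, size_t cap)
{
    size_t len = 0;
    if (in[0] != '/' || cap < 2)
        return false;
    while (*in) {
        while (*in == '/')
            in++;                          /* skip separator runs */
        size_t n = strcspn(in, "/");       /* length of next component */
        if (n == 0)
            break;
        if (n == 1 && in[0] == '.') {
            /* "." keeps the current position */
        } else if (n == 2 && in[0] == '.' && in[1] == '.') {
            if (len == 0)
                return false;              /* would leave the root */
            while (len > 0 && out[--len] != '/') { }  /* drop last component */
        } else {
            if (len + 1 + n + 1 > cap)
                return false;
            out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n;
    }
    if (len == 0)
        out[len++] = '/';
    out[len] = '\0';
    return true;
}

/* Allow a request only if, after normalisation, it names the logged-in
 * user's private folder or something below it. The match must end on a
 * component boundary, so "/users/alice2" does not pass for "/users/alice". */
bool request_allowed(const char *private_dir, const char *requested)
{
    char root[PATH_CAP], path[PATH_CAP];
    if (!normalize_path(private_dir, root, sizeof root) ||
        !normalize_path(requested, path, sizeof path))
        return false;
    size_t n = strlen(root);
    if (n == 1)
        return false;                      /* a private folder is never "/" */
    if (strncmp(path, root, n) != 0)
        return false;
    return path[n] == '\0' || path[n] == '/';
}

int main(void)
{
    /* Constructed sample requests for a user whose folder is /users/alice. */
    const char *req[] = {
        "/users/alice/docs/report.txt",
        "/users/alice/../bob/secret.txt",
        "/users/alice2/notes.txt",
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("%-34s %s\n", req[i],
               request_allowed("/users/alice", req[i]) ? "pass" : "intercept");
    return 0;
}
```

The page places this check in the host-side library and pairs it with a different encryption key per user inside the main control chip, so the path check is one of two layers.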
Dedicated file system:
To guarantee the security of the file data in data area 24 of the secure USB flash disk, files in data area 24 are stored using a custom file system. This ensures that users can access the data files in the data area of the secure flash disk only through the host computer execution subsystem, and avoids the risk of malware such as viruses and Trojans stealing data files.
Custom SCSI commands:
The secure USB flash disk supports standard SCSI commands combined with custom SCSI commands. Custom flash disk configuration requests and file read/write access requests all use custom SCSI commands, which prevents the secure flash disk from being accessed through the operating system's built-in resource manager and further protects the data in the data area.
Encrypted storage of data:
The hardware algorithm encryptor 20 is integrated in the main control chip of the secure USB flash disk and communicates directly with the NAND flash controller. After the user logs in successfully, the execution subsystem on the embedded side turns on the data encryption and decryption function and loads the encryption key of the currently logged-in user from the key store 22. When data passes in or out of the external storage area, the hardware algorithm encryptor 20 is called automatically to encrypt or decrypt the data with the current user's encryption key. On the one hand, using the hardware algorithm encryptor 20 greatly increases the speed of data encryption and decryption and protects the data if the external memory is physically disassembled; on the other hand, each user has a different encryption key, which protects the privacy of data between different users.
Emergency destruction:
To guarantee that user data is not leaked in an emergency, the secure USB flash disk supports emergency destruction: through the destruction control switch 6 in the host computer execution subsystem, the user can quickly destroy the information in the user information database 21 and the key store 22. User data files are kept in data area 24, whose storage capacity is large, so the chance of destroying all of it in an emergency is small. Because all data in data area 24 is stored encrypted, and the encryption keys are generated inside the main control chip and always remain stored inside it, with no support for exporting key data, the key data in key store 22 is the only record; destroying it leaves the user data files impossible to crack, which protects the information.
Fast data access includes:
The secure USB disk provides two access modes, FTL_IO and NON_FTL_IO. SCSI Read/Write commands used for file reads and writes use FTL_IO mode; all other SCSI commands and the custom private commands use NON_FTL_IO mode. FTL_IO mode supports direct DMA transfer between the USB endpoint and the NAND flash controller. When the USB endpoint receives data and the SCSI protocol parser 12 determines that the command is a SCSI Read/Write command, FTL_IO mode is called directly to pass the access request to the flash controller. This avoids a second copy of the data and software transfer handling by the main control chip's microprocessor while it processes received packets, which speeds up access to flash data and improves the data throughput of the USB interface.
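The routing decision made by the SCSI protocol parser can be sketched as below. This is an added example, not the patent's firmware: it assumes the standard USB mass-storage Bulk-Only Transport command block wrapper (CBW), assumes READ(10)/WRITE(10) are the Read/Write commands in question, and uses opcode 0xC0 as a hypothetical stand-in for a private command.

```python
import struct

CBW_SIGNATURE = 0x43425355      # "USBC" as a little-endian dword
READ_10, WRITE_10 = 0x28, 0x2A  # assumed to be the fast-path Read/Write opcodes

def build_cbw(tag: int, xfer_len: int, data_in: bool, cdb: bytes) -> bytes:
    """Build a 31-byte CBW for LUN 0 (used here to construct sample input)."""
    flags = 0x80 if data_in else 0x00
    return struct.pack("<IIIBBB16s", CBW_SIGNATURE, tag, xfer_len,
                       flags, 0, len(cdb), cdb)

def route_cbw(raw: bytes) -> dict:
    """Validate a CBW and choose FTL_IO or NON_FTL_IO for its SCSI command."""
    if len(raw) != 31:
        raise ValueError("CBW must be exactly 31 bytes")
    sig, tag, xfer_len, flags, lun, cb_len, cb = struct.unpack("<IIIBBB16s", raw)
    if sig != CBW_SIGNATURE:
        raise ValueError("bad CBW signature")
    if lun > 0x0F or not 1 <= cb_len <= 16:
        raise ValueError("reserved bits set or invalid command length")
    opcode = cb[0]
    data_in = bool(flags & 0x80)
    if opcode in (READ_10, WRITE_10):
        if cb_len < 10:
            raise ValueError("truncated READ/WRITE(10) command block")
        # Reject before any DMA is set up if the direction contradicts the opcode.
        if data_in != (opcode == READ_10):
            raise ValueError("direction flag contradicts opcode")
        (lba,) = struct.unpack(">I", cb[2:6])     # CDB fields are big-endian
        (blocks,) = struct.unpack(">H", cb[7:9])
        return {"path": "FTL_IO", "tag": tag, "lba": lba, "blocks": blocks}
    # Every other SCSI command, and any private command, takes the slow path.
    return {"path": "NON_FTL_IO", "tag": tag, "opcode": opcode}

# Constructed sample command blocks
READ10_CDB = bytes([READ_10, 0]) + (2048).to_bytes(4, "big") + bytes([0]) \
    + (8).to_bytes(2, "big") + bytes([0])
INQUIRY_CDB = bytes([0x12, 0, 0, 0, 36, 0])
PRIVATE_CDB = bytes([0xC0, 0x01, 0, 0, 0, 0])  # hypothetical private command

if __name__ == "__main__":
    for cbw in (build_cbw(1, 8 * 512, True, READ10_CDB),
                build_cbw(2, 36, True, INQUIRY_CDB),
                build_cbw(3, 0, False, PRIVATE_CDB)):
        print(route_cbw(cbw))
```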
Security audit management includes:
The secure USB disk provides an audit function that records log information in a hidden partition, ensuring secure access to the log information. In addition, the host-computer execution subsystem provides the administrator with operation entries for querying and deleting logs, so that the administrator can review the usage history of the secure USB disk.
The present invention meets the need for multiple users within a unit or department to share a USB disk.
The above is only a preferred embodiment of the present invention. It should be noted that a person of ordinary skill in the art can make several improvements and modifications without departing from the technical principles of the invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.
Claims (10)
1. A secure USB disk system supporting multi-user data protection, characterized by comprising: a host-computer execution subsystem and an embedded execution subsystem;
The host-computer execution subsystem is divided into three layers: a user operation layer, a security control layer and a bottom driver layer;
The user operation layer comprises: a login window, a log manager, a user manager, a destruction control switch and a file operator, and provides the user with operation and viewing windows in the form of a graphical interface;
The security control layer comprises: a log generator, an operation permission filter, a dedicated file system and a SCSI protocol generator, and provides a unified API interface for the user operation layer;
The bottom driver layer uses the system's generic USB storage device driver to implement data communication with the secure USB disk;
The off-chip main storage area is divided into a program area, a data area and a log area;
The embedded execution subsystem comprises: a SCSI protocol parser, login authentication, a status responder, a login lock, destruction control, user management, a fast memory accessor, audit management, a hardware algorithm encryptor, a user information database, a key store, the program area, the data area and the log area;
Loading and running the host-computer execution subsystem comprises: after the secure USB disk is connected to a host, the host side automatically recognizes the USB disk device and displays the program area; the program area holds the executable program of the host-computer execution system;
User login comprises: the user name and password are entered through the login window, and a communication message is constructed by the SCSI protocol generator and sent to the login authentication module in the embedded execution subsystem; the login authentication module calls an algorithm and, together with the user information in the user information database, completes the authentication and returns the authentication result;
If authentication passes, the host computer and the embedded side each unlock their own login lock; on the host-computer side the user manager, the destruction control switch and the file operator are unlocked; on the embedded side destruction control, user management and the fast memory accessor are unlocked, and the attribute of the data area is changed to a readable and writable state so that it is visible on the host side; if the currently logged-in user is an administrator, the log manager is also unlocked on the host-computer side, the update function for the log area of the audit management module on the embedded side is in an operable state, and the query and delete functions are effective in the administrator login state;
If authentication fails, the login locks of the host computer and the embedded side both remain locked, and the functional state of the execution system is the same as when not logged in;
The user manager of the host computer cooperates with the user management module and the fast memory accessor of the embedded side to jointly complete the configuration of user information;
The host computer initiates a user addition request through the user manager; the fast memory accessor and the user management module of the embedded side respond to the request, create the new user's private folder, allocate a data encryption storage key for the new user, save a new user information entry in the user information database, and return the result of processing the request;
Deleting a user comprises: looking up the specified user's user information entry in the user information database; deleting the user's private folder from the data area according to the private folder path in the user information entry; deleting the specified key from the key store according to the key index in the user information entry; and deleting the corresponding user information entry from the user information database;
Querying user information comprises: querying the corresponding user information from the user information database according to user type and user name, and returning it to the host computer;
Unlocking a user comprises: looking up the corresponding user information entry in the user information database according to user type and user name, and then resetting the initial login password and the locked state in that user information entry;
Shared user comprises: after a shared user logs in, for the configuration of the user's own information, the user manager provides functions to query and update user information; the user manager of the host computer cooperates with the user management module of the embedded side to query and update the user information;
Protection of data between different users comprises: protecting private data between different users by means of the permission filter, the dedicated file system, the SCSI protocol generator, the SCSI protocol parser and the hardware algorithm encryptor;
Filtering of operation permissions comprises: all file operation requests from the file operator pass through the operation permission filter, which decides whether to intercept the request; based on the private folder path of the currently logged-in user, the operation permission filter allows operation requests on subfolders and files within that private folder to pass through the filter;
Encrypted storage of data comprises: after the user logs in successfully, the execution subsystem of the embedded side enables the data encryption and decryption function and loads the encryption key of the currently logged-in user from the key store; when data passes into or out of the external storage area, the hardware algorithm encryptor is called to encrypt and decrypt the data with the current user's encryption key;
The information in the user information database and the key store is quickly destroyed by means of the destruction control switch in the host-computer execution subsystem.
2. The secure USB disk system supporting multi-user data protection according to claim 1, characterized in that the hardware system comprises: a control chip and a flash storage chip; the main control chip provides a USB 3.0 interface externally and internally integrates a microprocessor, a non-volatile memory and a hardware algorithm encryptor; the software comprises the host-computer execution subsystem and the embedded execution subsystem; the host-computer execution subsystem is divided into a user operation layer, a security control layer and a bottom driver layer.
3. The secure USB disk system supporting multi-user data protection according to claim 1, characterized in that the program area uses the ISO 9660 file format and cannot be tampered with on the host side; the data area stores users' data files and uses a custom file system format, and before a user logs in or when login fails the data area is read-protected and invisible to the user; the log area is a hidden partition, invisible to users, and the administrator can query and delete logs through the log manager in the host-computer execution subsystem.
4. The secure USB disk system supporting multi-user data protection according to claim 1, characterized by comprising: a non-volatile storage area comprising two regions, the storage area inside the main control chip and the off-chip main storage area; user information and key data are stored in the on-chip storage area.
5. The secure USB disk system supporting multi-user data protection according to claim 1, characterized in that the embedded execution subsystem sets a maximum permitted number of failed login authentications; when the number of a user's failed logins exceeds the maximum permitted number, the user's right of use is locked and must be unlocked by the administrator.
6. The secure USB disk system supporting multi-user data protection according to claim 1, characterized in that the configuration of shared user information comprises: setting up shared users, where shared user information includes user type, user name, login password, number of login failures, locked state, key index and private folder path; the configuration of user information is divided into two classes according to the type of the logged-in user: one is a shared user querying and changing the user's own information; the other is the administrator adding, querying, updating, deleting and unlocking shared user information.
7. The secure USB disk system supporting multi-user data protection according to claim 1, characterized in that the key data in the key store is the only record.
8. The secure USB disk system supporting multi-user data protection according to claim 1, characterized by comprising audit management: log information is recorded in a hidden partition, ensuring secure access to the log information, and operation entries for querying and deleting logs are provided to the administrator in the host-computer execution subsystem.
9. The secure USB disk system supporting multi-user data protection according to claim 1, characterized by comprising custom SCSI commands: custom flash-disk configuration requests and file read/write access requests all use custom SCSI commands.
10. The secure USB disk system supporting multi-user data protection according to claim 1, characterized in that files in the data area are stored using a custom file system.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811372902.2A CN109684866B (en) | 2018-11-19 | 2018-11-19 | Safe USB flash disk system supporting multi-user data protection |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109684866A (en) | 2019-04-26 |
CN109684866B (en) | 2021-03-23 |
Family
ID=66184778
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811372902.2A Active CN109684866B (en) | 2018-11-19 | 2018-11-19 | Safe USB flash disk system supporting multi-user data protection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109684866B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101882114A (en) * | 2009-05-04 | 2010-11-10 | 同方股份有限公司 | Mobile storage device with gradual identity authentication and log record |
CN102200948A (en) * | 2010-03-23 | 2011-09-28 | 北京爱国者信息技术有限公司 | Multi-partition memory device and access method thereof |
CN102567233A (en) * | 2011-12-23 | 2012-07-11 | 福建升腾资讯有限公司 | Data protection method of USB storage device based on magnetic disc virtual technology |
CN102609367A (en) * | 2011-11-25 | 2012-07-25 | 无锡华御信息技术有限公司 | USB (Universal Serial Bus) flash disc system with safety control and audit |
US20140298487A1 (en) * | 2013-03-29 | 2014-10-02 | International Business Machines Corporation | Multi-user universal serial bus (usb) key with customizable file sharing permissions |
CN106919817A (en) * | 2017-02-06 | 2017-07-04 | 上海斐讯数据通信技术有限公司 | The mobile hard disk and application method of account are accessed with multiple |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110049487A (en) * | 2019-03-27 | 2019-07-23 | 山东超越数控电子股份有限公司 | A kind of high safety encryption storage remote destroying management system and its working method based on Beidou |
CN112291206A (en) * | 2020-10-14 | 2021-01-29 | 北京安石科技有限公司 | Method for improving operating system security through main control chip |
CN112291206B (en) * | 2020-10-14 | 2023-08-15 | 北京安石科技有限公司 | Method for improving operating system safety through main control chip |
WO2024045909A1 (en) * | 2022-08-30 | 2024-03-07 | 武汉攀升鼎承科技有限公司 | Storage device with built-in independent data |
WO2024120039A1 (en) * | 2022-12-06 | 2024-06-13 | 蔚来移动科技有限公司 | Data processing method and device, vehicle, and storage medium |
CN117828573A (en) * | 2024-03-04 | 2024-04-05 | 深圳市领德创科技有限公司 | Intelligent encryption USB flash disk based on fingerprint technology |
Also Published As
Publication number | Publication date |
---|---|
CN109684866B (en) | 2021-03-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||