CN110266725B - Password security isolation module and mobile office security system - Google Patents


Info

Publication number
CN110266725B
CN110266725B
Authority
CN
China
Prior art keywords
module
external
internal
data
fifo queue
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910610899.1A
Other languages
Chinese (zh)
Other versions
CN110266725A (en)
Inventor
何荣宝
曲义利
金毅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Priority to CN201910610899.1A
Publication of CN110266725A
Application granted
Publication of CN110266725B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0281 Proxies
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H04W12/08 Access security
    • H04W12/088 Access security using filters or firewalls

Abstract

The invention discloses a password security isolation module which is arranged between a main control chip and a communication module of a tablet personal computer and is configured to physically isolate the main control chip of the tablet personal computer from an external network, so that all communication data of the tablet personal computer pass through the password security isolation module, are encrypted and then are transmitted to a server, and all return data from the server enter the main control module of the tablet personal computer after being decrypted by the password security isolation module. According to the password security isolation module, the security of the system is greatly improved; the outgoing data is encrypted and sent to the specified password isolation gateway, so that the situation that the data is sent to a third party by an internal trojan horse is prevented, and even if the third party obtains the data, the data plaintext cannot be obtained due to the fact that a decryption key does not exist.

Description

Password security isolation module and mobile office security system
Technical Field
The invention belongs to the field of mobile office information communication safety, and particularly relates to a password safety isolation module and a mobile office safety system.
Background
With the popularization of 4G and the approaching 5G era, mobile office has become the primary way of working for social organizations such as enterprises and governments. Wherever people go, the ubiquitous mobile network keeps them working, holding meetings and signing agreements with business partners, colleagues and managers as if at zero distance. Mobile office, realized with mobile phones, tablet computers and notebook computers over the mobile network, has become an indispensable means of office work.
For a long time, the security of mobile terminals has remained an unsolved problem: a remote terminal accessing the mobile internet shares its processor and storage resources between the host and the network, so a hacker working at the operating-system level can invade the host, steal data, implant trojans, spread viruses and penetrate the internal network by way of the IP protocol stack.
Conventional SSL VPN or IPsec VPN and transport-layer protection technologies still have difficulty fundamentally blocking intrusion attacks by advanced hackers. This is because the I/O processes at the network ports of such devices still share host resources, and plaintext and ciphertext still run in the same processor and operating-system environment, sharing computing, storage and peripheral resources. The mobile terminal therefore always operates in a high-risk environment. Fig. 1 shows a schematic diagram of this prior-art mobile office security protection technique. As shown in Fig. 1, although a common tablet computer may be equipped with a password (cryptographic) chip, its network port for external communication (4G/WiFi) is directly connected to the host and shares host resources with the password chip.
It can be seen that there is a need in the art for an improved network security solution for mobile office environments and the like.
Disclosure of Invention
In one aspect of the present invention, a password security isolation module is provided, which is disposed between a main control chip and a communication module of a tablet computer, and is configured to physically isolate the main control chip of the tablet computer from an external network, so that all communication data of the tablet computer pass through the password security isolation module, are encrypted, and are transmitted to a server, and all return data from the server enter the main control module of the tablet computer after being decrypted by the password security isolation module.
In another aspect of the present invention, there is provided a mobile office security system, including: a tablet computer main control module; a cryptographic security isolation module according to any one of the embodiments of the invention; a password security isolation gateway; and a management center; the password security isolation gateway and the password security isolation module establish a secure communication channel in an untrusted network environment together, control access of a secure tablet computer terminal and provide authentication information for application; the management center realizes management and key distribution between the password security isolation module and the password security isolation gateway; the tablet personal computer main control module provides a hardware platform and an operating system for mobile office, and all communication of the tablet personal computer main control module is realized through the password security isolation module.
Compared with the prior art, the technical scheme provided by the embodiment of the invention has the following advantages:
(1) External attacks are blocked directly at the communication port and cannot reach the main control module of the tablet computer. External attackers therefore cannot attack the interior of the main control module through hardware defects or operating-system defects, which greatly improves the security of the system.
(2) The outgoing data is encrypted and sent to the specified password isolation gateway, so that the situation that the data is sent to a third party by an internal trojan horse is prevented, and even if the third party obtains the data, the data plaintext cannot be obtained due to the fact that a decryption key does not exist.
Drawings
FIG. 1 illustrates a schematic diagram of a prior-art mobile office security technique;
FIG. 2 is a connection diagram between the cryptographic security isolation module and the main control module according to an embodiment of the present invention;
FIG. 3 illustrates a comparison of the hardware structure of a security tablet according to an embodiment of the present invention with the hardware structure of an existing tablet;
FIG. 4 shows a block diagram of a mobile office security system according to an embodiment of the invention;
FIG. 5 illustrates a functional block diagram of a cryptographic security isolation module according to an embodiment of the present invention;
FIG. 6 illustrates a data buffering and processing mechanism within a cryptographic security isolation module according to an embodiment of the invention;
FIG. 7 illustrates an IP packet encryption mechanism according to an embodiment of the invention;
FIG. 8 illustrates an exemplary timing diagram for establishing a connection relationship between a secure tablet terminal and a security access gateway according to an embodiment of the invention;
FIG. 9 illustrates an IP packet data format according to an embodiment of the present invention.
Detailed Description
To address the urgent needs of users, the invention provides a password security isolation module which comprehensively solves the problem of security isolation between a tablet computer and an external network in a mobile internet environment: it isolates all kinds of intrusive attacks from the outside, lets users draw on public channel resources of every kind while establishing a secure private network, and ensures that intrusive attacks are blocked. At the same time, the cryptographic module of the mobile terminal is fully used to establish trusted application cryptographic services such as identity authentication, access control and data encryption, realizing an orderly, secure and trusted internal office environment.
Specifically, the tablet computer is physically isolated from the external network by the high-speed communication interfaces, the FIFO circuits and the cryptographic algorithm engine inside the cryptographic chip. External data can enter the main control module of the tablet computer only after being decrypted and verified by the cryptographic algorithm engine; data that cannot be verified never enters the tablet, so the system is unaffected by external attack. Data going out is encrypted by the cryptographic algorithm engine before being sent, and anyone who does not hold the decryption key cannot recover the plaintext, so illegal outward transmission of internal data is also guarded against.
The invention relates to a technique for isolating a business network from other networks with a cryptographic chip and securing the communication of the business network in the field of mobile office; it yields a mobile office platform capable of secure communication, secure storage and secure authentication.
Referring now to fig. 2, shown is a connection diagram between a cryptographic security isolation module and a master control module in accordance with an embodiment of the present invention.
As shown in fig. 2, the security isolation module (or called cryptographic chip) 100 directly physically isolates the tablet computer main control module 200 from 4G communication (or 5G communication, etc.), all data entering the inside must be decrypted and verified by the cryptographic chip 100, data failed in verification cannot enter the tablet computer main control module 200, all data going out must be encrypted and sent by the cryptographic chip, and it is ensured that internal service data does not appear in external plaintext.
Referring now to fig. 3, a comparison of the hardware architecture of a security tablet according to an embodiment of the present invention with the hardware architecture of an existing tablet is shown.
As shown in Fig. 3, in the existing tablet computer the central processor communicates directly with a communication module, such as a 4G/5G communication module, which generally includes a radio frequency module, a baseband module, a digital baseband processor and the like. In the security tablet according to the embodiment of the present invention, a password security isolation module 100 is added between the central processing unit and the communication module (which may be a 5G/4G/Bluetooth/WiFi wireless routing communication module and may include a radio frequency module, a Bluetooth module, a WLAN module and a digital baseband processor), so that all communication between the central processing unit and the outside through the communication module passes through the password security isolation module 100 and is processed and filtered by it, thereby physically isolating the central processing unit of the tablet from the outside.
Referring now to fig. 4, a block diagram of a mobile office security system is shown, in accordance with an embodiment of the present invention.
As shown in fig. 4, a mobile office security system according to an embodiment of the present invention includes: the system comprises a tablet computer main control module 200, a password security isolation module 100, a password security isolation gateway 300 and a management center 400.
The password security isolation gateway 300 and the password security isolation module 100 together implement establishing a secure communication channel in the untrusted network environment, controlling the access of the secure tablet terminal, and providing authentication information for the application.
The password security isolation module 100 physically isolates the tablet computer main control module 200 from the mobile network by adopting a gatekeeper scheme, and encrypts service communication data by using a password technology to prevent third parties from stealing.
The management center 400 implements management and key distribution between the password security isolation module 100 and the password security isolation gateway 300; it may include a CA (certificate) center, a KMC (key management center), a management center, an audit center and the like.
The tablet computer main control module 200 is contained in the secure tablet computer terminal, provides a hardware platform and an operating system for mobile office, and all communication of the main control module is realized through the password security isolation module 100.
After the password security isolation module 100 and the password security isolation gateway 300 establish a secure communication channel in an untrusted network environment, the secure tablet terminal may access various application services, such as video conference, mail service, and the like, in a password secure manner.
Referring now to FIG. 5, a functional block diagram of a cryptographic security isolation module 100 is shown, in accordance with an embodiment of the present invention. As shown in fig. 5, the crypto security isolation module 100 includes the following functional modules:
File management module 101: responsible for organizing, reading and writing the internal file storage.
SPI communication module 102: responsible for parsing and verifying the communication protocol with the host side.
Key management module 103: responsible for key generation, import, export, storage, destruction and updating.
Cryptographic service module 104: responsible for providing cryptographic services to the host.
Algorithm detection module 105: responsible for checking the correctness of the algorithms after power-on and during use.
Random number detection module 106: responsible for checking, after power-on and during use, whether the random numbers generated by the random number generator meet the specification.
Monitoring module 107: responsible for starting and monitoring the running state of all modules.
Session management module 108: responsible for the communication handshake and communication session context management with the key management center and the cryptographic security isolation gateway 300.
USB device driver module 109: responsible for parsing the USB communication protocol with the tablet CPU (e.g., RK3399).
Internal Ethernet protocol stack module 110: responsible for parsing the Ethernet packets sent from the host and checking the correctness of the protocol packets.
Internal network security processing module 111: responsible for the security processing checks of network packets sent internally and externally.
Encryption/decryption module 112: responsible for encrypting data sent out and decrypting data received.
External network security processing module 113: responsible for the security processing of network packets transmitted to and received from the external network.
External Ethernet protocol stack module 114: responsible for assembling the encrypted data into Ethernet packets and sending them to the 4G module.
USB host driver module 115: responsible for initialization, reconnection, data transceiving and other operations of the communication module (e.g., the 4G module).
The functional modules of the cryptographic security isolation module 100 according to embodiments of the present invention are described above, and may be implemented by hardware, software, firmware, or any combination thereof, as would be appreciated by one skilled in the art. The foregoing description is by way of example only, and is not intended as limiting. In other embodiments of the present invention, the crypto security isolation module 100 may include more, fewer, or different modules, and the connections, functions, inclusion, etc. between the modules may be different from those described and illustrated.
According to the embodiment of the invention, a FIFO queue is provided inside the chip of the crypto security isolation module 100 for data buffering and processing. Different queue processing is adopted for external and internal interfaces respectively, and isolation is realized by using an SM4 algorithm engine. FIG. 6 illustrates a data buffering and processing mechanism within cryptographic security isolation module 100, according to an embodiment of the present invention.
As shown in fig. 6, a communication module (e.g., a 4G communication module such as hua 909 s-821) is connected to an external high-speed communication interface of the chip, e.g., a USB host interface.
The external high-speed communication interface receives external data from the communication module, and the input and the output of the external high-speed communication interface are respectively connected to the external input FIFO and the external output FIFO.
After the input data enters the external input FIFO, the external ethernet protocol stack module 114 dispatches the input data to the external input protocol buffer for protocol checking and unpacking, and the external network security processing module 113 performs security checking.
The data processed by the external network security processing module 113 is sent to the external decryption FIFO for waiting for decryption.
The encryption/decryption module 112 (e.g., SM4 algorithm engine) decrypts the data in the external decryption FIFO and feeds into the internal decryption FIFO.
The internal network security processing module 111 dispatches the data to the internal output protocol buffer area for security check, and the internal ethernet protocol stack module 110 performs protocol packing after the check is passed, and sends the packed data to the internal output FIFO.
The internal high-speed communication interface (such as a USB device interface) sends the data in the internal output FIFO to a main control module of the tablet computer, such as a central processing unit RK 3399.
Conversely, internal data from the main control module of the tablet computer passes in turn through the internal high-speed communication interface, the internal input FIFO, the internal input protocol buffer and the internal encryption FIFO, is encrypted by the encryption/decryption module, and then passes in turn through the external encryption FIFO, the external output protocol buffer, the external output FIFO, the external high-speed communication interface and the communication module to be sent to the external network.
The foregoing describes a data buffering and processing mechanism within cryptographic security isolation module 100 in accordance with an embodiment of the present invention.
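The inbound path of Fig. 6, modelled as an added Python example (this is illustrative code written for this page, not code from the patent or from any product implementing it): frames from the communication module enter only through a bounded external input FIFO, pass the external protocol stack (Ethernet, IPv4 and UDP header and checksum checks) and the external security check (only the negotiated gateway address and tunnel port are accepted), wait in the decryption FIFO for the engine, and are then checked again and packed into an Ethernet frame for the host. The addresses, MACs, port numbers and the `InboundPath`/`BoundedFifo` names are constructed for the model; the cryptographic engine is a pluggable callable and the demo passes an identity function in its place, because the staging and the fail-closed drops, not the SM4 step, are what this block demonstrates.

```python
import struct
from collections import Counter, deque

# Constructed constants for this model; none of these values come from the patent.
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
HOST_MAC = bytes.fromhex("020000000001")    # tablet CPU side of the internal interface
MODULE_MAC = bytes.fromhex("020000000002")  # isolation-module side


class BoundedFifo:
    """Fixed-depth queue: when full it refuses the entry (back-pressure) instead of overwriting."""

    def __init__(self, depth: int):
        self.depth, self._q, self.refused = depth, deque(), 0

    def push(self, item) -> bool:
        if len(self._q) >= self.depth:
            self.refused += 1
            return False
        self._q.append(item)
        return True

    def pop(self):
        return self._q.popleft() if self._q else None


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; a valid header (checksum included) sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def unpack_frame(frame: bytes):
    """External protocol stack: Ethernet -> IPv4 -> UDP checks; raises ValueError on any defect."""
    if len(frame) < 14 or struct.unpack(">H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl or struct.unpack(">H", ip[2:4])[0] != len(ip):
        raise ValueError("bad IP length")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IP checksum")
    if ip[9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    if len(udp) < 8 or struct.unpack(">H", udp[4:6])[0] != len(udp):
        raise ValueError("bad UDP length")
    return ip[12:16], ip[16:20], struct.unpack(">H", udp[2:4])[0], udp[8:]


def build_ipv4_udp_frame(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Builds a well-formed frame; used only to construct sample input from the modem side."""
    udp = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0, src_ip, dst_ip)
    hdr = hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:]
    return MODULE_MAC + bytes(6) + struct.pack(">H", ETHERTYPE_IPV4) + hdr + udp


class InboundPath:
    """Modem -> external input FIFO -> checks -> decryption FIFOs -> internal output FIFO -> host."""

    def __init__(self, gateway_ip: bytes, tunnel_port: int, engine, depth: int = 8):
        self.gateway_ip, self.tunnel_port, self.engine = gateway_ip, tunnel_port, engine
        self.ext_in, self.ext_dec = BoundedFifo(depth), BoundedFifo(depth)
        self.int_dec, self.int_out = BoundedFifo(depth), BoundedFifo(depth)
        self.drops = Counter()

    def accept_from_modem(self, frame: bytes) -> bool:
        return self.ext_in.push(frame)  # the only entry point from the external interface

    def run(self) -> None:
        while (frame := self.ext_in.pop()) is not None:      # external stack + external security check
            try:
                src, dst, dport, payload = unpack_frame(frame)
            except ValueError:
                self.drops["protocol"] += 1
                continue
            if src != self.gateway_ip or dport != self.tunnel_port:
                self.drops["policy"] += 1                      # only the negotiated gateway may talk to us
                continue
            self.ext_dec.push(payload)
        while (payload := self.ext_dec.pop()) is not None:   # cryptographic engine stage
            plain = self.engine(payload)                      # None means verification failed
            if plain is None:
                self.drops["verify"] += 1
                continue
            self.int_dec.push(plain)
        while (plain := self.int_dec.pop()) is not None:     # internal security check + protocol packing
            if len(plain) < 20 or plain[0] >> 4 != 4:
                self.drops["inner"] += 1                      # decrypted data must itself be an IPv4 packet
                continue
            self.int_out.push(HOST_MAC + MODULE_MAC + struct.pack(">H", ETHERTYPE_IPV4) + plain)

    def deliver_to_host(self) -> list:
        out = []
        while (frame := self.int_out.pop()) is not None:
            out.append(frame)
        return out


def demo():
    gateway, host = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])      # constructed addresses
    path = InboundPath(gateway, 4500, engine=lambda p: p, depth=4)  # identity stands in for the SM4 engine
    inner = bytes([0x45]) + bytes(19)                                # minimal inner IPv4 header
    path.accept_from_modem(build_ipv4_udp_frame(gateway, host, 4500, 4500, inner))               # good
    path.accept_from_modem(build_ipv4_udp_frame(bytes([192, 168, 1, 1]), host, 4500, 4500, inner))  # wrong source
    corrupt = bytearray(build_ipv4_udp_frame(gateway, host, 4500, 4500, inner))
    corrupt[14 + 8] ^= 0xFF  # damage the TTL byte so the IP header checksum no longer verifies
    path.accept_from_modem(bytes(corrupt))
    path.run()
    return path.deliver_to_host(), dict(path.drops)
```

Running `demo()` delivers exactly one frame to the host and records one `policy` and one `protocol` drop; the two rejected frames never reach the decryption FIFO, which is the fail-closed property the module relies on. A full `BoundedFifo` refuses further input rather than overwriting, so a flood from the modem side stalls at the external interface instead of corrupting data already queued for the engine.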
According to the embodiment of the present invention, an IP data packet encryption mechanism based on a symmetric key system is designed between the secure tablet terminal and the password security isolation gateway 300, so as to ensure the security of IP packet transmission. Fig. 7 illustrates such an IP packet encryption mechanism according to an embodiment of the present invention.
According to the embodiment of the present invention, the crypto security isolation module 100 establishes a connection relationship with the crypto security isolation gateway 300 through a key management center. Fig. 8 illustrates an exemplary timing diagram for establishing a connection relationship between a secure tablet terminal and a cryptographic security isolation gateway 300 according to an embodiment of the present invention.
The CMK is a key pre-distributed to the security tablet terminal by the key management center; it is used to negotiate with the security access gateway the send session key SK_T and the receive session key SK_R.
Within the validity period of the work key WK, the security tablet terminal can negotiate directly with the security access gateway.
The session key SK_T encrypts the IP packet data sent by the security tablet terminal to the security access gateway.
The session key SK_R decrypts the IP packet data received by the security tablet terminal from the security access gateway.
After the handshake succeeds, the security access gateway assigns an internal address to the cryptographic security isolation module 100.
The tablet computer uses this internal address to send data to the application service.
Reference is now made to fig. 9, which illustrates an IP packet data format in accordance with an embodiment of the present invention. The password security isolation module 100 encrypts and encapsulates the data packet in a tunnel manner as shown in fig. 9, and sends the data packet to the security access gateway.
As shown in Fig. 9, the IP packet data format includes the following fields, with their meanings:
External IP header: the mobile-network IP address header;
UDP header: an operator may connect to the Internet through NAT, so to keep communication flowing the data is encapsulated in UDP, which ensures NAT traversal;
SPI: the communication identifier negotiated during the handshake between the password security isolation module 100 and the security access gateway, used by both parties to identify the communication context and the corresponding session key internally;
Sequence number: to prevent replay attacks, each data packet carries a distinct 4-byte sequence number; sequence numbers increase monotonically from 0, and if they exceed the range the two parties handshake again to update the session key and restart the sequence number from 0;
Inner IP packet: the internal IP data packet, encrypted with the SM4 algorithm;
HMAC: computed with the SM3 algorithm over the SPI, the sequence number and the ciphertext data.
According to the embodiment of the invention, the encryption and decryption processes of the IP message are as follows:
the security access gateway verifies and decrypts the data after receiving the data, and forwards the data packet to the application service;
the application service response data is sent to the tablet computer through the same path and mode.
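An added Python model of the Fig. 9 tunnel record and of the sender and receiver rules stated above (illustrative code written for this page, not the patent's or any product's implementation). It shows encrypt-then-MAC framing of SPI | sequence number | ciphertext | HMAC, verification of the tag before any decryption, the strictly increasing anti-replay check, and the re-handshake required once the 4-byte sequence space is exhausted. Assumptions: HMAC-SHA256 stands in for HMAC-SM3, and an HMAC-SHA256 counter-mode keystream stands in for the SM4 engine (both chosen because they are in the Python standard library); the outer IP and UDP headers are left to the network stack; the class names, `RekeyRequired`, and the demo keys are invented.

```python
import hashlib
import hmac
import struct

# Record layout: SPI (4 bytes) | sequence number (4 bytes) | ciphertext | HMAC tag.
# Stand-ins (assumptions): HMAC-SHA256 replaces HMAC-SM3, and an HMAC-SHA256
# counter-mode keystream replaces the SM4 engine; the framing rules are unchanged.
HDR_FMT = ">II"
HDR_LEN = struct.calcsize(HDR_FMT)
TAG_LEN = 32
SEQ_MAX = 0xFFFFFFFF  # largest value the 4-byte sequence field can hold


class RekeyRequired(Exception):
    """Raised when the sequence space under the current session key is used up."""


def _keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    # (SPI, seq) never repeats under one key before a re-handshake, so no keystream reuse.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(spi: int, seq: int, inner_ip_packet: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers SPI, sequence number and ciphertext, as in Fig. 9."""
    header = struct.pack(HDR_FMT, spi, seq)
    ciphertext = _xor(inner_ip_packet, _keystream(enc_key, spi, seq, len(inner_ip_packet)))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class TunnelSender:
    """Tablet side: encrypts with SK_T and issues monotonically increasing sequence numbers."""

    def __init__(self, spi: int, sk_t: bytes, mac_key: bytes):
        self.spi, self.sk_t, self.mac_key = spi, sk_t, mac_key
        self.next_seq = 0

    def send(self, inner_ip_packet: bytes) -> bytes:
        if self.next_seq > SEQ_MAX:
            raise RekeyRequired("sequence space exhausted; re-handshake for a new session key")
        packet = seal(self.spi, self.next_seq, inner_ip_packet, self.sk_t, self.mac_key)
        self.next_seq += 1
        return packet

    def rekey(self, spi: int, sk_t: bytes, mac_key: bytes) -> None:
        """Outcome of a new handshake: fresh SPI and keys, sequence restarts from 0."""
        self.spi, self.sk_t, self.mac_key = spi, sk_t, mac_key
        self.next_seq = 0


class TunnelReceiver:
    """Gateway side of the same direction: look up by SPI, verify, anti-replay check, decrypt."""

    def __init__(self, spi: int, sk_t: bytes, mac_key: bytes):
        self.spi, self.sk_t, self.mac_key = spi, sk_t, mac_key
        self.last_seq = -1  # highest sequence number accepted so far

    def receive(self, packet: bytes):
        if len(packet) < HDR_LEN + TAG_LEN:
            return ("drop", "malformed")
        header, body, tag = packet[:HDR_LEN], packet[HDR_LEN:-TAG_LEN], packet[-TAG_LEN:]
        spi, seq = struct.unpack(HDR_FMT, header)
        if spi != self.spi:
            return ("drop", "unknown spi")
        expected = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return ("drop", "bad hmac")  # checked before any decryption work
        if seq <= self.last_seq:
            return ("drop", "replay")    # only strictly increasing sequence numbers pass
        self.last_seq = seq
        return ("ok", _xor(body, _keystream(self.sk_t, spi, seq, len(body))))


# Constructed demo values; in the system the SPI and keys come from the CMK negotiation.
DEMO_SPI = 0x0000A5A5
DEMO_SK_T = bytes(range(16))
DEMO_MAC_KEY = bytes(range(16, 32))


def demo():
    sender = TunnelSender(DEMO_SPI, DEMO_SK_T, DEMO_MAC_KEY)
    gateway = TunnelReceiver(DEMO_SPI, DEMO_SK_T, DEMO_MAC_KEY)
    packet = sender.send(b"inner IP packet from the tablet")
    first = gateway.receive(packet)        # accepted
    replay = gateway.receive(packet)       # same sequence number again: dropped
    forged = bytearray(packet)
    forged[HDR_LEN] ^= 0x01                # flip one ciphertext bit: tag no longer matches
    tampered = gateway.receive(bytes(forged))
    return first, replay, tampered
```

The order of checks in `receive` matters: the SPI selects the keys, the tag is verified over SPI, sequence number and ciphertext before anything is decrypted, and only then is the sequence number compared with the highest one already accepted. Because the tag covers the sequence number, an attacker cannot move an old ciphertext under a fresh counter, and because `send` refuses to wrap the counter, the same (SPI, sequence) pair is never reused under one session key.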
While the above describes a cryptographic security isolation module and a mobile office security system in accordance with embodiments of the present invention, it should be noted that the above description is intended to be exemplary only and not limiting. In other embodiments of the present invention, the crypto security isolation module and the mobile office security system may include more, fewer, or different modules, and the connections, functions, inclusion, etc. between the modules may be different from those described and illustrated. For example, a single module, which generally has a plurality of functions, may be divided into a plurality of modules, and the plurality of modules may be combined into a single module.
The foregoing description of the embodiments of the invention has been presented for purposes of illustration and description, and numerous specific details are set forth, such as examples of specific components and modules, in order to provide a thorough understanding of the embodiments of the invention, which are not intended to be exhaustive or limiting of the invention. Individual elements or features of a particular embodiment are generally not limited to that particular embodiment, but, where applicable, are interchangeable and can be used in other embodiments, even if not specifically shown or described. Such variations are not to be regarded as a departure from the disclosure, and all such modifications are intended to be included within the scope of the present invention. In some example embodiments, well-known components, structures, and well-known techniques have not been described in detail.
The terminology used herein is for the purpose of describing particular example embodiments only and is not intended to be limiting. The names of the various components in this application are intended to be descriptive only and not as limitations of the invention. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. The terms "comprises," "comprising," "including," and "having," are inclusive and therefore specify the presence of stated features, entities, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, entities, steps, operations, elements, components, and/or groups thereof. The steps, processes, and operations described herein are not to be construed as necessarily requiring their performance in the particular order discussed or illustrated, unless an order of performance is explicitly stated.
When an element is referred to as being "on," "engaged to," "connected to" or "coupled to" another element, it can be directly on, engaged, connected or coupled to the other element or intervening elements may be present. Other words used to describe the relationship between elements should be interpreted in a similar manner (e.g., "between" and "directly between," "adjacent" and "directly adjacent," etc.). As used herein, "connected," "coupled," or similar terms, may refer to any one or more of a mechanical coupling, an electrical coupling, a communication coupling, without further explicit limitation. Further, as used herein, the term "and/or", "and/or" includes any and all combinations of one or more of the associated listed items.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only illustrative of the present invention and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (4)

1. A password security isolation module is arranged between a main control chip and a communication module of a tablet computer and is configured to physically isolate the main control chip of the tablet computer from an external network, so that all communication data of the tablet computer pass through the password security isolation module, are encrypted and then are transmitted to a server, and all return data from the server enter the main control module of the tablet computer after being decrypted by the password security isolation module;
the password security isolation module comprises:
an external high-speed communication interface connected with the communication module, an external input FIFO queue, an external output FIFO queue, an external input protocol buffer, an external output protocol buffer, an external decryption FIFO queue, an external encryption FIFO queue, an encryption/decryption module, an internal encryption FIFO queue, an internal decryption FIFO queue, an internal input protocol buffer, an internal output protocol buffer, an internal input FIFO queue, an internal output FIFO queue, an internal high-speed communication interface connected with a main control module of the tablet computer, an external Ethernet protocol stack module, an external network security processing module, an internal Ethernet protocol stack module, wherein,
the input and the output of the external high-speed communication interface are respectively connected to the external input FIFO queue and the external output FIFO queue, and the external high-speed communication interface receives external input data from a communication module, so that the external input data enters the external input FIFO queue, then the external input data is dispatched to the external input protocol buffer area by the external Ethernet protocol stack module, protocol check and unpacking are carried out, and after the external network security processing module carries out security check, the external input data is sent to the external decryption FIFO queue for waiting for decryption;
the encryption/decryption module decrypts the data in the external decryption FIFO queue and sends the data to the internal decryption FIFO queue;
the internal network security processing module dispatches the data in the internal decryption FIFO queue to the internal output protocol buffer for a security check; after the check passes, the internal Ethernet protocol stack module performs protocol packing and sends the data to the internal output FIFO queue;
and the internal high-speed communication interface sends the data in the internal output FIFO queue to the main control module of the tablet computer.
2. The password security isolation module according to claim 1, wherein the internal data from the main control module of the tablet computer sequentially passes through the internal high-speed communication interface, the internal input FIFO queue, the internal input protocol buffer area, and the internal encryption FIFO queue, and is encrypted by the encryption/decryption module, and then sequentially passes through the external encryption FIFO queue, the external output protocol buffer area, the external output FIFO queue, the external high-speed communication interface, and the communication module, and is transmitted to the external network.
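The inbound path of claim 1 and the outbound path of claim 2 as a small Python simulation (an added example, not the patent's implementation): deques stand in for the FIFO queues, `unpack`/`pack` stand in for the Ethernet protocol stack's check and packing, an allow-list stands in for the network security processing modules, and the encryption/decryption module is a stand-in HMAC-SHA256 keystream XOR, which is not a real cipher. `KEY`, `ALLOWED_PEERS`, `MAGIC` and the frame layout are constructed assumptions.

```python
from collections import deque
import hashlib, hmac

KEY = b"constructed-demo-key"   # assumption: key shared with the gateway/server
ALLOWED_PEERS = {"10.0.0.5"}    # assumption: allow-list used by the security check
MAGIC = b"PSIM"                 # assumption: header of the constructed frame format

def stream_xor(data: bytes, direction: bytes) -> bytes:
    """Stand-in for the encryption/decryption module (demo only, not a real cipher):
    XOR with an HMAC-SHA256 keystream; symmetric, so one call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(KEY, direction + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def pack(peer: str, payload: bytes) -> bytes:
    """Protocol packing: MAGIC | 2-byte length | 16-byte peer field | payload."""
    return MAGIC + len(payload).to_bytes(2, "big") + peer.encode().ljust(16, b"\0") + payload

def unpack(frame: bytes):
    """Protocol check and unpacking; None means the frame fails the check."""
    if len(frame) < 22 or frame[:4] != MAGIC:
        return None
    if len(frame) != 22 + int.from_bytes(frame[4:6], "big"):
        return None
    return frame[6:22].rstrip(b"\0").decode(), frame[22:]

def run_path(frames, direction: bytes):
    """One direction: input FIFO -> protocol check/unpack -> security check ->
    crypto FIFO -> encryption/decryption -> pack -> output FIFO. Returns (out, dropped)."""
    in_fifo, crypto_fifo, out_fifo, dropped = deque(frames), deque(), deque(), []
    while in_fifo:                       # Ethernet protocol stack + security processing
        frame = in_fifo.popleft()
        parsed = unpack(frame)
        if parsed is None or parsed[0] not in ALLOWED_PEERS:
            dropped.append(frame)        # nothing unchecked reaches the crypto stage
            continue
        crypto_fifo.append(parsed)
    while crypto_fifo:                   # encryption/decryption module
        peer, body = crypto_fifo.popleft()
        out_fifo.append(pack(peer, stream_xor(body, direction)))
    return list(out_fifo), dropped

def inbound(frames):   # server -> tablet main control (claim 1): decrypt
    return run_path(frames, b"s2c")

def outbound(frames):  # tablet main control -> server (claim 2): encrypt
    return run_path(frames, b"c2s")
```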
3. The cryptographic security isolation module of claim 1, further comprising:
a file management module, used for organizing, reading and writing the internal file storage;
an SPI communication module, used for parsing and verifying the communication protocol with the host;
a key management module, used for generating, importing, exporting, storing, destroying and updating keys;
a password service module, used for providing cryptographic services to the host;
an algorithm detection module, used for checking the correctness of the algorithms after power-on and during use;
a random number detection module, used for checking, after power-on and during use, whether the random numbers generated by the random number generator meet the specification;
a monitoring module, used for starting all the modules and monitoring their running state;
a session management module, used for performing the communication handshake with the key management center and the password security isolation gateway and managing the communication session context;
a USB device driver module, used for parsing the USB communication protocol of the tablet computer's central processing unit host;
and a USB host driver module, used for initializing and reconnecting the communication module and transceiving data with it.
4. A mobile office security system comprising:
a tablet computer main control module;
a cryptographic security isolation module as claimed in any one of claims 1 to 3;
a password security isolation gateway; and
a management center;
the password security isolation gateway and the password security isolation module together establish a secure communication channel over an untrusted network, control access by the secure tablet computer terminal, and provide authentication information to applications;
the management center performs management of, and key distribution between, the password security isolation module and the password security isolation gateway;
the tablet computer main control module provides the hardware platform and operating system for mobile office, and all communication of the tablet computer main control module is carried out through the password security isolation module.
CN201910610899.1A 2019-07-08 2019-07-08 Password security isolation module and mobile office security system Active CN110266725B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910610899.1A CN110266725B (en) 2019-07-08 2019-07-08 Password security isolation module and mobile office security system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910610899.1A CN110266725B (en) 2019-07-08 2019-07-08 Password security isolation module and mobile office security system

Publications (2)

Publication Number Publication Date
CN110266725A CN110266725A (en) 2019-09-20
CN110266725B true CN110266725B (en) 2021-10-22

Family

ID=67924988

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910610899.1A Active CN110266725B (en) 2019-07-08 2019-07-08 Password security isolation module and mobile office security system

Country Status (1)

Country Link
CN (1) CN110266725B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110548291A (en) * 2019-09-27 2019-12-10 深圳市大头互动文化传播有限公司 User encryption system based on game software
CN112073380B (en) * 2020-08-13 2022-02-08 中国电子科技集团公司第三十研究所 Secure computer system based on double-processor KVM switching and password isolation
CN112069555B (en) * 2020-08-13 2022-03-18 中国电子科技集团公司第三十研究所 Safe computer architecture based on double-hard-disk cold switching operation
CN112035866B (en) * 2020-11-04 2021-07-23 湖北芯擎科技有限公司 Data encryption method, device, equipment and computer readable storage medium
CN114697064A (en) * 2020-12-31 2022-07-01 宸芯科技有限公司 Data security interaction method and security chip among multiple data modules

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102111263A (en) * 2011-02-21 2011-06-29 山东中孚信息产业股份有限公司 Data stream encryption method
CN202711262U (en) * 2011-12-13 2013-01-30 杭州晟元芯片技术有限公司 Two-in-one chip with electronic signature and high speed flow encryption
CN103020535A (en) * 2012-12-06 2013-04-03 苏州国芯科技有限公司 Data encryption and decryption system with comparing function
CN105049459A (en) * 2015-09-18 2015-11-11 郑州信大捷安信息技术股份有限公司 Double-host safe mobile intelligent terminal and realization method thereof
CN105141625A (en) * 2015-09-18 2015-12-09 郑州信大捷安信息技术股份有限公司 Safety mobile intelligent terminal based on password isolation mode and realization method thereof
CN107621981A (en) * 2017-09-06 2018-01-23 广东欧珀移动通信有限公司 Resource allocation method and Related product

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9161226B2 (en) * 2011-10-17 2015-10-13 Blackberry Limited Associating services to perimeters

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Research and Application of a Secure Mobile Office System Based on Physical Isolation and Cryptographic Technology"; 王永起; 《中国管理信息化》; 2017-06-30; p. 136, left column, lines 6-10 and 22-24; p. 137, left column, lines 8-12; Fig. 5 *

Also Published As

Publication number Publication date
CN110266725A (en) 2019-09-20

Similar Documents

Publication Publication Date Title
CN110266725B (en) Password security isolation module and mobile office security system
US11792169B2 (en) Cloud storage using encryption gateway with certificate authority identification
US9219709B2 (en) Multi-wrapped virtual private network
US20130332724A1 (en) User-Space Enabled Virtual Private Network
US7536715B2 (en) Distributed firewall system and method
US20140366120A1 (en) Systems and Methods for Application-Specific Access to Virtual Private Networks
US9444807B2 (en) Secure non-geospatially derived device presence information
WO2008007432A1 (en) Relay device
EP1953954B1 (en) Encryption/decryption device for secure communications between a protected network and an unprotected network and associated methods
WO2018231519A1 (en) Cloud storage using encryption gateway with certificate authority identification
CN105516062B (en) Method for realizing L2 TP over IPsec access
KR101784240B1 (en) Communication security method and system using a non-address network equipment
US11588798B1 (en) Protocol free encrypting device
US20140052980A1 (en) Secure network systems and methods
Mahmmod et al. IPsec cryptography for data packets security within vpn tunneling networks communications
US20080059788A1 (en) Secure electronic communications pathway
KR100450774B1 (en) Method for end-to-end private information transmition using IPSec in NAT-based private network and security service using its method
CN114553577B (en) Network interaction system and method based on multi-host double-isolation secret architecture
JP4757088B2 (en) Relay device
Neacşu et al. An analysis of security threats in VoIP communication systems
JP4783665B2 (en) Mail server device
Tulimiero An All-Round Secure IoT Network Architecture
EP2989847B1 (en) Method and arrangement for protecting a trusted network
CN117062056A (en) End-to-end encryption method and system for 5G network service data based on IPSEC technology
CN117254976A (en) National standard IPsec VPN realization method, device and system based on VPP and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant