CN111917803A - Cross-network data safety exchange equipment - Google Patents
- Publication number
- CN111917803A (application number CN202010933341.XA)
- Authority
- CN
- China
- Prior art keywords
- trusted
- data
- untrusted
- trust
- transmission device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L9/0897—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a cross-network data security exchange device comprising a trusted-end unit and an untrusted-end unit. The untrusted-end unit comprises an untrusted-end transmission device, an untrusted-end computing device, an untrusted-end storage device and an untrusted-end isolation transmission device; the trusted-end unit comprises a trusted-end transmission device, a trusted-end computing device, a trusted-end storage device and a trusted-end isolation transmission device. The untrusted-end isolation transmission device further comprises an untrusted-end receiving device, the trusted-end isolation transmission device comprises a trusted-end sending device, and the untrusted-end receiving device is communicatively connected to the trusted-end sending device. By adding a receiving device to the untrusted-end unit and a sending device to the trusted-end unit, two independent unidirectional data transmission channels are constructed; the two channels work cooperatively, so that the confidentiality and integrity problems of the data transmission are addressed and data exchange performance is improved.
Description
Technical Field
The invention relates to the technical field of data exchange equipment, in particular to a cross-network data security exchange device.
Background
With the continuous development of electronic information systems, users have built large numbers of dedicated networks, and the demand for cross-network information exchange and sharing keeps growing. To allow information interaction while guaranteeing security, isolation technology is now widely adopted: network security isolation equipment is deployed between networks belonging to different security domains, and secure data exchange is implemented on top of the isolation technology. A network of low security level and a network of high security level are isolated from each other, so that attacks based on network protocols can be resisted and secure, controllable data exchange between networks of different security levels can be achieved. Deploying network security isolation hardware between different security domains to prevent cross-network attacks has become a necessary means of security defence.
While security is provided for cross-network information sharing, the security of the isolation equipment itself also needs to be strengthened. The Cybersecurity Classified Protection 2.0 standard released in 2019 makes the use of hardware trusted computing technology to guarantee operational security and storage security an important security technology.
As network environments become more complex, the security capability required of isolation equipment keeps rising, and important service systems are protected with a unidirectional isolation optical gate (a data diode). A unidirectional isolation device typically adopts a dual-host plus optical isolation component architecture: the unidirectional isolation component constructs a physically one-way transmission channel that implements unidirectional isolation and data transmission between the trusted network and the untrusted network. Technical protection measures for network security, system security and data security are applied during data transmission and exchange, so that data storage and transmission are protected and data leakage is prevented.
As shown in fig. 1, in the prior art a unidirectional isolation device uses the one-way propagation of light to build a unidirectional transmission channel between the untrusted-end unit and the trusted-end unit, breaks the TCP transport protocol, and uses the sending device and receiving device of the isolation transmission devices on the two sides to implement one-way data transmission. The transmission device of the untrusted-end unit connects to the data storage device to establish a source-data acquisition channel; the transmission device of the trusted-end unit connects to the data storage device to establish a data push channel. The computing device uses a CPU, a clock, bus data transfer and an operating system to implement data preprocessing, protocol conversion, security rule matching and similar functions; the storage device uses volatile and non-volatile storage resources to hold data temporarily.
Existing unidirectional isolation equipment uses a unidirectional isolation component to build a one-way transmission channel and exchange service data between the trusted-end unit and the untrusted-end unit; it resists attack techniques such as network sniffing and penetration attacks and offers relatively high security. In practice, however, the prior-art solutions also have shortcomings, which in severe cases prevent the service system from operating normally. Specifically: (1) Transmission performance is low. To avoid loss during transmission, the only option is to reduce the transmission rate of the one-way transmission device. (2) Data integrity is poor. Because the unidirectional transmission device has no feedback mechanism, once data is lost or damaged manual intervention is needed, and the cost of data recovery is high. (3) Security is insufficient. The computing unit and storage unit of the untrusted-end device have no security protection; if the system is attacked by an unknown threat (such as a zero-day vulnerability), it may be compromised and malicious code implanted, so that the service system cannot operate normally and there is a risk of data leakage.
Disclosure of Invention
In view of the shortcomings of the prior art, the invention aims to provide a cross-network data security exchange device.
To achieve this, the invention adopts the following technical solution:
A cross-network data security exchange device comprises a trusted-end unit and an untrusted-end unit. The untrusted-end unit comprises an untrusted-end transmission device, an untrusted-end computing device, an untrusted-end storage device and an untrusted-end isolation transmission device; the untrusted-end transmission device, the untrusted-end computing device and the untrusted-end isolation transmission device are connected in sequence, and the untrusted-end storage device is connected to the untrusted-end computing device. The trusted-end unit comprises a trusted-end transmission device, a trusted-end computing device, a trusted-end storage device and a trusted-end isolation transmission device; the trusted-end isolation transmission device, the trusted-end computing device and the trusted-end transmission device are connected in sequence, and the trusted-end storage device is connected to the trusted-end computing device. The untrusted-end transmission device connects to a data storage device deployed on the untrusted-end side, and the trusted-end transmission device connects to a data storage device deployed on the trusted-end side. The untrusted-end isolation transmission device comprises an untrusted-end sending device, the trusted-end isolation transmission device comprises a trusted-end receiving device, and the untrusted-end sending device is communicatively connected to the trusted-end receiving device. The untrusted-end isolation transmission device further comprises an untrusted-end receiving device, the trusted-end isolation transmission device further comprises a trusted-end sending device, and the untrusted-end receiving device is communicatively connected to the trusted-end sending device.
In a preferred scheme, the untrusted-end unit includes a trusted reinforcing device; the untrusted-end transmission device is connected to the untrusted-end computing device through the trusted reinforcing device, and the trusted reinforcing device is also connected to the untrusted-end storage device.
In another preferred scheme, the trusted-end unit includes a trusted reinforcing device; the trusted-end isolation transmission device is connected to the trusted-end computing device through the trusted reinforcing device, and the trusted reinforcing device is also connected to the trusted-end storage device.
In a further preferred scheme, both the untrusted-end unit and the trusted-end unit include a trusted reinforcing device. The untrusted-end transmission device is connected to the untrusted-end computing device through the trusted reinforcing device of the untrusted-end unit, which is also connected to the untrusted-end storage device; the trusted-end isolation transmission device is connected to the trusted-end computing device through the trusted reinforcing device of the trusted-end unit, which is also connected to the trusted-end storage device.
Further, the trusted reinforcing device is a TPM security chip.
Further, the untrusted-end transmission device connects via Ethernet or optical fibre to the data storage device deployed on the untrusted-end side, and the trusted-end transmission device connects via Ethernet or optical fibre to the data storage device deployed on the trusted-end side.
Further, the untrusted-end sending device is connected to the trusted-end receiving device by optical fibre, forming a one-way link on which the untrusted end can only send and the trusted end can only receive.
Further, the trusted-end sending device is connected to the untrusted-end receiving device by optical fibre, forming a second, independent one-way link on which the trusted end can only send and the untrusted end can only receive.
The invention also provides a working method for the cross-network data security exchange device, with the following specific process:
the untrusted-end transmission device executes a data acquisition process and obtains the data coming from the external network from the data storage device deployed on the untrusted-end side;
the untrusted-end computing device processes the data and transfers the processed data to the untrusted-end storage device for temporary storage;
the untrusted-end computing device interacts with the untrusted-end isolation transmission device to prepare the data for sending;
the untrusted-end sending device in the untrusted-end isolation transmission device transmits the data unidirectionally to the trusted-end receiving device in the trusted-end isolation transmission device, and the trusted-end sending device in the trusted-end isolation transmission device returns auxiliary data to the untrusted-end receiving device in the untrusted-end isolation transmission device, the auxiliary data comprising request response data and data transmission error-correction information;
after receiving the data, the trusted-end receiving device in the trusted-end isolation transmission device exchanges the data with the trusted-end computing device;
after processing the data, the trusted-end computing device transfers it to the trusted-end storage device for temporary storage, and then exchanges it with the trusted-end transmission device to prepare it for sending;
the trusted-end transmission device sends the data to the data storage device deployed on the trusted-end side, from which devices in the internal network can retrieve it.
When the untrusted-end unit is equipped with a trusted reinforcing device, the untrusted-end transmission device passes the received data to the trusted reinforcing device of the untrusted-end unit for trusted computation; after the trusted authentication of the trusted reinforcing device has been passed, the trusted reinforcing device passes the data to the untrusted-end computing device for processing. Before the untrusted-end storage device reads or writes data, the trusted reinforcing device of the untrusted-end unit checks whether the data-processing program accessing the untrusted-end storage device holds the corresponding read/write permission, and only after this check passes can the data be accessed.
When the trusted-end unit is equipped with a trusted reinforcing device, the trusted reinforcing device of the trusted-end unit performs trusted computation on the data received by the trusted-end isolation transmission device, and only data that has passed this trusted computation is passed to the trusted-end computing device. When the trusted-end storage device reads or writes data, the trusted reinforcing device of the trusted-end unit checks whether the data-processing program accessing the trusted-end storage device holds the corresponding read/write permission, and only after this check passes can the data be accessed.
The invention has the beneficial effects that:
1. A receiving device is added to the untrusted-end unit and a sending device to the trusted-end unit, constructing two independent data transmission channels that work cooperatively; this addresses confidentiality and integrity in data transmission and improves data exchange performance.
2. The trusted reinforcing device hardware is deployed in the untrusted-end device over the PCI-E bus, so that trusted computing based on the TPM security chip can perform static and dynamic measurement of the whole chain, from system boot through the operating system and application programs to subsequent runtime operation. This protects the computing unit of the untrusted-end device from being compromised, protects the integrity of the data in the storage unit, and gives the cross-network data security exchange device the ability to resist unknown threats.
Drawings
Fig. 1 is a schematic diagram of a conventional cross-network data security exchange device;
fig. 2 is a schematic diagram of the cross-network data security exchange device according to embodiment 1 of the invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings. It should be noted that the embodiments are based on the technical solution described above and give a detailed implementation and specific operating process, but the scope of protection of the invention is not limited to these embodiments.
Example 1
This embodiment provides a cross-network data security exchange device. First, the related terms are briefly explained.
Cross-network data exchange: data exchange performed between two different, mutually isolated security domains.
Data tamper-proofing: technical safeguards that prevent data from being tampered with during storage or transmission.
Access control: restricting the access of users, programs, processes or other systems in a computer network to system resources according to an access policy.
Whitelist control mechanism: the counterpart of a blacklist mechanism; only users, programs or processes on the whitelist are allowed to access resources.
Trusted computing: trust means that an entity always behaves as expected in achieving a given goal, with emphasis on the predictability and controllability of the outcome of its behaviour. Trusted computing means that a system provides computing behaviour that meets the expectations of those relying on it, and that the system is able to prove the trustworthiness of its computation.
The cross-network data security exchange device of this embodiment, shown in fig. 2, comprises a trusted-end unit and an untrusted-end unit. The untrusted-end unit comprises an untrusted-end transmission device, an untrusted-end computing device, an untrusted-end storage device and an untrusted-end isolation transmission device; the untrusted-end transmission device, the untrusted-end computing device and the untrusted-end isolation transmission device are connected in sequence, and the untrusted-end storage device is connected to the untrusted-end computing device. The trusted-end unit comprises a trusted-end transmission device, a trusted-end computing device, a trusted-end storage device and a trusted-end isolation transmission device; the trusted-end isolation transmission device, the trusted-end computing device and the trusted-end transmission device are connected in sequence, and the trusted-end storage device is connected to the trusted-end computing device. The untrusted-end transmission device connects to a data storage device deployed on the untrusted-end side, and the trusted-end transmission device connects to a data storage device deployed on the trusted-end side. The untrusted-end isolation transmission device comprises an untrusted-end sending device, the trusted-end isolation transmission device comprises a trusted-end receiving device, and the untrusted-end sending device is communicatively connected to the trusted-end receiving device.
In this embodiment, the untrusted-end isolation transmission device further includes an untrusted-end receiving device, the trusted-end isolation transmission device includes a trusted-end sending device, and the untrusted-end receiving device is communicatively connected to the trusted-end sending device.
By adding a receiving device to the untrusted-end unit and a sending device to the trusted-end unit, two independent data transmission channels are constructed. With the two channels working cooperatively, the data integrity problem is solved and data exchange performance is improved.
In this embodiment, the untrusted-end unit further includes a trusted reinforcing device; the untrusted-end transmission device is connected to the untrusted-end computing device through the trusted reinforcing device, and the trusted reinforcing device is also connected to the untrusted-end storage device.
Specifically, the trusted reinforcing device is a TPM security chip.
Specifically, the trusted reinforcing device and the untrusted-end transmission device are connected by wire.
It should be noted that the untrusted-end unit is physically a host unit consisting of a single motherboard together with its CPU, memory, hard disk, network card and other hardware; the trusted reinforcing device is installed in this unit, which is wired to the external network through the untrusted-end transmission device. The trusted-end unit has a similar hardware form: a host unit consisting of a single motherboard together with its CPU, memory, hard disk, network card and other hardware, wired to the internal network through the trusted-end transmission device.
Data storage devices are deployed in the untrusted-end network and in the trusted-end network, and serve respectively as the data source and the data exchange destination of the cross-network data security exchange device.
The untrusted-end transmission device connects via Ethernet or optical fibre to the data storage device deployed on the untrusted-end side and provides the source-data transmission channel. The trusted-end transmission device connects via Ethernet or optical fibre to the data storage device deployed on the trusted-end side and provides the data push transmission channel.
The untrusted-end computing device and the trusted-end computing device each consist of a CPU, an operating system, computing processes and the like, and provide data processing, protocol conversion and similar functions.
The untrusted-end storage device and the trusted-end storage device each consist of volatile and non-volatile storage, and provide temporary storage space for the data exchange process.
The untrusted-end sending device is connected to the trusted-end receiving device by optical fibre, forming a one-way data transmission channel on which the untrusted end can only send and the trusted end can only receive.
The trusted-end sending device is connected to the untrusted-end receiving device by optical fibre, forming a second one-way data transmission channel on which the trusted end can only send and the untrusted end can only receive.
Example 2
This embodiment provides a working method for the cross-network data security exchange device of embodiment 1. As shown in fig. 2, the specific process is as follows:
s1, the untrusted-end transmission device executes a data acquisition process (a) and obtains the data coming from the external network from the data storage device deployed on the untrusted-end side;
s2, after the untrusted-end transmission device receives the data, it passes the data to the trusted reinforcing device for trusted computation (b); after the trusted authentication of the trusted reinforcing device has been passed, the trusted reinforcing device passes the data to the untrusted-end computing device for processing (c);
s3, the untrusted-end computing device transfers the processed data to the untrusted-end storage device for temporary storage (e); before the untrusted-end storage device reads or writes data, the trusted reinforcing device checks whether the data-processing program accessing the untrusted-end storage device holds the corresponding read/write permission (d), and only after this check passes can the data be accessed;
s4, the untrusted-end computing device interacts with the untrusted-end isolation transmission device to prepare the data for sending (f);
s5, the untrusted-end sending device in the untrusted-end isolation transmission device transmits the data unidirectionally to the trusted-end receiving device in the trusted-end isolation transmission device (g), and the trusted-end sending device in the trusted-end isolation transmission device returns auxiliary data such as request responses and data transmission error-correction information to the untrusted-end receiving device in the untrusted-end isolation transmission device (h);
s6, after receiving the data, the trusted-end receiving device in the trusted-end isolation transmission device exchanges the data with the trusted-end computing device (i);
s7, after processing the data, the trusted-end computing device transfers it to the trusted-end storage device for temporary storage (j), and then exchanges it with the trusted-end transmission device to prepare it for sending (k);
s8, the trusted-end transmission device sends the data to the data storage device deployed on the trusted-end side (l), from which devices in the internal network can obtain it.
In the above process, process g and process h respectively implement unidirectional transmission from the untrusted-end unit to the trusted-end unit and unidirectional transmission from the trusted-end unit to the untrusted-end unit, which provides support for bidirectional data exchange by the service system. The transmission channels of process g and process h are independent at the hardware level; data timing and the session process are controlled by the upper-layer software system. This mechanism allows real-time monitoring of data integrity and greatly improves transmission efficiency.
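The two-channel exchange of step s5 and the paragraph above (process g carrying data forward, process h carrying request responses and error-correction feedback back) as an added Python simulation; this is not code from the patent. The frame layout, the SHA-256 digest, the fixed five-byte feedback format and the injected faults are all assumptions made for the example. One design point worth keeping from it: the return channel accepts only a fixed (sequence number, ACK/NAK) pair, so the feedback path that restores integrity does not become a general-purpose path for data to flow from the trusted side back to the untrusted side.

```python
import hashlib
import struct

# Forward channel (untrusted-end sender -> trusted-end receiver): one frame per chunk.
# Header: seq (u32), total chunks (u32), payload length (u16); then payload; then SHA-256 over header+payload.
HDR = struct.Struct("!IIH")
DIGEST_LEN = 32
# Return channel (trusted-end sender -> untrusted-end receiver): fixed 5-byte feedback only.
# Limiting the return channel to this format keeps it from carrying arbitrary data back out.
FB = struct.Struct("!IB")
ACK, NAK = 0, 1


def make_frame(seq, total, payload):
    body = HDR.pack(seq, total, len(payload)) + payload
    return body + hashlib.sha256(body).digest()


def parse_frame(frame):
    """Return (seq, total, payload, intact); intact is False when the digest or length check fails.
    Returns None when the frame is too short to carry a header and a digest at all."""
    if len(frame) < HDR.size + DIGEST_LEN:
        return None
    body, digest = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
    seq, total, length = HDR.unpack_from(body)
    payload = body[HDR.size:]
    intact = hashlib.sha256(body).digest() == digest and len(payload) == length
    return seq, total, payload, intact


def make_feedback(seq, status):
    return FB.pack(seq, status)


def parse_feedback(msg):
    """Accept only a well-formed (seq, ACK|NAK) pair on the return channel; anything else is dropped."""
    if msg is None or len(msg) != FB.size:
        return None
    seq, status = FB.unpack(msg)
    if status not in (ACK, NAK):
        return None
    return seq, status


class TrustedEndReceiver:
    """Trusted-end receiving device, plus the trusted-end sending device that emits the feedback."""

    def __init__(self):
        self.chunks = {}
        self.total = None

    def receive(self, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return None                        # unreadable: stay silent, the sender's timeout retransmits
        seq, total, payload, intact = parsed
        if not intact:
            return make_feedback(seq, NAK)     # damaged in transit: ask for this seq again
        self.total = total
        self.chunks[seq] = payload
        return make_feedback(seq, ACK)

    def complete(self):
        return self.total is not None and len(self.chunks) == self.total

    def data(self):
        return b"".join(self.chunks[i] for i in range(self.total))


def exchange(data, chunk_size, forward_faults=None):
    """Untrusted-end sender driving one exchange. forward_faults maps a seq to 'drop' or 'corrupt',
    applied the first time that seq crosses the forward channel (constructed fault injection).
    Returns (reassembled data, number of frames sent, per-frame log)."""
    faults = dict(forward_faults or {})
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    receiver = TrustedEndReceiver()
    pending = list(range(len(chunks)))        # the untrusted-end storage device keeps chunks until acked
    sent, log = 0, []
    while pending:
        seq = pending.pop(0)
        frame = make_frame(seq, len(chunks), chunks[seq])
        sent += 1
        fault = faults.pop(seq, None)
        if fault == "corrupt":
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])   # flip a digest byte in flight
        feedback = None if fault == "drop" else receiver.receive(frame)
        if parse_feedback(feedback) == (seq, ACK):
            log.append((seq, "acked"))
        else:
            log.append((seq, "retransmit"))   # NAK, wrong seq, malformed feedback, or nothing came back
            pending.append(seq)
    return (receiver.data() if chunks else b""), sent, log
```

In the simulation the sender learns about a lost or corrupted chunk from the return channel and retransmits only that chunk, which is the feedback the prior-art one-way device lacks; a real implementation would add a timeout for frames that draw no feedback and a bound on retries.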
The untrusted-end unit is equipped with a trusted reinforcing device, a small system-on-chip containing a cryptographic computation part and a storage part, which secures the trusted state of the system and its data through key technology, hardware access control, storage encryption and similar techniques. Once the trust chain has been established, only application programs that have passed trusted authentication can access the operating system through the trust chain and then access the hardware resources of the untrusted-end unit. Illegal programs that have not passed trusted authentication cannot run on or access the hardware platform, the operating system or the applications, so the cross-network data security exchange device as a whole is not affected by external attack; the security of the internal system, its data and its applications is protected, and data leakage, application tampering and other unknown threats are prevented.
In this process the cross-network data security exchange device provides trusted-computing-based protection while data is exchanged from the external-network data source to the internal-network data destination. When a data acquisition or data transmission program of the untrusted-end unit is started, the trusted reinforcing device computes the hash value of the program being started and compares it with the hash values held in the whitelist library: if a matching record exists in the whitelist library the program is allowed to execute, otherwise execution is refused.
During data reads and writes, the trusted reinforcing device checks whether the data-processing program holds the corresponding read/write permission; the untrusted-end storage device can be accessed successfully only when an application program that has passed trusted authentication also holds the data access permission.
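The trusted-reinforcement flow of steps s2 and s3 and of the three paragraphs above (whitelist check at program start, the trust chain, the permission check before storage access), together with the static and dynamic measurement of the boot chain mentioned under the beneficial effects, as an added Python example; this is not code from the patent. The TPM is modelled as a plain Python class: the register-extend rule, the whitelist, the permission table and the sample firmware, OS and program byte strings are all constructed for the illustration. A real TPM keeps the register and keys in tamper-resistant hardware; the extend rule itself (new register value = hash of old value concatenated with the component digest) is the standard TPM PCR extend.

```python
import hashlib


def sha256(data):
    return hashlib.sha256(data).digest()


def golden_pcr(components):
    """Expected register value after measuring a known-good chain, in order, from an all-zero register."""
    pcr = bytes(32)
    for _, blob in components:
        pcr = sha256(pcr + sha256(blob))
    return pcr


class TrustedReinforcingDevice:
    """Toy model of the trusted reinforcing device (a TPM security chip in the patent). Everything here
    lives in plain Python for illustration; the hardware part keeps the register and keys tamper-resistant."""

    def __init__(self, whitelist, permissions):
        self.pcr = bytes(32)                 # TPM PCRs start at all zeros
        self.whitelist = set(whitelist)      # SHA-256 digests of programs allowed to run
        self.permissions = permissions       # program digest -> set of allowed storage operations
        self.measurement_log = []            # (component name, digest) in measurement order
        self.authenticated = set()           # digests of programs that passed the launch check

    def extend(self, name, blob):
        """Static measurement of the boot chain: PCR = H(PCR || H(component)), TPM-style."""
        digest = sha256(blob)
        self.pcr = sha256(self.pcr + digest)
        self.measurement_log.append((name, digest))
        return self.pcr

    def boot_is_trusted(self, expected_pcr):
        """The trust chain is established only if every measured component matched the golden chain."""
        return self.pcr == expected_pcr

    def authorize_launch(self, blob):
        """Whitelist control at program start: hash the program and look the digest up in the whitelist."""
        digest = sha256(blob)
        if digest not in self.whitelist:
            return False
        self.authenticated.add(digest)
        return True

    def remeasure(self, blob):
        """Dynamic measurement: a running program whose bytes changed since launch is no longer trusted."""
        return sha256(blob) in self.authenticated

    def check_access(self, blob, op):
        """Access control before the storage device is read or written: the caller must be an
        authenticated program and must hold the requested permission."""
        digest = sha256(blob)
        if digest not in self.authenticated:
            return False
        return op in self.permissions.get(digest, set())


# Constructed sample components standing in for the firmware, the OS and the data-exchange programs.
FIRMWARE = b"firmware image v1"
OS_IMAGE = b"operating system image"
ACQUIRE_PROG = b"data acquisition program"     # reads the external data source, writes temporary storage
RELAY_PROG = b"data relay program"             # reads temporary storage, hands data to the isolation device
ROGUE_PROG = b"implanted malicious code"       # not on the whitelist

GOLDEN_CHAIN = [("firmware", FIRMWARE), ("os", OS_IMAGE), ("acquire", ACQUIRE_PROG)]


def build_device():
    """Device provisioned with the whitelist and a least-privilege permission table."""
    return TrustedReinforcingDevice(
        whitelist=[sha256(ACQUIRE_PROG), sha256(RELAY_PROG)],
        permissions={sha256(ACQUIRE_PROG): {"write"}, sha256(RELAY_PROG): {"read"}},
    )


def boot(device, chain):
    """Measure each component of the chain in order and return the final register value."""
    for name, blob in chain:
        device.extend(name, blob)
    return device.pcr
```

The permission table gives the acquisition program write-only access and the relay program read-only access to the temporary storage, which is the split the patent's data-flow implies; a program that is not on the whitelist never reaches the permission check because it is refused at launch.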
Example 3
This embodiment provides a cross-network data security exchange device that is essentially the same as embodiment 1; the main difference is that here the trusted reinforcing device is installed in the trusted-end unit, between the trusted-end isolation transmission device and the trusted-end computing device: the trusted-end isolation transmission device is connected to the trusted-end computing device through the trusted reinforcing device, and the trusted reinforcing device is also connected to the trusted-end storage device.
In operation, the trusted reinforcing device performs trusted computation on the data received by the trusted-end isolation transmission device, and only data that has passed this trusted computation is passed to the trusted-end computing device. When the trusted-end storage device reads or writes data, the trusted reinforcing device checks whether the data-processing program accessing the trusted-end storage device holds the corresponding read/write permission, and only after this check passes can the data be accessed.
Example 4
This embodiment provides a cross-network data security exchange device that is essentially the same as embodiment 1; the main difference is that here both the untrusted-end unit and the trusted-end unit are equipped with trusted reinforcing devices. They are installed in the same way as the trusted reinforcing devices described in embodiment 1 and embodiment 3 respectively, and operate as described in embodiment 2 and embodiment 3 respectively.
Those skilled in the art can make various corresponding changes and modifications on the basis of the above technical solutions and concepts, and all such changes and modifications should fall within the scope of protection of the invention.
Claims (10)
1. A cross-network data security exchange device, comprising a trusted end unit and an untrusted end unit. The untrusted end unit comprises an untrusted end transmission device, an untrusted end operation device, an untrusted end storage device and an untrusted end isolation transmission device; the untrusted end transmission device, the untrusted end operation device and the untrusted end isolation transmission device are connected in sequence, and the untrusted end storage device is connected to the untrusted end operation device. The trusted end unit comprises a trusted end transmission device, a trusted end operation device, a trusted end storage device and a trusted end isolation transmission device; the trusted end isolation transmission device, the trusted end operation device and the trusted end transmission device are connected in sequence, and the trusted end storage device is connected to the trusted end operation device. The untrusted end transmission device connects to a data storage device deployed in the untrusted end unit, and the trusted end transmission device connects to a data storage device deployed in the trusted end unit. The untrusted end isolation transmission device comprises an untrusted end sending device, the trusted end isolation transmission device comprises a trusted end receiving device, and the untrusted end sending device is communicatively connected to the trusted end receiving device. The device is characterized in that the untrusted end isolation transmission device further comprises an untrusted end receiving device, the trusted end isolation transmission device further comprises a trusted end sending device, and the untrusted end receiving device is communicatively connected to the trusted end sending device.
2. The cross-network data security exchange device of claim 1, wherein the untrusted end unit includes a trusted reinforcing device, the untrusted end transmission device is connected to the untrusted end operation device through the trusted reinforcing device, and the trusted reinforcing device is further connected to the untrusted end storage device.
3. The cross-network data security exchange device of claim 1, wherein the trusted end unit includes a trusted reinforcing device, the trusted end isolation transmission device is connected to the trusted end operation device through the trusted reinforcing device, and the trusted reinforcing device is further connected to the trusted end storage device.
4. The cross-network data security exchange device of claim 1, wherein the untrusted end unit and the trusted end unit each comprise a trusted reinforcing device; the untrusted end transmission device is connected to the untrusted end operation device through the trusted reinforcing device of the untrusted end unit, which is further connected to the untrusted end storage device; and the trusted end isolation transmission device is connected to the trusted end operation device through the trusted reinforcing device of the trusted end unit, which is further connected to the trusted end storage device.
5. The cross-network data security exchange device of any one of claims 1 to 4, wherein the trusted reinforcing device is a TPM security chip.
6. The cross-network data security exchange device of claim 1, wherein the untrusted end transmission device is connected to the data storage device deployed in the untrusted end unit by Ethernet or optical fiber, and the trusted end transmission device is connected to the data storage device deployed in the trusted end unit by Ethernet or optical fiber.
7. The cross-network data security exchange device of claim 1, wherein the untrusted end sending device and the trusted end receiving device are connected by optical fiber.
8. The cross-network data security exchange device of claim 1, wherein the trusted end sending device and the untrusted end receiving device are connected by optical fiber.
9. A method of operating the cross-network data security exchange device of any one of the preceding claims, characterized in that the process is as follows:
the untrusted end transmission device performs data acquisition, obtaining data originating from the external network from the data storage device deployed in the untrusted end unit;
the untrusted end operation device processes the data and passes the processed data to the untrusted end storage device for temporary storage;
the untrusted end operation device interacts with the untrusted end isolation transmission device to prepare the data for sending;
the untrusted end sending device in the untrusted end isolation transmission device transmits the data unidirectionally to the trusted end receiving device in the trusted end isolation transmission device, and the trusted end sending device in the trusted end isolation transmission device returns auxiliary data to the untrusted end receiving device in the untrusted end isolation transmission device, the auxiliary data comprising request responses and data transmission error-correction information;
after receiving the data, the trusted end receiving device in the trusted end isolation transmission device exchanges the data with the trusted end operation device;
after processing the data, the trusted end operation device passes the data to the trusted end storage device for temporary storage and then interacts with the trusted end transmission device to prepare the data for sending;
the trusted end transmission device transmits the data to the data storage device deployed in the trusted end unit, from which devices in the internal network can retrieve it.
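The isolation transmission step of claim 9, as an added example that is not part of the patent: a Python model in which the untrusted end sending device pushes fixed-size frames one way to the trusted end receiving device, and the trusted end sending device answers only with auxiliary data (a request response, or an error-correction request that triggers a retransmission). The frame layout, the SHA-256 integrity digest, the ACK/NACK retransmission scheme, the byte-flip fault used to exercise error correction, and the schema check applied to the return path are all assumptions of this example; the patent does not specify them.

```python
import hashlib
from dataclasses import dataclass

CHUNK = 4                                   # bytes per frame (assumption, tiny for the demo)
ALLOWED_REASONS = {"out_of_order", "bad_digest"}


@dataclass(frozen=True)
class Frame:
    seq: int
    payload: bytes
    digest: str          # hex SHA-256 over seq || payload (assumed integrity check)


def make_frame(seq: int, payload: bytes) -> Frame:
    return Frame(seq, payload, hashlib.sha256(seq.to_bytes(4, "big") + payload).hexdigest())


def frame_ok(frame: Frame) -> bool:
    return hashlib.sha256(frame.seq.to_bytes(4, "big") + frame.payload).hexdigest() == frame.digest


class TrustedEndIsolation:
    """Trusted end receiving device; the trusted end sending device answers with
    auxiliary data only (request response or error-correction request), never payload."""

    def __init__(self):
        self.expected = 0
        self.accepted = []

    def receive(self, frame: Frame) -> dict:
        if frame.seq != self.expected:
            return {"type": "NACK", "seq": self.expected, "reason": "out_of_order"}
        if not frame_ok(frame):
            return {"type": "NACK", "seq": self.expected, "reason": "bad_digest"}
        self.accepted.append(frame.payload)
        self.expected += 1
        return {"type": "ACK", "seq": frame.seq}

    def data(self) -> bytes:
        return b"".join(self.accepted)


def aux_ok(msg: dict) -> bool:
    """Untrusted end receiving device: accept only fixed-shape auxiliary data.

    The reverse path is what distinguishes this device from a one-way diode, so
    anything beyond a minimal ACK/NACK vocabulary is dropped; otherwise a compromised
    trusted end could use this channel to push data out to the untrusted side."""
    if set(msg) - {"type", "seq", "reason"}:
        return False
    if msg.get("type") not in ("ACK", "NACK"):
        return False
    if not isinstance(msg.get("seq"), int) or msg["seq"] < 0:
        return False
    if msg["type"] == "ACK":
        return "reason" not in msg
    return msg.get("reason") in ALLOWED_REASONS


def transfer(data: bytes, corrupt_once=frozenset(), max_retries: int = 3):
    """Push `data` one way through the isolation transmission devices.

    `corrupt_once` is a constructed fault: each listed seq has a byte flipped the
    first time it is sent. Returns (bytes accepted by the trusted end, retransmissions)."""
    receiver = TrustedEndIsolation()
    frames = [make_frame(i, data[j:j + CHUNK])
              for i, j in enumerate(range(0, len(data), CHUNK))]
    retransmits = 0
    damaged = set()
    for frame in frames:
        for _ in range(max_retries + 1):
            sent = frame
            if frame.seq in corrupt_once and frame.seq not in damaged:
                damaged.add(frame.seq)
                bad = bytes([frame.payload[0] ^ 0xFF]) + frame.payload[1:]
                sent = Frame(frame.seq, bad, frame.digest)     # digest no longer matches
            aux = receiver.receive(sent)
            if not aux_ok(aux):
                raise ValueError("auxiliary data outside the allowed schema; dropped")
            if aux["type"] == "ACK":
                break
            retransmits += 1
        else:
            raise RuntimeError(f"frame {frame.seq} not accepted after {max_retries} retries")
    return receiver.data(), retransmits


if __name__ == "__main__":
    received, n = transfer(b"external network payload", {1, 3})
    print(received, "retransmissions:", n)
```

The point a practitioner should take from `aux_ok` is that the security of this design rests on how narrow the trusted-to-untrusted "auxiliary" vocabulary is kept: in a real device that return path should also be bounded in size and rate, since every bit of freedom in it is capacity for a covert channel out of the trusted network.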
10. The method of claim 9, wherein, when the untrusted end unit is provided with a trusted reinforcing device, the untrusted end transmission device, after receiving the data, passes it to the trusted reinforcing device of the untrusted end unit for trusted calculation; after the trusted reinforcing device of the untrusted end unit has performed trusted authentication, it passes the data that has undergone trusted calculation to the untrusted end operation device for processing; and before the untrusted end storage device is read or written, the trusted reinforcing device of the untrusted end unit checks whether the data processing program has the corresponding read or write permission on the untrusted end storage device, the access succeeding only after this check passes;
when the trusted end unit is provided with a trusted reinforcing device, the trusted reinforcing device of the trusted end unit performs trusted calculation on the data received by the trusted end isolation transmission device, and only data that has undergone trusted calculation is passed to the trusted end operation device; and when the trusted end storage device is read or written, the trusted reinforcing device of the trusted end unit checks whether the data processing program has the corresponding read or write permission on the trusted end storage device, the access succeeding only after this check passes.
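The trusted reinforcing device of embodiment 3 and claim 10, as an added example that is not from the patent: a Python model in which "trusted calculation" is taken to mean measuring the received data into a TPM-style PCR (SHA-256 extend) with a replayable measurement log, and the read/write permission check is taken to mean looking up the digest of the data processing program in a policy table before the storage device serves the access. Those two interpretations, the policy table, the sample program bytes and the payload are assumptions of this example; the patent names a TPM security chip (claim 5) but does not define the calculation.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class TrustedReinforcement:
    """Model of the trusted reinforcing device (a TPM security chip per claim 5).

    Assumption: 'trusted calculation' = measure into a PCR-style register plus an
    append-only log; 'permission check' = look up the program's digest in a policy."""

    def __init__(self, policy):
        self.pcr = bytes(32)          # PCR starts at all zeros, like a TPM PCR
        self.log = []                 # (kind, digest) entries, replayable by a verifier
        self.policy = dict(policy)    # program digest -> frozenset of "read"/"write"

    def _extend(self, kind: str, digest: bytes) -> None:
        # TPM extend: PCR_new = H(PCR_old || digest); order matters, nothing can be undone.
        self.pcr = sha256(self.pcr + digest)
        self.log.append((kind, digest))

    def trusted_calculation(self, data: bytes) -> bytes:
        """Measure data handed over by the isolation transmission device."""
        digest = sha256(data)
        self._extend("data", digest)
        return digest

    def check_program(self, program: bytes, op: str) -> bool:
        """Permission check before a storage access. An unknown or modified program
        has no policy entry and is denied; the attempt itself is measured too."""
        digest = sha256(program)
        self._extend("program", digest)
        return op in self.policy.get(digest, frozenset())


class TrustedEndStorage:
    """Trusted end storage device: every access goes through the reinforcing device."""

    def __init__(self, device: TrustedReinforcement):
        self.device = device
        self.blob = b""

    def write(self, program: bytes, data: bytes) -> None:
        if not self.device.check_program(program, "write"):
            raise PermissionError("write denied for this program")
        self.blob = data

    def read(self, program: bytes) -> bytes:
        if not self.device.check_program(program, "read"):
            raise PermissionError("read denied for this program")
        return self.blob


def replay(log) -> bytes:
    """Recompute the PCR from a log; a verifier compares this with the device's PCR,
    so a log that has been edited after the fact no longer matches."""
    pcr = bytes(32)
    for _, digest in log:
        pcr = sha256(pcr + digest)
    return pcr


def access(storage: TrustedEndStorage, op: str, program: bytes, data: bytes = b"") -> bool:
    """Attempt one storage access and report whether the reinforcing device allowed it."""
    try:
        if op == "write":
            storage.write(program, data)
        else:
            storage.read(program)
        return True
    except PermissionError:
        return False


# Constructed sample programs and policy (assumptions for the demo).
GOOD_PROGRAM = b"def process(data): return data.upper()"
ROGUE_PROGRAM = GOOD_PROGRAM + b"  # one extra byte changes the digest"
READONLY_PROGRAM = b"def export(data): return data"
POLICY = {
    sha256(GOOD_PROGRAM): frozenset({"read", "write"}),
    sha256(READONLY_PROGRAM): frozenset({"read"}),
}


def receive_into_trusted_end(device, storage, program, data):
    """Claim 10 on the trusted end: measure first, then store through the permission check."""
    device.trusted_calculation(data)
    storage.write(program, data)
    return storage.read(program)


if __name__ == "__main__":
    dev = TrustedReinforcement(POLICY)
    store = TrustedEndStorage(dev)
    print(receive_into_trusted_end(dev, store, GOOD_PROGRAM, b"payload from untrusted end"))
    print("rogue read allowed:", access(store, "read", ROGUE_PROGRAM))
    print("log replays to PCR:", replay(dev.log) == dev.pcr)
```

Two caveats apply to any device built this way. The digest lookup only establishes that the program is the one the policy was written for, not that it is free of bugs, so the allow-list is a change-control artifact that needs the same care as the policy itself. And the measurement log is only evidence if something outside the device (an attestation verifier, or at least tamper-evident logging) actually replays it and compares it with the PCR; a register that nobody reads adds no assurance.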
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010933341.XA CN111917803A (en) | 2020-09-08 | 2020-09-08 | Cross-network data safety exchange equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010933341.XA CN111917803A (en) | 2020-09-08 | 2020-09-08 | Cross-network data safety exchange equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111917803A true CN111917803A (en) | 2020-11-10 |
Family
ID=73267705
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010933341.XA Pending CN111917803A (en) | 2020-09-08 | 2020-09-08 | Cross-network data safety exchange equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111917803A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115277221A (en) * | 2022-07-29 | 2022-11-01 | 深圳市风云实业有限公司 | Transmission method and isolation device based on transparent data landing and protocol isolation |
CN116842578A (en) * | 2023-08-31 | 2023-10-03 | 武汉大数据产业发展有限公司 | Privacy computing platform, method, electronic equipment and medium in data element transaction |
CN115277221B (en) * | 2022-07-29 | 2024-06-07 | 深圳市风云实业有限公司 | Transmission method and isolation equipment based on transparent data landing and protocol isolation |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106815494B (en) | Method for realizing application program safety certification based on CPU time-space isolation mechanism | |
Checkoway et al. | Iago attacks: Why the system call API is a bad untrusted RPC interface | |
Loscocco et al. | The inevitability of failure: The flawed assumption of security in modern computing environments | |
US8560857B2 (en) | Information processing apparatus, a server apparatus, a method of an information processing apparatus, a method of a server apparatus, and an apparatus executable program | |
US8402267B1 (en) | Security enhanced network device and method for secure operation of same | |
CN108595982B (en) | Secure computing architecture method and device based on multi-container separation processing | |
CN114553540B (en) | Zero trust-based Internet of things system, data access method, device and medium | |
CN114584343B (en) | Data protection method and system for cloud computing center and readable storage medium | |
CN110401640B (en) | Trusted connection method based on trusted computing dual-system architecture | |
CN113014444A (en) | Internet of things equipment production test system and safety protection method | |
US20090064273A1 (en) | Methods and systems for secure data entry and maintenance | |
Shakevsky et al. | Trust Dies in Darkness: Shedding Light on Samsung's {TrustZone} Keymaster Design | |
KR20140019574A (en) | System for privacy protection which uses logical network division method based on virtualization | |
RU130429U1 (en) | TERMINAL AND PROTECTED COMPUTER SYSTEM INCLUDING TERMINAL | |
CN111917803A (en) | Cross-network data safety exchange equipment | |
Sadavarte et al. | Data security and integrity in cloud computing: Threats and Solutions | |
CN212727070U (en) | Cross-network data safety exchange equipment | |
US11783027B2 (en) | Systems and methods for managing state | |
CN111651740B (en) | Trusted platform sharing system for distributed intelligent embedded system | |
Salehi et al. | Cloud computing security challenges and its potential solution | |
KR20210123811A (en) | Apparatus and Method for Controlling Hierarchical Connection based on Token | |
Goyal et al. | Cloud Computing and Security | |
RU2334272C1 (en) | Device protecting against unauthorised access to information | |
KR102444356B1 (en) | Security-enhanced intranet connecting method and system | |
US20230351028A1 (en) | Secure element enforcing a security policy for device peripherals |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||