CN113553632A - Data security transmission interface equipment, system and method - Google Patents


Info

Publication number: CN113553632A
Authority: CN (China)
Prior art keywords: partition, data, command, access terminal, interface device
Legal status: Pending
Application number: CN202010330287.XA
Other languages: Chinese (zh)
Inventors: 石明明, 王帆, 王玉婷
Current Assignee: CRSC Research and Design Institute Group Co Ltd
Original Assignee: CRSC Research and Design Institute Group Co Ltd

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
        • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
                • G06F21/82 Protecting input, output or interconnection devices
                    • G06F21/85 Interconnection devices, e.g. bus-connected or in-line devices
            • G06F21/60 Protecting data
                • G06F21/602 Providing cryptographic facilities or services
                • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                    • G06F21/6218 To a system of files or objects, e.g. local or distributed file system or database
        • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
            • G06F13/38 Information transfer, e.g. on bus
                • G06F13/42 Bus transfer protocol, e.g. handshake; Synchronisation
                    • G06F13/4282 On a serial bus, e.g. I2C bus, SPI bus

Abstract

The invention provides a data security transmission interface device comprising a first partition and a second partition; the first partition is provided with a bootstrap program, and the second partition stores data encrypted by the bootstrap program. The interface device stores the data and the bootstrap program in different partitions, the bootstrap program of the first partition can access the second partition, and data written to the second partition is encrypted, so that storage confidentiality is improved, the probability of data leakage is reduced, and device faults caused by malicious tampering of data written to the storage partition or by the introduction of malicious files are avoided.

Description

Data security transmission interface equipment, system and method
Technical Field
The invention belongs to the technical field of data security, and in particular relates to a data security transmission interface device, system and method.
Background
Mobile interface devices are commonly used for quick and portable data copying and transfer. In the prior art, mobile interface devices such as mobile hard disks and USB flash disks are common, and they generally use a USB interface for data transmission. USB (Universal Serial Bus) is an interface technology used in the PC field; it provides data communication between a computer and external devices such as USB flash disks and mice, and handles periodic data-stream transfer at a constant rate between the host and the flash disk.
A common interface device is plug-and-play and is generally accessed directly through an interactive graphical user interface, such as a Windows system, to read files. This gives the interface device poor data security and makes data theft easy. Moreover, an interface device is usually a mobile device used repeatedly across many machines; it offers poor confidentiality, is prone to virus infection, and poses a serious threat to industrial equipment with high safety requirements.
In addition, in existing encrypted USB flash disks the encrypted and unencrypted content is stored together in a shared partition, so read/write operations on either kind of content can lead to virus intrusion.
For special projects in the rail transit field with high requirements on site construction, copying data with conventional mobile interface devices cannot meet the requirements.
Therefore, a data security transmission scheme for the interface device is needed.
Disclosure of Invention
In view of the above problems, the present invention provides a data security transmission interface device;
the interface device comprises a first partition and a second partition;
the first partition is provided with a bootstrap program;
the second partition stores data encrypted by the bootstrap program.
Further, the first partition is a visible read-only partition;
the second partition is an encrypted hidden partition.
Further, the interface device is read and written through a corresponding access terminal.
Further, the bootstrap program is used to receive control commands from the access terminal;
the control commands comprise a first command and a second command;
the bootstrap program establishes a connection with the access terminal according to the first command;
and the bootstrap program carries out the data interaction between the interface device and the external device according to the second command.
Further, the bootstrap program encrypts data according to a write command and writes the encrypted data into the second partition;
and the bootstrap program decrypts the data of the second partition according to a read command and outputs the decrypted data.
Further, the data interaction of the interface device based on the control commands is performed in an asynchronous delegation mode.
The invention also provides a data security transmission system comprising an interface device and an access terminal;
the interface device comprises a first partition and a second partition, and the first partition is provided with a bootstrap program;
the access terminal is used to access the interface device through the bootstrap program, and the bootstrap program encrypts data and stores the encrypted data in the second partition.
Further, the access terminal accesses the interface device through control commands;
the control commands comprise a first command and a second command;
the bootstrap program establishes a connection with the access terminal according to the first command;
and the bootstrap program carries out the data interaction between the interface device and the external device according to the second command.
Further, the data interaction adopts an asynchronous delegation mode.
Further, the system supports real-time bidirectional communication between the interface device and the access terminal.
Further, the system encrypts data according to a write command and writes the encrypted data into the second partition;
and the system decrypts the data of the second partition according to a read command and outputs the decrypted data.
The invention also provides a data security transmission method comprising the following steps:
the interface device receives a control command from an access terminal;
the bootstrap program in the first partition of the interface device controls the interface device to establish a connection with the access terminal according to the control command;
and the bootstrap program in the first partition reads and writes the encrypted data in the second partition of the interface device based on the control command.
Further, the bootstrap program in the first partition reading and writing the encrypted data in the second partition based on the control command specifically comprises:
the bootstrap program in the first partition encrypts data sent by the access terminal to form encrypted data and writes the encrypted data into the second partition of the interface device; or alternatively,
the bootstrap program in the first partition reads the encrypted data from the second partition, decrypts it, and sends the decrypted data to the access terminal.
Further, controlling the interface device to establish a connection with the access terminal according to the control command specifically comprises:
the bootstrap program in the first partition controls the interface device to establish a connection with the access terminal based on a first command among the control commands;
and the bootstrap program in the first partition reads and writes the encrypted data in the second partition of the interface device based on a second command among the control commands.
The data security transmission interface device, system and method store the data and the bootstrap program in different partitions; the bootstrap program of the first partition can access the second partition, and data written to the second partition is encrypted, so storage confidentiality is improved, the probability of data leakage is reduced, and device faults caused by malicious tampering of data written to the storage partition or by the introduction of malicious files are avoided.
The interface device is read and written through a dedicated access terminal; the first partition of the interface device can be identified only with the support of the access terminal, and the encrypted data of the second partition is finally reached through the first command and the second command sent by the access terminal.
This application accesses the encrypted interface device through two commands and can be used on an operating system without a graphical user interface (a non-desktop system), such as Linux. As a result, the access terminal is not exposed to infection by viruses or malicious scripts, and lossless, high-security transmission of data files in a Linux system environment is guaranteed. The access terminal is based on a Linux system and uses a command-line mode to meet the requirements of site construction, supporting the development of special, practical functions adapted to the signal system. In the prior art, desktop operating systems occupy a large amount of memory, have low stability and do not support multiple platforms, while more and more industrial control systems, such as railway train control and interlocking equipment, use non-desktop Linux systems. Industrial Linux systems have higher requirements on safety and stability and handle more file data, and CPU usage can be reduced by operating through the Linux command line.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1a shows a data security transmission interface system based on a Linux system according to an embodiment of the present invention;
FIG. 1b illustrates the access terminal identifying the first partition of the interface device according to an embodiment of the present invention;
FIG. 1c illustrates file storage by the access terminal through the bootstrap program in an embodiment of the present invention;
FIG. 2 shows a flow chart of data storage using an encrypted USB flash disk according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention takes the development of special, practical functions adapted to a signal system as its background, takes an encrypted USB flash disk as the example of the interface device and a Linux Shell command tool as the example of the access terminal, and on that basis explains the data security transmission interface device, system and method.
An embodiment of the present invention provides a data security transmission system, as shown in FIG. 1a, which includes an interface device and a corresponding access terminal; the interface device allows the access terminal to access it.
In this embodiment the interface device includes an interface unit and a storage unit; the interface unit connects to an external device, and an exemplary interface unit is a USB interface. The interface device may have a plurality of partitions; a bootstrap program may be provided in a first partition, and the bootstrap program can encrypt and decrypt data. A second partition is an encrypted hidden partition.
After the interface device receives a data write control command from the access terminal, the bootstrap program in the first partition encrypts the data (text, files, pictures, audio, video and the like) sent to the interface device by the access terminal to form encrypted data. The encrypted data is then sent to the second partition, where it is stored.
After the interface device receives a data read control command from the access terminal, the bootstrap program in the first partition reads the encrypted data from the second partition, decrypts it with the corresponding decryption algorithm, and sends the decrypted data to the access terminal.
In this embodiment, data transmission between the interface device and the access terminal is carried out through a bootstrap program in an independent partition; the bootstrap program and the data are stored in different hardware partitions, and the bootstrap program controls the reading and writing of encrypted data in the second partition, which improves data security.
To further improve the security of data reading and writing and prevent data in the interface device from being tampered with, this embodiment assigns different protocols to the different partition identifiers in the interface device. The first partition implements its command interface with a first protocol, and the second partition implements its command interface with a second protocol. The first protocol is a standard protocol whose commands can be recognised by the operating system; the second protocol is a special protocol that can be accessed only by the access terminal through the bootstrap program. An external device can only access the first partition through the standard first protocol and cannot directly access the private hidden partition of the second protocol, which improves the confidentiality of the data read/write partition. How the two partitions implement their command interfaces with different protocols is described in detail below.
Existing common storage media exchange data with the computer system through a standard communication protocol; for example, standard USB storage devices in the prior art all use SCSI commands. SCSI (Small Computer System Interface) is an independent processor standard for system-level interfaces between computers and their peripherals (hard disks, floppy drives, optical drives, printers, scanners, etc.). The SCSI standard defines commands, communication protocols and electrical characteristics, with its largest application being storage devices (e.g. hard disks and tape drives).
When the IC chip (integrated circuit chip) in the storage medium implements the command set of a standard USB device using the SCSI protocol, the Linux operating system can automatically identify and access the USB device. The first partition of the interface device in this embodiment may therefore implement its command interface with the standard SCSI protocol. After the interface device is connected to the access terminal, the access terminal can identify the interface device, because it can identify the first partition that stores the bootstrap program and that partition uses standard SCSI commands. The second partition is hidden from the access terminal, so the access terminal cannot display it, i.e. cannot display the encrypted data stored in it. In addition, because the second partition implements its command interface only with the special protocol, the access terminal cannot operate on the second partition directly and instead interacts with the special-protocol interface through the bootstrap program of the first partition. This design effectively removes the risk of data in the hidden partition being accessed at will or even tampered with. The hidden partition can be operated on only by sending a specific special command through the first partition to obtain the decrypted stored file, which guarantees the security and confidentiality of the data transmission process for the external device. In this embodiment, the dedicated command interface of the second protocol is the interface for the second command, which is executed after the access terminal has established a connection with the USB flash disk through the first command.
The second command is implemented through custom functions for encryption, file conversion, file transfer and the like and does not follow a standard protocol, so a general-purpose operating system cannot operate it; the access terminal of this application calls the bootstrap program to execute the second command through these custom functions. The execution of the first and second commands is described further below.
As shown in FIG. 1b, whenever the USB flash disk is plugged in directly, the external device can identify only the content of the first partition; file encryption, decryption, storage and reading must be completed through the bootstrap program, and the generated encrypted file is finally stored in the encrypted, hidden second partition. In FIG. 1b the access terminal is installed on a notebook as an example, but the host device is not limited to this.
As shown in FIG. 1c, the terminal is configured to access the interface device through the bootstrap program in the first partition, and the bootstrap program encrypts the data and stores it in the second partition. Correspondingly, when data is read, the access terminal accesses the interface device through the bootstrap program in the first partition, which decrypts the data before it is read.
The principle of encrypted USB flash disk data transmission through the access terminal is explained further below.
The access terminal is a command-line software tool that accesses the interface device through control commands. In this embodiment the access terminal is a Shell command console tool, the FSShell Console Tool, which lets a Linux system transfer data over the universal serial bus and supports operations such as transfer in both directions and deletion between files on the access terminal (e.g. the local Linux system) and files on the interface device (e.g. the USB flash disk).
The access terminal stores files securely by calling the bootstrap program of the first partition to convert the file into a data stream and encrypt that stream, and reads files by decrypting the data file and converting the stream back. For example, a data file may reside on an access terminal such as a notebook computer or industrial PC; an interface device such as an encrypted USB flash disk is connected to the notebook through a USB interface, a wireless interface or another interface; the access terminal is opened, and the file stored locally on the Linux system is converted by the encryption method into an encrypted stream file format and stored on the interface device.
The data processing flow is described in detail below with reference to the command types of the access terminal. The control commands issued by the access terminal to the interface device include a first command and a second command. The bootstrap program of the first partition establishes a connection with the access terminal according to the first command, and carries out the data interaction between the interface device and the external device according to the second command. Without loss of generality, the external device is a first computer on which the access terminal software tool is installed; the interface device is plugged into the first computer, and the access terminal interacts with the file system of the first computer, so files on the first computer can be transferred to the interface device and data on the interface device can be copied into the file system of the first computer. In another embodiment, the interface device may interact through the access terminal with the file system of a second computer that has a data connection to the first computer; for example, the access terminal on the first computer may reach files on the second computer indirectly through sharing, an FTP service and the like, enabling interaction between the file system of the second computer and the interface device.
Illustratively, the first command is a device operation command (DEV Command), which provides basic operation commands for an interface device mounted on the Linux system and includes:
(1) device count command, devlist: used to check the number of external devices, such as USB flash disks and other interface devices, mounted on the current Linux system;
(2) device information command, devinfo: used to view basic information such as the capacity of the interface device;
(3) device connection command, revopen: used to open the designated mounted interface device and connect it to the system on which the access terminal runs, so that the subsequent file operations of the second command can be carried out. That is, in this embodiment the interface device can be read and written through the second command only after it has been connected to the access terminal through the first command, which improves the read/write security of the interface device. The connection process of the first command may add password authentication or the like to further improve security.
(4) device close command, devclose/devexit: used to close the connection between the interface device and the access terminal.
Illustratively, the second command is a file operation command (FS Command), which provides basic file operation commands for an opened interface device and mainly includes:
(1) file view command, ls/list/dir: used to list the folders and files in the current directory of the interface device or of the access terminal's file system;
(2) directory switch command, cd: used to switch directories within the folders of the interface device or of the access terminal's file system;
(3) file transfer command, cp/cpy/copy: used to transfer files between the interface device and the system on which the access terminal runs. According to its parameters, the file transfer command is divided into a write command and a read command: the write command writes file data from the access terminal's file system into the interface device, and the read command reads data from the interface device into the access terminal.
After the interface device receives the first command from the access terminal, the bootstrap program in the interface device controls the interface device to establish a connection with the access terminal. The interface device recognises the control command through the bootstrap program and feeds back information about the encrypted data hidden in the second partition to the connected access terminal. Accordingly, the commands provide upload and download of data in the hidden encrypted partition of the interface device mounted on the Linux system.
In this embodiment the access terminal is a dedicated command control program: the corresponding interface device can be identified and accessed only after the dedicated access terminal has been started or invoked and has entered its command control state, and the dedicated access terminal offers command identifiers similar to a traditional general-purpose shell, such as the cd command, so usability is improved while the security requirements are met. The access terminal does not access the file storage area of the interface device (the second partition) directly; it interacts with the bootstrap program, which feeds back the file information of the second partition and performs the data transfer, which greatly improves the security of the data stored on the interface device.
Further, the system encrypts data according to the write command and writes the encrypted data into the second partition, and decrypts the data of the second partition according to the read command and outputs the decrypted data. In this embodiment, although the command identifiers of the access terminal resemble those of a general-purpose shell, the implementation of the access terminal's command calls is developed according to the encrypted-transmission design. When a user issues an input command to write data, the system automatically encrypts the data and writes the encrypted data into the second partition; specifically, the data is encrypted with the AES algorithm and stored in the second partition, so encryption and writing are carried out by a single invocation of the input command. On the one hand this simplifies the command call, since the user sees only a transfer call; on the other hand it prevents unencrypted data from ever being written to the second partition. Further, in this embodiment the file is encrypted by the bootstrap program and then stored in the second partition.
The encryption step can be completed by the bootstrap program only when the terminal system is running. The interface device consists of a read-only partition and an encrypted partition, and the bootstrap program is stored in the read-only partition. The data transmission process passes neither through the storage-related drivers of the external operating system (such as file system drivers and volume drivers) nor through the operating system's resource browser (system applications, drivers and third-party tools), so the protected files on the interface device cannot be accessed that way, and the encrypted files are more secure.
In this embodiment, data interaction adopts an asynchronous delegation mode. With asynchronous processing the user can carry out other local operations while the data security transmission system is working, eliminating the user's waiting time.
An exemplary process for storing data with the encrypted USB flash disk is described below with reference to FIG. 2:
(1) Mount the interface device. Insert the USB flash disk into a computer and mount it normally, for example with the mount command. After the USB flash disk is mounted, the devlist command can be run from the access terminal; it displays the number (device count) of USB flash disks mounted on the Linux system and their names (device drives), so that successful mounting can be checked. The device count command shows only the number of interface devices, i.e. of the special encrypted USB flash disks of this embodiment. Running devlist displays the drives of the encryption interface device, i.e. the USB flash disk name, and prompts "revopen usb disk name". devlist does not display information about ordinary USB flash disks.
(2) Establish the interface device connection. Connect to the USB flash disk through the access terminal; specifically, open the USB flash disk with the revopen command described above, and the USB flash disk's bootstrap program establishes the connection with the access terminal according to that command. When the designated USB flash disk mounted on the Linux system is opened with revopen, a password is entered to connect to the read-only encryption area on the encrypted USB flash disk, which further improves its security. After the connection succeeds, the capacity information of the interface device, including the total capacity and available space of the USB flash disk, is displayed automatically by default, so the user can proceed directly to file transfer operations on the connected USB flash disk.
(3) Carry out file transfer processing: when a user transfers a local Linux file to the encrypted USB flash disk, the system stores the local file on the encrypted USB flash disk through the cp/cpy/copy command, processing the file stream with the AES encryption algorithm in asynchronous delegation mode; when a user transfers a file from the encrypted USB flash disk to the local Linux system, the system decrypts it in asynchronous delegation mode and then stores it locally as a file stream; when a user deletes a file with the rm command of the Linux shell command line, the system deletes the file on the USB flash disk directly in asynchronous delegation mode.
(4) Disconnect the interface device. Close the connection between the interface device and the access terminal with the devclose command, disconnecting the access terminal from the USB flash disk.
By adopting the asynchronous delegation mode, the system can execute several read-write tasks simultaneously, thereby supporting real-time bidirectional transmission between the interface device and the access terminal, efficiently and easily. When the access terminal writes an encrypted file into the encrypted USB flash disk using asynchronous I/O, the system thread can delegate the encryption during execution; the encryption itself is executed in the bootstrap program. When the bootstrap program carries out file encryption, decryption or transmission, a callback function for encryption, decryption or transmission is set in the main calling program of the bootstrap program, and the callback function is executed automatically after the encryption, decryption or transmission process completes. The main caller does not need to wait during encryption, decryption or transmission. The callback method is executed asynchronously in the asynchronous delegation mode to complete the encryption and return the result. The parameters of the asynchronous callback method include the method that implements the delegated requirement, i.e. the method of the delegated requirement is passed as the delegation parameter; for example, the method of the delegated requirement returns a specific prompt after the encryption process completes. Other read and write tasks can therefore be performed at the same time as encryption and decryption.
Reading and writing file data is inherently a resource-consuming process, and the larger the amount of data processed, the more pronounced the influence of I/O on system performance. The asynchronous delegation mode of the encryption, decryption and transmission processes avoids the program entering a 'paralyzed' state because of long waits on I/O operations. For a railway signal system aiming at safety, high efficiency and real-time performance, encrypted transmission of large files can thus be achieved without waiting or blocking, improving the user experience.
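The session of steps (1) to (4) above and the asynchronous delegation mode, as an added Go model that is not the patent's own code: the boot program (the Device methods) is the only code that touches the hidden partition, the first command (revopen) turns the password into the AES key, every second-command operation (cp in, cp out) refuses to run before it or after devclose, and Delegate hands each encrypt/decrypt job to a callback so the caller does not wait. AES-GCM, the sha256 key derivation, the salt string and all names are assumptions of this example; the patent specifies only AES.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"sync"
)

// Device: partition 1 is the boot program (these methods); partition 2 holds only ciphertext.
type Device struct {
	mu     sync.Mutex
	aead   cipher.AEAD       // nil until revopen has succeeded
	hidden map[string][]byte // second partition: file name -> nonce || AES-GCM ciphertext
}
func NewDevice() *Device { return &Device{hidden: map[string][]byte{}} }

// Revopen is the first control command: the password becomes the AES-256 key.
// sha256 is a stand-in for a real password KDF (an assumption of this example).
func (d *Device) Revopen(password string) (err error) {
	key := sha256.Sum256([]byte("revopen-salt:" + password))
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always accepted
	d.aead, err = cipher.NewGCM(block)
	return err
}

// Devclose drops the key, so no further second-command operation succeeds.
func (d *Device) Devclose() { d.aead = nil }

// CopyIn (cp to the disk) encrypts a plaintext stream into the hidden partition.
func (d *Device) CopyIn(name string, plain []byte) error {
	if d.aead == nil {
		return errors.New("not connected: revopen first")
	}
	nonce := make([]byte, d.aead.NonceSize()) // fresh nonce per file
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	d.mu.Lock()
	defer d.mu.Unlock()
	d.hidden[name] = d.aead.Seal(nonce, nonce, plain, []byte(name))
	return nil
}

// CopyOut (cp from the disk) decrypts one file; a wrong key or a modified record fails the GCM tag check.
func (d *Device) CopyOut(name string) ([]byte, error) {
	if d.aead == nil {
		return nil, errors.New("not connected: revopen first")
	}
	d.mu.Lock()
	ct, ok := d.hidden[name]
	d.mu.Unlock()
	if ns := d.aead.NonceSize(); ok && len(ct) >= ns {
		return d.aead.Open(nil, ct[:ns], ct[ns:], []byte(name))
	}
	return nil, errors.New("no such file or corrupt record")
}

// Delegate runs op in the background and calls back with its result (asynchronous delegation);
// the returned channel closes after the callback has run.
func Delegate(op func() error, callback func(error)) <-chan struct{} {
	done := make(chan struct{})
	go func() { callback(op()); close(done) }()
	return done
}
```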
In the embodiment of the invention, the data security transmission system, namely the control terminal, supports a Linux system and is based on universal bus data transmission; the conversion, encryption, decryption and similar operations on file data streams between the local Linux system and the USB flash disk encryption region can be carried out in a train control and interlocking system under the Linux environment. Only with the support of the data security transmission system terminal can the hidden encryption partition in the USB flash disk be recognized, so that the terminal is not affected by viruses, malicious scripts and similar operations, and lossless, high-security transmission of data files on the control and interlocking system equipment in a Linux environment is ensured. The terminal is based on a Linux system, adopts a shell command line mode to meet the requirements of site construction, and is suitable for the development of the special, practical functions of the signal system it is adapted to. The access terminal, as special software for the secure transmission of data, can meet the special requirements of the system: it can be operated on train control, interlocking, TSRS and RBC maintenance systems in the railway signal field, it achieves safe and lossless transmission of data files on the premise that the terminal is not affected by viruses, malicious scripts and similar operations, and at the same time it carries the practical functions required for site construction.
In the file transmission processing flow, the symmetric encryption algorithm AES is adopted to operate on sensitive files and similar information when files are encrypted and decrypted. Compared with the DES (Data Encryption Standard) and 3DES (Triple DES) data encryption standard algorithms, AES supports key lengths of 128, 192 and 256 bits, and has the advantages of lower resource consumption and a higher security level. As a new generation data encryption standard, AES has strong security, high performance, high efficiency, ease of use and flexibility, and can better meet the data encryption security requirements of current distributed open networks. The AES algorithm is adopted to encrypt the files in the Linux system on the notebook computer and the industrial personal computer, and on this basis the data security transmission system improves the security and safety of sensitive files.
Although the interface device is illustrated in the form of a USB flash disk and the device to which the access terminal is attached is illustrated in the form of a notebook in the drawings of the present invention, the interface device is not limited to a USB flash disk and the device to which the access terminal is attached is not limited to a notebook. For example, the interface device in the embodiment may be a USB flash disk, a mobile hard disk, and the like, and the access terminal may be an industrial personal computer, and the like. Meanwhile, the operating system is not limited to Linux; other systems providing a command line, such as a Windows system providing DOS commands, are also possible. Preferably, for an industrial control environment with higher safety requirements, the operating system adopts a Linux system, and the command line tool is shell-based control terminal software.
The connection in the present invention does not necessarily mean a direct electrical connection; other types of connections, such as Bluetooth, NFC, WIFI, etc., may also be used. The terms first and second are merely used to distinguish one item from another, and do not necessarily indicate a sequential order.
Based on the same inventive concept, the embodiment of the invention also provides a data secure transmission method, which comprises the following steps:
the interface equipment receives a control command of an access terminal;
and the bootstrap program in the first partition of the interface equipment controls the interface equipment to establish connection with the access terminal according to the control command, and reads and writes encrypted data in the second partition of the interface equipment based on the control command. Specifically, the bootstrap program controls the interface device to establish connection with the access terminal according to a first command in the control commands; and reading and writing the encrypted data in the second partition of the interface equipment based on the second instruction in the control command.
The reading and writing of the encrypted data in the second partition of the interface device by the bootstrap program in the first partition based on the control command specifically includes:
the bootstrap program in the first partition encrypts data sent by an access terminal to form encrypted data, and writes the encrypted data into a second partition of the interface device; or,
and the bootstrap program in the first partition reads the encrypted data from the second partition, decrypts the encrypted data, and sends the decrypted data to the access terminal.
In the embodiment of the present invention, the interface device may be the interface device in the above embodiment, where the first partition uses a standard protocol SCSI, and the second partition uses a dedicated protocol, that is, the instruction interface is provided by a user-defined function in the boot program, instead of following the existing published standard protocol.
In addition, the data interaction between the interface device and the access terminal can adopt an asynchronous delegation mode to improve efficiency. The specific implementation of the data secure transmission method in the embodiment of the present invention may be obtained from the contents of the embodiments of the data secure transmission interface device and system, and will not be described in detail.
The data security transmission interface device, system and method in the embodiment of the invention have the advantages that the device is subjected to partition management, the data storage area is hidden and encrypted, the bootstrap program is stored in the non-secret read-only partition, and data reading and writing in the encryption area must pass through the bootstrap program of the read-only non-secret area, so that the security of data reading and writing is improved. The bootstrap program realizes the final data interaction hierarchically through two control commands, further improving the security and expandability of the reading and writing process. In the invention, the interface device is accessed through the special access terminal, thereby avoiding the situation in which the operating system of the external device accesses the interface device arbitrarily and causes erroneous reading and writing or malicious virus damage. The interface device can be used for industrial control of external equipment, and guarantees data privacy and system safety in the data interaction process.
Although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (14)

1. A data security transmission interface device is characterized in that,
the interface device comprises a first partition and a second partition;
the first partition is provided with a bootstrap program;
the second partition is to store encrypted data encrypted by the boot program.
2. Interface device according to claim 1,
the first partition is a visible read-only partition;
the second partition is an encrypted hidden partition.
3. Interface device according to claim 1,
and the interface equipment reads and writes through the corresponding access terminal.
4. Interface device according to claim 3,
the bootstrap program is used for receiving a control command of the access terminal;
the control command comprises a first command and a second command;
the bootstrap program establishes connection with the access terminal according to the first command;
and the bootstrap program realizes the data interaction between the interface equipment and the external equipment according to the second command.
5. Interface device according to claim 1,
the bootstrap program encrypts data according to the write-in command and writes the data into the second partition;
and the bootstrap program decrypts the data of the second partition according to the read command and outputs the decrypted data.
6. The interface device according to claim 4 or 5, wherein the interface device performs data interaction with the interface device in an asynchronous delegation manner based on a control command.
7. A data security transmission system is characterized by comprising an interface device and an access terminal;
the interface equipment comprises a first partition and a second partition, and the first partition is provided with a bootstrap program;
the access terminal is used for accessing the interface device through the bootstrap program, and the bootstrap program encrypts data and stores the encrypted data in the second partition.
8. The system of claim 7,
the access terminal accesses the interface equipment through a control command;
the control command comprises a first command and a second command;
the bootstrap program establishes connection with the access terminal according to the first command;
and the bootstrap program realizes the data interaction between the interface equipment and the external equipment according to the second command.
9. The system of claim 7 or 8, wherein the data interaction employs an asynchronous delegation mode.
10. The system of claim 9, wherein the system supports real-time bi-directional intercommunication of the interface device with the access terminal.
11. The system of claim 7,
the system encrypts data according to the write-in command and writes the encrypted data into the second partition;
and the system decrypts the data of the second partition according to the read command and outputs the decrypted data.
12. A method for secure transmission of data, the method comprising:
the interface equipment receives a control command of an access terminal;
the bootstrap program in the first partition of the interface equipment controls the interface equipment to establish connection with the access terminal according to the control command;
and the boot program in the first partition reads and writes the encrypted data in the second partition of the interface equipment based on the control command.
13. The method according to claim 12, wherein the boot program in the first partition reads and writes the encrypted data in the second partition of the interface device based on the control command, specifically:
the bootstrap program in the first partition encrypts data sent by an access terminal to form encrypted data, and writes the encrypted data into a second partition of the interface device; or,
and the bootstrap program in the first partition reads the encrypted data from the second partition, decrypts the encrypted data, and sends the decrypted data to the access terminal.
14. The method according to claim 12, wherein the controlling the interface device to establish a connection with the access terminal according to the control command specifically includes:
the bootstrap program in the first partition controls the interface equipment to establish connection with the access terminal based on a first command in the control commands;
and the boot program in the first partition reads and writes the encrypted data in the second partition of the interface equipment based on the second instruction in the control command.
CN202010330287.XA 2020-04-24 2020-04-24 Data security transmission interface equipment, system and method Pending CN113553632A (en)
Publications (1)

Publication Number Publication Date
CN113553632A true CN113553632A (en) 2021-10-26
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination