CN113569272B - Secure computer implementation method and secure computer - Google Patents

Secure computer implementation method and secure computer Download PDF

Info

Publication number
CN113569272B
CN113569272B CN202111133712.7A CN202111133712A CN113569272B CN 113569272 B CN113569272 B CN 113569272B CN 202111133712 A CN202111133712 A CN 202111133712A CN 113569272 B CN113569272 B CN 113569272B
Authority
CN
China
Prior art keywords
data
intranet
equipment
encryption
usb
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111133712.7A
Other languages
Chinese (zh)
Other versions
CN113569272A (en
Inventor
戚建淮
崔宸
唐娟
曾昌鹏
刘建辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Y&D Electronics Information Co Ltd
Original Assignee
Shenzhen Y&D Electronics Information Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Y&D Electronics Information Co Ltd filed Critical Shenzhen Y&D Electronics Information Co Ltd
Priority to CN202111133712.7A priority Critical patent/CN113569272B/en
Publication of CN113569272A publication Critical patent/CN113569272A/en
Application granted granted Critical
Publication of CN113569272B publication Critical patent/CN113569272B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/606Protecting data by securing the transmission between two devices or processes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits

Abstract

The invention relates to a secure computer implementation method, which comprises the following steps: arranging an encryption chip between a hard disk and a mainboard so as to encrypt data written into the hard disk and decrypt data flowing out of the hard disk in real time; controlling the data encryption, directional leading-in and leading-out between the USB equipment and the intranet system; controlling the directional data transmission between the computers in the intranet; and controlling the internal network system to export the data of the external network in a directional manner. The invention also relates to a secure computer. The implementation of the safety computer and the realization method thereof can conveniently and quickly realize hardware encryption and software encryption, thereby realizing the forced isolation of a hardware system from the two aspects of hardware and software, ensuring the integrity and confidentiality of information and realizing the safety communication between the safety computer and USB equipment, the inside of an intranet network and an extranet.

Description

Secure computer implementation method and secure computer
Technical Field
The invention relates to the field of security computers, in particular to a security computer implementation method and a security computer.
Background
The performance of the storage system is closely related to the performance of the hard disk used by the storage system, and the common computer is matched with the hard disks with different gears aiming at the storage systems with different performances when leaving the factory, so that the performance of the system is improved. While the performance advantage of the integrated security computer is guaranteed, the confidentiality grade of the hard disk and the communication management and control technology need to be improved, so that the basic requirements of the security computer for internal and external network isolation and the safety requirements of information are met, the stability of the system is improved, and the reliable operation of the system is guaranteed.
The common method of communication management and control at present is to add communication security middleware between an operating system and an application program system and separately extract common parts of functions of security, communication and the like in a security computer. Interfaces for communication security, protocol management, etc. are typically combined to form responsive communication management. In the aspect of hard disk encryption, encryption protection is performed by using passwords, and then password complexity analysis is added.
Therefore, the prior art cannot realize the forced isolation of the hardware system in the internal and external network integrated security computer, and the encryption isolation and confidentiality means is single only by the password, so that the requirement of comprehensive protection cannot be realized. And the security of its communication link is difficult to guarantee.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a secure computer implementation method and a secure computer, which can conveniently and quickly implement hardware encryption and software encryption, thereby implementing forced isolation of a hardware system from both hardware and software, ensuring integrity and confidentiality of information, and implementing secure communication.
The technical scheme adopted by the invention for solving the technical problems is as follows: constructing a secure computer-implemented method comprising the steps of:
s1, arranging an encryption chip between a hard disk and a mainboard so as to encrypt data written into the hard disk and decrypt data flowing out of the hard disk in real time;
s2, controlling the data encryption and directional import and export between the USB equipment and the intranet system;
s3, controlling the directional data transmission between the computers in the intranet;
and S4, controlling the data orientation export of the internal network system to the external network.
In the secure computer implementation method of the present invention, the step S1 further includes the following steps:
s11, welding the startup KEY on the mainboard, and directly inserting the encryption card on the hard disk interface;
s12, connecting the mainboard and the encryption chip by a hard disk data line;
s13, inserting and managing USBKEY on the USB interface outside the case;
s14, the encryption chip is in wired connection communication with the management USBKEY and encrypts the transmitted data.
In the secure computer implementation method of the present invention, the step S2 further includes the following steps:
s21, acquiring an authorized safe USB device list by adopting a safe management and control system;
s22, inserting the USB equipment into a USB interface in an intranet mode;
s23, when the safety management and control system judges that the USB device is a safety device, the encryption import and export of data are allowed;
s24, when the safety management and control system judges that the USB device is an authorized device, the data in the USB device is allowed to be imported, otherwise, the USB device is displayed as an unauthorized device.
In the secure computer implementation method of the present invention, the step S23 further includes the following steps:
s231, when the safety management and control system judges that the USB equipment is the safety equipment, encrypting and transmitting intranet data to the USB equipment through the safety management and control system, and decrypting and transmitting the encrypted data of the USB equipment to the intranet system;
s232, virus checking and killing and sensitive data checking are carried out on the data imported into the intranet system;
in the step S231, the data packet is added to the NFQUEUE queue by adding the corresponding ITABLES rule, and the data is encrypted and decrypted in the NFQUEUE by using an exclusive or algorithm and an SM4 algorithm.
In the secure computer implementation method of the present invention, the step S21 further includes the following steps:
s211, the intranet system acquires the authorized safe USB equipment list from an intranet server;
s212, the intranet system transmits the authorized safe USB equipment list to the safety management and control system.
In the secure computer implementation method of the present invention, the step S3 further includes the following steps:
s31, acquiring directional export configuration information from the intranet server at regular time by adopting a safety management and control system;
s32, selecting an export device by the user based on the orientation export configuration information;
and S33, distributing the data directionally derived from the deriving device to a receiving device through the intranet server according to the directionally derived configuration information.
In the secure computer implementation method of the present invention, the step S33 further includes the following steps:
s331, acquiring identity mark information of a receiving device, a transmission node and a server according to the orientation derivation configuration information;
s332, establishing a database according to the identity mark information;
s333, establishing a receiving equipment identity identification table, a transmission node identity identification table and a server identity identification table according to the information in the database;
s334, analyzing the receiving equipment identity recognition table, the transmission node identity recognition table and the server identity recognition table to select a data transmission path;
and S335, transmitting the data to the receiving equipment according to the data transmission path.
In the secure computer implementation method of the present invention, the step S4 further includes the following steps:
s41, the intranet server receives the data extranet export request and pushes the data extranet export request to be audited by an administrator;
s42, the administrator distributes data access authorization codes after passing the audit, and the intranet system transmits data to the security partition of the intranet server through the oriented transmission of the data between the intranet computers;
s43, after the data access authorization code is verified, the data is transmitted to the terminal equipment which sends out the data extranet export request;
and S44, after the transmission is finished, the intranet server automatically deletes the data.
In the method for realizing the safety computer, the data extranet export request is audited by a first-level administrator, a second-level administrator and a third-level administrator; and storing the data transmission record into the intranet server, and clearing the transmitted data by the intranet server at regular time.
Another technical solution adopted by the present invention to solve the technical problem is to construct a secure computer, wherein the secure computer is implemented according to the secure computer implementation method described above.
The implementation of the safety computer and the realization method thereof can conveniently and quickly realize hardware encryption and software encryption, thereby realizing the forced isolation of a hardware system from the two aspects of hardware and software, ensuring the integrity and confidentiality of information and realizing the safety communication between the safety computer and USB equipment, the inside of an intranet network and an extranet.
Drawings
The invention will be further described with reference to the accompanying drawings and examples, in which:
FIG. 1 is a flow chart of a first preferred embodiment of a secure computer implemented method of the present invention;
FIG. 2 illustrates the architecture of the hard disk encryption system of the present invention;
fig. 3 is a flowchart illustrating a process of controlling data encryption oriented import and export between a USB device and an intranet system according to a preferred embodiment of the present invention;
FIG. 4A is a schematic diagram of XOR algorithm encryption and decryption;
fig. 4B is a schematic diagram of SM4 algorithm encryption and decryption;
FIG. 5 illustrates a flow chart of an intranet network orientation controllable derivation in accordance with a preferred embodiment of the present invention;
FIG. 6 shows a flow diagram of data-directed export of an intranet system to an extranet according to a preferred embodiment of the present invention;
FIG. 7 shows a schematic block diagram of a preferred embodiment of the security computer of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
FIG. 1 is a flow chart of a first preferred embodiment of the secure computer implemented method of the present invention. As shown in fig. 1, in step S1, an encryption chip is disposed between a hard disk and a motherboard to encrypt data written to the hard disk and decrypt data flowing out of the hard disk in real time. In a preferred embodiment of the invention, the startup KEY is welded on the mainboard, and the encryption card is directly inserted into the hard disk interface; connecting the mainboard and the encryption chip by using a hard disk data line; inserting a management USBKEY on a USB interface outside the case; the encryption chip is in wired connection communication with the management USBKEY and encrypts the transmitted data.
In a preferred embodiment of the present invention, the architecture of the hard disk encryption system of the secure computer is shown in FIG. 2. As shown in fig. 2, an encryption chip is used between the hard disk and the motherboard, so that encryption and decryption operations can be performed on data of the hard disk transparently in real time. A safety management and control system is installed in an operating system of the safety computer, is a bridge for communication between upper application software and a hard disk encryption chip, and simultaneously controls the running behavior of other software of the computer. The upper-layer behavior management application software and the remote control software are communicated to obtain rule parameters set by a user, and simultaneously report the hardware ID and the program running log information of the computer, and in addition, if the hardware information is changed or an encryption system is damaged, the computer cannot be normally logged in or automatically shut down and restarted.
In the preferred embodiment, the encryption card is convenient and reliable to install, can be directly inserted into a hard disk interface, and then is connected with the mainboard through a hard disk data line. The management USBKEY is adopted, the encryption card and the management USBKEY are communicated in a wired connection mode, data transmitted in communication are encrypted, an encrypted secret key is one-time encrypted, the universality is high, and the secret key value cannot be analyzed outside. The key loading condition can be prompted by a buzzer on the encryption card and a lamp on the USBKEY. The encryption chip is arranged between the mainboard and the hard disk, a high-performance hard password operation processor is embedded, data written into the hard disk are transparently encrypted in real time, and data flowing out of the hard disk are decrypted. The hard disk encryption system can encrypt/decrypt the content of the whole hard disk in real time, including hiding sectors; hard disk information can be shielded to the upper layer, and disk control instructions can be filtered; supporting an international standard or a national cipher block encryption algorithm; CPU interference is not needed, the transparent software is provided for the upper layer, and the performance of the computer is hardly influenced; and the independent key management unit cannot acquire the key from the outside, so that the safety is high and the anti-cracking performance is strong. And the hard disk data one-key self-destruction can be realized by destroying the secret key. An encryption card adopting a CPU intelligent card key is arranged on a front panel of the case; the encryption card is directly inserted into the hard disk interface, and the secret key is loaded in a wired mode, so that the encryption card is conveniently buried in the case deeply. The solid state disk encryption box has the appearance consistent with that of a standard 2.5-inch hard disk, and can be applied to computer equipment with compact space, such as an all-in-one machine and the like. And a private key distribution and modification tool or a related application development kit is provided, so that secondary development of users is facilitated.
In a preferred embodiment of the present invention, the boot KEY stores boot authorization information, such as a time value and a password. Wherein, the time charging process is as follows. The applicant executes the program on the encryption security computer to generate an authorization application form, and the authorizer generates a time authorization form on the own security computer according to the authorization application form. The applicant: and installing the time authorization book on the encrypted security computer.
Hardware encryption can be conveniently and rapidly realized by arranging the hard disk encryption system, data transmitted by communication are encrypted by adopting a key encryption mode of managing the USBKEY one-time pad, the safety is high, and the key value cannot be analyzed by the outside; the key loading condition can be prompted by a buzzer on the encryption card and a lamp on the USBKEY. The encryption chip is embedded with a high-performance hard password operation processor, transparently encrypts data written into the hard disk in real time, decrypts data flowing out of the hard disk, and further enhances the security level.
In step S2, the data encryption and directional import/export between the USB device and the intranet system is controlled. In the preferred embodiment of the invention, a safety management and control system is adopted to obtain an authorized safety USB device list; inserting the USB equipment into a USB interface in an intranet mode; when the safety management and control system judges that the USB equipment is safety equipment, the encryption import and export of data are allowed; when the safety management and control system judges that the USB equipment is authorized equipment, the data in the USB equipment is allowed to be imported, otherwise, the USB equipment is displayed as unauthorized equipment.
In a further preferred embodiment of the present invention, when the security management and control system determines that the USB device is a security device, the security management and control system encrypts and transmits intranet data to the USB device, and decrypts and transmits encrypted data of the USB device to the intranet system; and virus killing and sensitive data inspection are carried out on the data imported into the intranet system. Further, in the preferred embodiment, the data packet is added to the NFQUEUE queue by adding the corresponding ITABLES rule, and the data is encrypted and decrypted in the NFQUEUE queue by using the xor algorithm and SM4 algorithm.
Fig. 3 is a flowchart illustrating a process of controlling data encryption oriented import and export between a USB device and an intranet system according to a preferred embodiment of the present invention.
As shown in fig. 3, the intranet system obtains the authorized secure USB device list from an intranet server. And the intranet system transmits the authorized safe USB equipment list to the safe management and control system. Then, inserting USB equipment into the USB interface in the intranet mode, and carrying out identity identification safety authentication on the USB equipment by the safety management and control system. Firstly, judging whether the USB equipment is safety equipment or not, and if so, supporting a user to carry out an intranet system data importing and exporting step. If not, judging whether the USB equipment is authorized equipment or not, if so, allowing the data in the USB equipment to be imported, otherwise, displaying that the USB equipment is unauthorized equipment.
The user performs the procedure of importing and exporting data of the intranet system as follows. The data of the intranet system is encrypted and transmitted through the safety management and control system and led out to the USB equipment, and the encrypted data of the USB equipment is decrypted and transmitted through the safety management and control system and led into the intranet system. And (4) carrying out virus killing and sensitive data inspection on the data imported into the intranet system, and writing the virus file and the sensitive data into the isolation area.
In the preferred embodiment of the present invention, the data packet is added into the NFQUEUE queue by adding the corresponding ITABLES rule, and the data is encrypted and decrypted in the NFQUEUE queue by using the xor algorithm and SM4 algorithm.
In the preferred embodiment of the present invention, the xor algorithm is as shown in fig. 4A, and performs xor operation on the data and the 16-byte xor string, the xor string is read from the configuration file, and the final result is used as the ciphertext. When decrypting, only the ciphertext and the same XOR string need to be subjected to XOR operation, and then the plaintext data can be recovered.
In the preferred embodiment of the present invention, as shown in fig. 4B, the SM4 algorithm performs SM4 operation on data of an integral multiple of 16 bytes before plaintext data, reads a symmetric key from a configuration file, performs xor operation on the remaining bytes and a 16-byte specified xor string, and finally concatenates two parts of ciphertext to obtain the whole ciphertext. If the plaintext length is less than 16 bytes, the result of the XOR operation between the plaintext data and the 16-byte specified XOR string is directly used as the ciphertext. And during decryption, performing SM4 operation on data with the integral multiple length of the first 16 bytes of the ciphertext data, reading the symmetric key from the configuration file, performing XOR operation on the remaining bytes and the specified 16-byte XOR string, and finally splicing the two parts of plaintext to obtain the whole plaintext. If the cipher text is less than 16 bytes in length, the result of the exclusive OR operation of the cipher text data and the 16 byte specified exclusive OR string is directly used as the plain text.
In step S3, the directional transmission of data between the intranet computers is controlled. In the preferred embodiment of the invention, a safety management and control system is adopted to obtain the directional derivation configuration information from the intranet server at regular time; selecting, by a user, an export device based on the directional export configuration information; and distributing the data directionally derived from the deriving device to a receiving device through the intranet server according to the directionally derived configuration information.
For example, all the secure computer intranets are connected with an intranet server to configure the directional export of the secure computer intranets, and the security management and control system can acquire the directional export configuration information from the intranet server at regular time. The safety management and control system reads the configuration information of the directional export path and informs the intranet system of the configuration information, the safety computer equipment capable of directionally exporting is displayed, a user selects other intranet computers to be exported to conduct controllable directional export of data, and directional export needs to guarantee that only data transmission can be conducted, and other tasks such as calculation, import and the like cannot be conducted. The data exported directionally pass through the background server, the server distributes the data according to the configuration information, the data are transmitted to other intranet safety computers, the safety computers can see the transmission progress of the data, and meanwhile, the received safety computers ensure time division single task control and cannot run other tasks.
Fig. 5 shows a flow chart of network direction controllable derivation. As shown in fig. 5, the identity flag information of the receiving device, the transmission node, and the server is obtained according to the orientation derivation configuration information; establishing a database according to the identity mark information; establishing a receiving equipment identity identification table, a transmission node identity identification table and a server identity identification table according to the information in the database; analyzing the receiving equipment identity identification table, the transmission node identity identification table and the server identity identification table to select a data transmission path; and transmitting the data to the receiving equipment according to the data transmission path.
In step S4, the intranet system is controlled to export data to the extranet. In the preferred embodiment of the invention, an intranet server receives a data extranet export request and pushes the data extranet export request to an administrator for auditing; the administrator distributes data access authorization codes after passing the audit, and the intranet system transmits data to the security partition of the intranet server through the oriented data transmission among the intranet computers; after the data access authorization code is verified, transmitting the data to a terminal device which sends out a data extranet export request; and after the transmission is finished, the intranet server automatically deletes the data. In a preferred embodiment of the present invention, the data extranet export request is audited by a primary administrator, a secondary administrator, and a tertiary administrator; and storing the data transmission record into the intranet server, and clearing the transmitted data by the intranet server at regular time.
As shown in fig. 6, the user sends a data extranet export request to the intranet server. The intranet server pushes an extranet export request to a primary administrator, a secondary administrator and a tertiary administrator respectively. And if the audit is not passed, sending an audit not passed notice. The intranet system receives the notice that the audit is not passed. Data export cannot take place. The deriving step is performed after all administrators have approved the audit. And after the verification is passed, the administrator distributes the data access authorization code, and the intranet system transmits data to the security partition of the intranet server through network oriented data. The network-oriented data transmission process may refer to the embodiment corresponding to step S3, and will not be described in detail herein. A system administrator enters the intranet server through terminal login verification and can check the safety subareas of the intranet server. When the user inputs the data access authorization code, the system administrator can transmit the file to the local administrator terminal, and the record of the transmitted data is stored in the intranet server system. And after the data transmission is finished, the intranet server automatically deletes the transmitted files, and the intranet server detects that the files exist in the half-year files and automatically deletes the files.
The invention makes changes from hardware composition and software system control on the basis of the internal and external network safety integrated machine, and more safely and effectively ensures that a link between a safety computer terminal and the communication of the safety computer terminal is safe and reliable. The hardware environment of hardware integrated dual-network dual-system independent operation is in an all-in-one machine, the function control of a communication interface is further added, network controllable directional leading-in and leading-out are carried out on an intranet link, and the intranet system supports controllable safe USB communication. And in the aspect of hardware, the hard disk encryption and decryption and USBKEY authorization authentication of an intranet system and an intranet server are added.
FIG. 7 shows a schematic block diagram of a preferred embodiment of the security computer of the present invention. The secure computer may be implemented by a person skilled in the art on the basis of a normal secure computer according to the method described above. Based on the teachings of the present invention, those skilled in the art can construct a secure computer that implements the present invention, and will not be reiterated here.
Accordingly, the present invention can be realized in hardware, software, or a combination of hardware and software. The present invention can be realized in a centralized fashion in at least one computer system, or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system or other apparatus adapted for carrying out the methods of the present invention is suited. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein.
The present invention may also be implemented by a computer program product, comprising all the features enabling the implementation of the methods of the invention, when loaded in a computer system. The computer program in this document refers to: any expression, in any programming language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to other languages, codes or symbols; b) reproduced in a different format.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the invention without departing from its scope. Therefore, it is intended that the invention not be limited to the particular embodiment disclosed, but that the invention will include all embodiments falling within the scope of the appended claims.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (7)

1. A secure computer implementation method, comprising the steps of:
s1, arranging an encryption chip between a hard disk and a mainboard so as to encrypt data written into the hard disk and decrypt data flowing out of the hard disk in real time;
s2, controlling the data encryption and directional import and export between the USB equipment and the intranet system;
s3, controlling the directional data transmission between the computers in the intranet;
s4, controlling the data of the internal network system to be directed and exported to the external network;
the step S2 further includes the steps of:
s21, acquiring an authorized safe USB device list by adopting a safe management and control system;
s22, inserting the USB equipment into a USB interface in an intranet mode;
s23, when the safety management and control system judges that the USB device is a safety device, the encryption import and export of data are allowed;
s24, when the safety management and control system judges that the USB equipment is authorized equipment, allowing the data in the USB equipment to be imported, otherwise, displaying that the USB equipment is unauthorized equipment;
the step S3 further includes the steps of:
s31, acquiring directional export configuration information from the intranet server at regular time by adopting a safety management and control system;
s32, selecting an export device by the user based on the orientation export configuration information;
s33, distributing the data directionally derived from the deriving device to a receiving device through the intranet server according to the directionally derived configuration information;
the step S4 further includes the steps of:
s41, the intranet server receives the data extranet export request and pushes the data extranet export request to be audited by an administrator;
s42, the administrator distributes data access authorization codes after passing the audit, and the intranet system transmits data to the security partition of the intranet server through the oriented transmission of the data between the intranet computers;
s43, after the data access authorization code is verified, the data is transmitted to the terminal equipment which sends out the data extranet export request;
and S44, after the transmission is finished, the intranet server automatically deletes the data.
2. The secure computer implemented method of claim 1, wherein the step S1 further comprises the steps of:
s11, welding the startup KEY on the mainboard, and directly inserting the encryption card on the hard disk interface;
s12, connecting the mainboard and the encryption chip by a hard disk data line;
s13, inserting management USBKEY on the USB interface outside the case;
s14, the encryption chip is in wired connection communication with the management USBKEY and encrypts the transmitted data.
3. The secure computer implemented method of claim 1, wherein the step S23 further comprises the steps of:
s231, when the safety management and control system judges that the USB equipment is the safety equipment, encrypting and transmitting intranet data to the USB equipment through the safety management and control system, and decrypting and transmitting the encrypted data of the USB equipment to the intranet system;
s232, virus checking and killing and sensitive data checking are carried out on the data imported into the intranet system;
in the step S231, the data packet is added to the NFQUEUE queue by adding the corresponding ITABLES rule, and the data is encrypted and decrypted in the NFQUEUE by using an exclusive or algorithm and an SM4 algorithm.
4. The secure computer implemented method of claim 1, wherein the step S21 further comprises the steps of:
s211, the intranet system acquires the authorized safe USB equipment list from an intranet server;
s212, the intranet system transmits the authorized safe USB equipment list to the safety management and control system.
5. The secure computer implemented method of claim 1, wherein the step S33 further comprises the steps of:
s331, acquiring identity mark information of a receiving device, a transmission node and a server according to the orientation derivation configuration information;
s332, establishing a database according to the identity mark information;
s333, establishing a receiving equipment identity identification table, a transmission node identity identification table and a server identity identification table according to the information in the database;
s334, analyzing the receiving equipment identity recognition table, the transmission node identity recognition table and the server identity recognition table to select a data transmission path;
and S335, transmitting the data to the receiving equipment according to the data transmission path.
6. The secure computer implemented method of claim 1, wherein in step S4, the data extranet export request is audited by a primary administrator, a secondary administrator, and a tertiary administrator; and storing the data transmission record into the intranet server, and clearing the transmitted data by the intranet server at regular time.
7. A secure computer, characterized in that it is implemented according to the method of any one of claims 1 to 6.
CN202111133712.7A 2021-09-27 2021-09-27 Secure computer implementation method and secure computer Active CN113569272B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111133712.7A CN113569272B (en) 2021-09-27 2021-09-27 Secure computer implementation method and secure computer

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111133712.7A CN113569272B (en) 2021-09-27 2021-09-27 Secure computer implementation method and secure computer

Publications (2)

Publication Number Publication Date
CN113569272A CN113569272A (en) 2021-10-29
CN113569272B true CN113569272B (en) 2022-01-11

Family

ID=78174765

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111133712.7A Active CN113569272B (en) 2021-09-27 2021-09-27 Secure computer implementation method and secure computer

Country Status (1)

Country Link
CN (1) CN113569272B (en)

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101038568B (en) * 2007-04-16 2010-05-19 丁万年 Method and device for encrypting date of external computer hard disk
CN102930229B (en) * 2011-01-18 2015-06-03 苏州国芯科技有限公司 Office system for improving data security
KR101451369B1 (en) * 2011-04-29 2014-10-16 엘에스아이 코포레이션 Encrypted transport solid­state disk controller
CN102279916A (en) * 2011-09-08 2011-12-14 深圳市中威讯安科技开发有限公司 Safety tablet computer
CN105871902A (en) * 2016-05-25 2016-08-17 安徽问天量子科技股份有限公司 Data encryption and isolation system
CN107026850B (en) * 2017-03-17 2018-07-31 中科曙光南京研究院有限公司 A kind of intranet and extranet document exchange method
CN108040009B (en) * 2017-11-15 2021-01-26 平安科技(深圳)有限公司 Data directional transmission method, data directional transmission control device and computer readable storage medium
CN209330161U (en) * 2019-01-22 2019-08-30 深圳市永达电子信息股份有限公司 One kind three uses trusted computer system
CN110572357B (en) * 2019-07-25 2020-09-18 中国科学院信息工程研究所 Device and method for realizing safety information export
CN110598428B (en) * 2019-08-22 2021-08-06 中国电子科技集团公司第二十八研究所 USB (Universal Serial bus) equipment management and control system based on Linux user space

Also Published As

Publication number Publication date
CN113569272A (en) 2021-10-29

Similar Documents

Publication Publication Date Title
US20190286630A1 (en) System and method for conducting searches at target devices
US7540018B2 (en) Data security for digital data storage
US7320076B2 (en) Method and apparatus for a transaction-based secure storage file system
CN103246842B (en) For verifying the method and apparatus with data encryption
US7215771B1 (en) Secure disk drive comprising a secure drive key and a drive ID for implementing secure communication over a public network
KR101954863B1 (en) Online wallet apparatus, and method for generating and verifying online wallet
US9721071B2 (en) Binding of cryptographic content using unique device characteristics with server heuristics
US7644285B1 (en) Recovery access to secure data
US20020112161A1 (en) Method and system for software authentication in a computer system
KR101078546B1 (en) Apparatus for coding and decoding of security data file based on data storage unit idedtification, system for electronic signature using the same
US8156548B2 (en) Identification and authentication system and method
JPH1198134A (en) Method for detecting fraudulent alteration and copy of cookie, and program storage medium
KR20170019308A (en) Method for providing trusted right information, method for issuing user credential including trusted right information, and method for obtaining user credential
CN114244508A (en) Data encryption method, device, equipment and storage medium
JP2009199147A (en) Communication control method and communication control program
CN113569272B (en) Secure computer implementation method and secure computer
CN110445804A (en) A kind of safe handling protection system about outgoing document
CN107967432B (en) Safe storage device, system and method
KR101327193B1 (en) A user-access trackable security method for removable storage media
US11088832B2 (en) Secure logging of data storage device events
CN108345801B (en) Ciphertext database-oriented middleware dynamic user authentication method and system
Bakker Mutual authentication with smart cards
JP5361850B2 (en) Access management system
CN115361140A (en) Method and device for verifying security chip key
CN116707795A (en) Information protection method for safety access gateway and safety access gateway

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant