Summary of the invention
The primary object of the present invention is to provide a security authentication method for a removable storage device and a read/write identification device, in which a removable storage device that has a generic interface but a unique identification feature is combined with read/write identification devices of different kinds, and the two can identify and authenticate each other.
A further object of the present invention is to provide a security authentication method for a removable storage device and a read/write identification device in which identification and authentication are realized by a combination of hardware and software.
Another object of the present invention is to provide a security authentication method for a removable storage device and a read/write identification device that guarantees the security and validity of the information stored on the removable storage device, and that supports copyright protection, secure data access, data sharing between devices, rights management, user identity identification, confirmation of the user's service level and similar functions.
The present invention achieves the above objects through the following technical scheme. In the security authentication method for a removable storage device and a read/write identification device, the removable storage device and the read/write identification device are provided with mutually matching electrical interfaces through which data is transferred. The read/write identification device has a central control unit that reads data from the storage device and writes data to it, and the central control unit is connected to a function processing unit. The removable storage device has a storage space for holding unique identification information and is further provided with a security mechanism storage area and a security encrypted data area. The removable storage device has an electrical interface that mates with the read/write identification device, and the two hold mutually matching security authentication algorithms. When the storage device is attached to the read/write identification device, the read/write identification device identifies the storage device and performs authentication; once authentication has passed, the corresponding operation is carried out on the security encrypted data area of the storage device. In the present invention, authentication between the storage device and the read/write identification device is two-way: according to the result of authenticating the read/write identification device, the storage device opens the corresponding storage space to it for reading or writing; according to the result of authenticating the storage device, the read/write identification device provides the corresponding service to it.
To ensure security, the read/write identification device is provided with an IC chip that holds at least the unique identification information, or the security authentication algorithm or keys for the security mechanism storage area. Preferably, the storage device is likewise provided with an IC chip that holds at least the unique identification information or the security authentication algorithm for the security mechanism storage area.
Further, the storage device has one or more security encrypted data areas, at least one of which is divided into a private security encrypted data area and a public security encrypted data area. The private security encrypted data area is used to keep the data of a specific application or service confidential; the public security encrypted data area is used for data sharing and rights protection among read/write identification devices. The security mechanism storage area holds a version header, from which the read/write identification device verifies whether the storage device carries the security algorithm: if it does, security authentication processing is started; if it does not, security authentication processing is not started.
The security mechanism storage area of the storage device also holds user identification information, from which the read/write identification device checks the legitimacy of the storage device's user in order to activate the storage device. The user identification information is the password with which the user activates the removable storage device.
The security mechanism storage area of the storage device further holds device permission authentication information. The read/write identification device holds a super key that opens the device permission authentication information of the storage device, and from this information it determines the rights of use that the read/write identification device has on the storage device. Specifically, the device permission authentication information comprises: an authentication file version and date, indicating the version and date of the authentication file; the inter-device public security encrypted data area access key, with which the read/write identification device decrypts the data of the public security encrypted data area (keys for the private area, by contrast, are looked up in the private key table); the inter-device public security encrypted data area access rights, indicating which read/write identification devices may access the data of the public security encrypted data area, so that a read/write identification device whose rights information matches this entry may access the storage device; and the private security encrypted data area access rights, indicating whether a read/write device has the right to access the private security encrypted data area.
In addition, all data in the storage device is stored in the form of files, and the read/write device performs all data operations on the storage device in the form of files.
In the present invention, the encrypted information in the storage device is the access program or password of a specific service provider, or copyright protection information.
The read/write identification device holds a private key table for specific applications or services. A specific application or service, that is, an application program that has the corresponding rights, carries an application authorization file that comprises at least: the private key identifier, which denotes the private key used by this application and is looked up in the private key table; the name of the accessible space; and the size of the accessible space.
Thus, when an application on the read/write identification device requests access to the data of the public security encrypted data area of the storage device, the read/write identification device uses its built-in super key to decrypt the device permission authentication file held in the security mechanism storage area of the storage device. It reads this file and confirms whether the read/write identification device has access rights to the public security encrypted data area; if not, it stops. If it does, it obtains the public security encrypted data area access key kept in the permission authentication file of the storage device and uses this key to carry out the data operation in the public security encrypted data area.
When an application on the read/write identification device requests access to the private security encrypted data area of the storage device, the read/write identification device uses its built-in super key to decrypt the device permission authentication file held in the security mechanism storage area of the removable storage device. It reads the device permission authentication file and confirms whether the read/write identification device has access rights to the private security encrypted data area; if it has no such rights, it stops. If it does, it checks whether the application program carries an application authorization certificate; if not, it stops. If it does, the certificate is authenticated; if it is not a legitimate certificate, it stops. For a legitimate certificate, the corresponding key is looked up in the private key table of the read/write identification device according to the certificate content, the data segment accessible to the application is obtained from the certificate content, and this key is used to carry out the data operation in the private security encrypted data area.
A storage device that does not yet have the security authentication mechanism can be set up by the read/write identification device. When the read/write identification device confirms that no security authentication mechanism has been set up in the storage device, it first writes the security authentication version header into the storage device. The user then enters an activation password, or obtains the permission authentication certificate data from the mechanism provider; this is encrypted with the super key and stored in the specific region of the storage device. The public encrypted data area, the private encrypted data area and the ordinary data area are formatted according to the user's choice or default values, which completes the process of building the security authentication mechanism on the storage device.
The read/write identification device may be any of various keyboards, MP3 players, PDAs, electronic dictionaries, digital telephones, digital cameras, voice recorders and the like.
From the analysis of the above technical scheme, the present invention has the following evident advantages:
The removable storage device and the read/write identification device both have a built-in security mechanism, which guarantees the security and validity of the information stored on the removable storage device and provides copyright protection, secure data access, data sharing between devices, rights management, user identity identification, confirmation of the user's service level and similar functions.
The removable storage device carries a specific device permission authentication file and protected data content, while the read/write identification device carries the corresponding data content recognition algorithm. By an agreed mechanism, the read/write identification device performs permission authentication according to the device permission authentication file; only once it is determined to have the rights can it correctly recognize the protected data content on the removable storage device through the information recognition algorithm, and only then can it provide the corresponding service according to the recognized data content.
The same removable storage device can be read and written by different read/write identification devices, and each such device can, through the information recognition algorithm, obtain the data content that is valid for it and provide the corresponding service. An ordinary read/write device that has neither the rights nor the information recognition algorithm cannot correctly recognize the protected data content on the removable storage device.
A specific application or service (an application program with the corresponding rights) can access the protected data content on the removable storage device through the read/write identification device.
Embodiment
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
As shown in Figures 1 and 2, the removable storage device carries specific user identification information, and the specific reading device of the removable storage device is called the read/write identification device. The removable storage device has storage and authentication functions; the read/write identification device can read and write the removable storage device and realize certain specific functions, for example playing audio or taking photographs. In the figures, "Flash broad" denotes the storage device and "Flash broad Reader" denotes the read/write identification device.
The structure and characteristics of the read/write identification device are as follows:
The read/write identification device is embodied in different electronic products, and may be a keyboard read/write identifier, MP3 read/write identifier, PDA read/write identifier, set-top box read/write identifier, disk read/write identifier (as in Fig. 6), Smart PDA read/write identifier, electronic dictionary, digital telephone, digital camera, voice recorder, and so on. The read/write identification device has its own flag information:
1. A unique device ID number: each read/write identification device has a unique device ID number.
2. A device type identifier: read/write identification devices include types such as MP3 player, PDA, electronic dictionary, digital camera and voice recorder; each type is further subdivided by model and manufacturer, and read/write identification devices of the same model from the same manufacturer form one class.
The read/write identification device further holds a super key for opening the device permission authentication file of the removable storage device, that is, for decrypting that file;
The read/write identification device holds a key table for encrypting and decrypting private information, used to encrypt and decrypt the information stored in the private security encrypted data area within the security encrypted area of the removable storage device;
The read/write identification device has functional modules that perform encryption and decryption, authenticate the device permission authentication information, interpret the device permission authentication information held in the security mechanism storage area of the removable storage device, and authenticate the rights of use of this read/write identification device on the removable storage device. The read/write identification device may encrypt and decrypt the information on the removable storage device in software, in hardware, or in a combination of the two. The encryption, decryption and permission authentication algorithms may be any suitable algorithm (for example DES, RSA or a PKI mechanism).
According to its rights, the read/write identification device interprets the encrypted information stored in the removable storage device and processes it accordingly. For example, an MP3-type read/write identification device reading a removable storage device may read a unique identifier, copyright-protected songs, and the access user name and password of a particular network service provider. According to the type of the decrypted information it provides the corresponding service: a unique identifier can serve as the account for the user's downloads of related paid services; a copyright-protected song can be read and played; the access user name and password of a specific network service provider let the device act as an authentication card that automatically provides the user with that specific service when the user connects to the network.
On the other hand, the structure and characteristics of the removable storage device are as follows:
1. The removable storage device has a security mechanism storage area and one or more security encrypted data areas.
2. The security mechanism storage area of the removable storage device holds a version header, user identification information and device permission authentication information.
3. The version header comprises the basic information of the security mechanism on this removable storage device and is one of the marks used to verify whether this removable storage device has the security mechanism;
4. The user identification information is used to identify the legitimacy of the user of this removable storage device, and may be the password with which a user activates the removable storage device;
5. The device permission authentication file is used to authenticate the rights of use of a read/write identification device on this removable storage device. The device permission authentication information is a block of encrypted data; every read/write identification device can interpret this block using the super key, and the rights of use of the read/write identification device on this removable storage device are then determined by authentication.
Specifically, the device permission authentication file comprises the following:
1. Authentication file version and date: indicate the version and date of this authentication file;
2. Inter-device public security encrypted data area access key: used to decrypt the data in the public security encrypted data area shared between devices;
3. Inter-device public security encrypted data area access rights: indicate whether the read/write identification devices of each class (read/write identification devices of the same model and manufacturer form one class) have the right to access the public security encrypted data area;
4. Private security encrypted data area access rights: indicate whether the read/write identification devices of each class have the right to access the private security encrypted data area.
All information stored in the security encrypted data area of the removable storage device is encrypted data, and only a read/write identification device with the corresponding rights can decrypt and correctly read it. The security encrypted data area is further divided into a private security encrypted data area and a public security encrypted data area, where:
1. The private security encrypted data area is small in capacity and high in security level. Data encrypted with a key from the private key table is kept in the private security encrypted data area, which is used to keep the data of a specific application or service confidential.
2. The inter-device public security encrypted data area is large in capacity and lower in security level than the private security encrypted data area; its data content is readable (when the removable storage device has an IC, the data content can be restricted so that it cannot be copied). It may be used for data sharing between read/write identification devices and for copyright protection.
The security encrypted data area of the removable storage device may be the whole storage area or a specific partition. If it is the whole area, all information must be decrypted before it can be read, and everything lies within the protected scope; if it is a partition, there is an ordinary data area in addition to the security encrypted data area.
The removable storage device may have an IC that protects its security mechanism and its security encrypted data area from being damaged by reading devices other than read/write identification devices. If the removable storage device has no IC, the security and validity of the information stored on it are still guaranteed: a reading device other than a read/write identification device cannot correctly read or write the protected data content on the removable storage device, but it might damage that content.
The removable storage device has a file management system:
1. All data in the removable storage device is stored in the form of files;
2. The read/write identification device likewise performs all data operations on the removable storage device in the form of files;
3. The file format is uniform.
The encrypted information on the removable storage device may be the access program or password of a specific service provider, copyright-protected information, and so on. Without this specific encrypted information, a device is not a removable storage device in the sense of the invention; conversely, a storage device that is not yet such a removable storage device but meets the basic requirements can be configured into one by a specific device.
The specific application or service referred to in the present invention is an application program with the corresponding rights. Its application authorization file comprises at least the following:
1. Private key ID: the ID of the private key used by this application, which is looked up in the private key table;
2. Accessible space name: the name of the space (Access Filename) that this application may access;
3. Accessible space size: the size of the space that this application may access.
In summary, the following cases arise in concrete implementation:
| Case | Read/write identification device | Storage device | Storage device has IC |
| A1   | has mechanism                    | has mechanism  | yes |
| A2   | has mechanism                    | has mechanism  | no  |
| B1   | has mechanism                    | no mechanism   | yes |
| B2   | has mechanism                    | no mechanism   | no  |
| C    | no mechanism                     | has mechanism  | yes |
Embodiment one:
The IC of the read/write identification device and the IC of the removable storage device authenticate each other (the authentication may use any of various possible modes, for example inter-device authentication or on-line authentication). Each finds that the other has the mechanism, and at that point the IC of the read/write identification device is set as the leading IC, as shown in Figure 4.
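The two-way authentication between the reader's IC and the storage device's IC described above, as an added example that is not code from the patent. The page names no algorithm (inter-device or on-line modes; DES, RSA or PKI), so this assumes both ICs hold a shared pairing key provisioned in advance and use an HMAC-SHA256 challenge/response; the `IC` class, `mutual_authenticate`, the identifiers and the key are illustrative.

```python
import hashlib
import hmac
import os

def _mac(key: bytes, *parts: bytes) -> bytes:
    # length-prefix every part so "ab"|"c" and "a"|"bc" cannot collide
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class IC:
    """One side of the exchange: either the reader's IC or the storage device's IC.
    Both hold the same pairing key (assumption; the page fixes no algorithm)."""
    def __init__(self, ident: str, pairing_key: bytes):
        self.ident, self.key, self.pending = ident.encode(), pairing_key, None

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)   # fresh per run, so an old response cannot be replayed
        return self.pending

    def respond(self, peer_ident: bytes, peer_challenge: bytes) -> bytes:
        # the answer is bound to both identities and their order, which defeats reflection
        return _mac(self.key, b"resp", peer_challenge, peer_ident, self.ident)

    def verify(self, peer_ident: bytes, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = _mac(self.key, b"resp", self.pending, self.ident, peer_ident)
        self.pending = None             # a challenge can be answered only once
        return hmac.compare_digest(expected, response)

def mutual_authenticate(reader: IC, card: IC):
    """Run both directions; on success the reader's IC becomes the leading IC (embodiment one).
    Returns (authenticated, leading_ic_name)."""
    c_reader, c_card = reader.challenge(), card.challenge()
    card_ok = reader.verify(card.ident, card.respond(reader.ident, c_reader))
    reader_ok = card.verify(reader.ident, reader.respond(card.ident, c_card))
    if card_ok and reader_ok:
        return True, reader.ident.decode()
    return False, None

def demo():
    """Constructed run: a genuine pair, a card with the wrong key, and a replayed response."""
    k = b"pairing-key-provisioned-into-both-ICs"
    ok, leader = mutual_authenticate(IC("reader-0001", k), IC("card-7f3a", k))
    bad, _ = mutual_authenticate(IC("reader-0001", k), IC("clone-card", b"wrong-key"))
    reader, card = IC("reader-0001", k), IC("card-7f3a", k)
    old = card.respond(reader.ident, reader.challenge())   # captured from an earlier run
    reader.challenge()                                     # new session, new challenge
    replayed = reader.verify(card.ident, old)
    return ok, leader, bad, replayed
```

Each side issues its own fresh challenge and the response binds that challenge to both identities, so a response captured earlier does not satisfy a new challenge and a response cannot be reflected back at the party that issued it. A card holding a different key fails in both directions, and `mutual_authenticate` then names no leading IC.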
When an application program is to access the public security encrypted data area of the removable storage device, the IC of the read/write identification device performs the following steps, as shown in Figure 5:
1. The read/write identification device obtains the built-in super key and decrypts the device permission authentication file held in the security mechanism storage area of the removable storage device;
2. It reads the device permission authentication file and confirms whether this read/write identification device has access rights to the public security encrypted data area. If it has no such rights, it stops.
3. If this read/write identification device has access rights to the public security encrypted data area, it obtains the public security encrypted data area access key kept in the device permission authentication file.
4. It uses the public security encrypted data area access key to carry out the data operation in the public security encrypted data area.
When an application program is to access the private security encrypted data area of the removable storage device, the IC of the read/write identification device performs the following steps, as shown in Figure 6:
1. The read/write identification device obtains the built-in super key and decrypts the device permission authentication file held in the security mechanism storage area of the removable storage device;
2. It reads the device permission authentication file and confirms whether this read/write identification device has access rights to the private security encrypted data area. If it has no such rights, it stops.
3. If this read/write identification device has access rights to the private security encrypted data area, it checks whether the application program carries an application authorization certificate. If it does not, it stops.
4. If the application program carries an application authorization certificate, the certificate is authenticated (the authentication may use any of various possible modes). If it is not a legitimate certificate, it stops.
5. For a legitimate certificate, the corresponding key is looked up in the private key table of the read/write identification device according to the certificate content.
6. The data segment accessible to the application program is obtained from the certificate content.
7. This key is used to carry out the data operation in the private security encrypted data area.
Embodiment two:
The read/write identification device reads the version header held in the security mechanism storage area of the removable storage device and determines that the removable storage device conforms to the security mechanism.
Embodiment three:
The read/write identification device reads the location in the security mechanism storage area of the removable storage device where the version header is kept, and determines that the removable storage device does not conform to the security mechanism.
The IC of the read/write identification device then performs the following steps:
The set-up mechanism (equivalent to making a card) calls the card-making program, which writes the version header, the user identification information and the device permission authentication information into the removable storage device, as shown in Figure 7.
The removable storage device now conforms to the security mechanism, and the rest proceeds as in embodiment one.
If it is the read/write identification device that does not conform to the security mechanism, a software package must be installed on it (the whole mechanism is then realized in software, and the device must go on-line to obtain authentication and to verify whether its software and hardware are legitimate copies).
The IC of the removable storage device finds that the read/write identification device does not conform to the security mechanism. The IC of the removable storage device then verifies whether the read/write identification device and its installed software package are legitimate; if they are not, it stops.
If the read/write identification device and its installed software package are legitimate, then when an application program is to access the public security encrypted data area of the removable storage device, the relevant software in the software package performs the following steps:
1. According to the settings of the software package, it obtains the built-in super key and decrypts the device permission authentication file held in the security mechanism storage area of the removable storage device;
2. It reads the device permission authentication file and confirms whether this read/write identification device has access rights to the public security encrypted data area. If it has no such rights, it stops.
3. If this read/write identification device has access rights to the public security encrypted data area, it obtains the public security encrypted data area access key kept in the device permission authentication file.
4. It uses the public security encrypted data area access key to carry out the data operation in the public security encrypted data area.
When an application program is to access the private security encrypted data area of the removable storage device, the relevant software in the software package performs the following steps:
1. It obtains the built-in super key and decrypts the device permission authentication file held in the security mechanism storage area of the removable storage device;
2. It reads the device permission authentication file and confirms whether this read/write identification device has access rights to the private security encrypted data area. If it has no such rights, it stops.
3. If this read/write identification device has access rights to the private security encrypted data area, it checks whether the application program carries an application authorization certificate. If it does not, it stops.
4. If the application program carries an application authorization certificate, the certificate is authenticated (the authentication may use any of various possible modes). If it is not a legitimate certificate, it stops.
5. For a legitimate certificate, the corresponding key is looked up in the private key table of the read/write identification device according to the certificate content.
6. The data segment accessible to the application program is obtained from the certificate content.
7. This key is used to carry out the data operation in the private security encrypted data area.
Data security access embodiment, as shown in Figure 3:
There is a read/write identification device A. According to the needs of the application program on device A, data can be encrypted and then securely deposited in the security encrypted data area (the private security encrypted data area or the inter-device public security encrypted data area) of the removable storage device; encrypted data can likewise be decrypted and securely read.
Concrete steps:
1. The user activates the removable storage device;
2. The IC of device A checks the version header and determines that the removable storage device conforms to the security mechanism;
3. The IC of device A obtains the built-in super key, decrypts the device permission authentication file of the removable storage device, and confirms the access rights of device A to the security encrypted data area;
4. If device A has access rights to the inter-device public security encrypted data area, data can be encrypted with the general shared key in the IC and deposited in the public security encrypted data area; only read/write identification devices can access this data;
5. If device A has access rights to the private security encrypted data area, data can be encrypted with the private key obtained when the IC decrypts the application authorization certificate, and deposited in the private security encrypted data area;
6. Data in the public security encrypted data area can be read by decrypting it with the general shared key in the IC;
7. Data in the private security encrypted data area can be read by decrypting it with the private key obtained when the IC decrypts the application authorization certificate.
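One way to carry out the access steps of this embodiment, of embodiment one (Figures 5 and 6) and of the card-making step of embodiment three, as an added example that is not code from the patent. It assumes: the storage device is a dictionary holding the version header, the user identification information, the encrypted device permission authentication file and the two areas as named files; a toy HMAC-SHA256 based authenticated encryption (`seal`/`unseal`) stands in for the cipher the page leaves open (DES, RSA, PKI); the application authorization certificate is authenticated by an HMAC from the mechanism provider, since the page fixes no mode; the version header constant, the device class strings, the file names and every key are constructed. User activation (step 1) is left out.

```python
import hashlib
import hmac
import json
import os

def _stream(ek, nonce, n):
    """HMAC-SHA256 counter keystream; a toy cipher for the example, not the page's."""
    blocks = (hmac.new(ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """nonce || ciphertext || tag (encrypt-then-MAC); a real IC would use e.g. AES-GCM."""
    ek, mk = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal; a wrong key or a modified blob raises PermissionError."""
    ek, mk = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _stream(ek, nonce, len(ct))))

VERSION_HEADER = b"SECv1"  # assumption: the page only says a version header exists

def make_card(super_key, user_password, public_area_key, public_rights, private_rights):
    """Card making (embodiment three): header, user info and permission file under the super key."""
    perm = {"version": "1.0", "public_area_key": public_area_key.hex(),
            "public_rights": sorted(public_rights), "private_rights": sorted(private_rights)}
    return {"version_header": VERSION_HEADER,        # rights are per class "type/manufacturer/model"
            "user_id": seal(super_key, user_password.encode()),   # activation password
            "perm_file": seal(super_key, json.dumps(perm).encode()),
            "public_area": {}, "private_area": {}}   # encrypted files, by name

def issue_app_certificate(issuer_key, private_key_id, space_name, space_size):
    """Application authorization certificate (body, tag); an HMAC by the provider is assumed."""
    body = json.dumps({"private_key_id": private_key_id, "space_name": space_name,
                       "space_size": space_size}).encode()
    return body, hmac.new(issuer_key, body, hashlib.sha256).digest()

class Reader:
    """Read/write identification device of one class: super key, private key table, issuer key."""
    def __init__(self, dev_class, super_key, private_key_table, issuer_key):
        self.dev_class, self.super_key = dev_class, super_key
        self.private_key_table, self.issuer_key = private_key_table, issuer_key
    def _permission_file(self, card):
        if card.get("version_header") != VERSION_HEADER:   # embodiment two/three check
            raise PermissionError("device has no security mechanism")
        return json.loads(unseal(self.super_key, card["perm_file"]))
    def public_area(self, card, name, data=None):
        """Figure 5: class rights check, then the shared key from the permission file."""
        perm = self._permission_file(card)
        if self.dev_class not in perm["public_rights"]:
            raise PermissionError(f"{self.dev_class}: no right to the public area")
        key = bytes.fromhex(perm["public_area_key"])
        if data is None:
            return unseal(key, card["public_area"][name])
        card["public_area"][name] = seal(key, data)
    def private_area(self, card, cert, data=None):
        """Figure 6: rights check, certificate check, key from the private key table, segment limit."""
        perm = self._permission_file(card)
        if self.dev_class not in perm["private_rights"]:
            raise PermissionError(f"{self.dev_class}: no right to the private area")
        if cert is None:
            raise PermissionError("application has no authorization certificate")
        body, tag = cert
        if not hmac.compare_digest(tag, hmac.new(self.issuer_key, body, hashlib.sha256).digest()):
            raise PermissionError("application certificate is not legitimate")
        info = json.loads(body)
        key, name = self.private_key_table[info["private_key_id"]], info["space_name"]
        if data is None:
            return unseal(key, card["private_area"][name])
        if len(data) > info["space_size"]:
            raise PermissionError("data exceeds the application's accessible space")
        card["private_area"][name] = seal(key, data)

def demo():
    """Constructed scenario: an MP3 reader with both rights, a PDA with public rights only."""
    super_key, issuer_key = b"super-key-built-into-every-reader", b"mechanism-provider-key"
    table = {"k_pay": b"private-key-of-the-payment-service"}
    card = make_card(super_key, "1234", os.urandom(32),
                     {"MP3/VendorX/M100", "PDA/VendorY/P5"}, {"MP3/VendorX/M100"})
    mp3 = Reader("MP3/VendorX/M100", super_key, table, issuer_key)
    pda = Reader("PDA/VendorY/P5", super_key, table, issuer_key)
    cert = issue_app_certificate(issuer_key, "k_pay", "pay.dat", 64)
    forged = (cert[0].replace(b"64", b"4096"), cert[1])   # body edited, tag no longer matches
    mp3.public_area(card, "song.mp3", b"copyright-protected song")
    mp3.private_area(card, cert, b"user=alice;pass=s3cret")
    out = {"pda_reads_song": pda.public_area(card, "song.mp3"),
           "mp3_reads_private": mp3.private_area(card, cert)}
    for label, op in [("pda_private", lambda: pda.private_area(card, cert)),
                      ("forged_cert", lambda: mp3.private_area(card, forged)),
                      ("blank_card", lambda: mp3.public_area({}, "song.mp3"))]:
        try:
            op()
            out[label] = "allowed"
        except PermissionError:
            out[label] = "denied"
    return out
```

Every refusal happens before any key is handed out: a class outside the permission file's rights list, a missing or modified certificate, and a device without the version header all stop the operation, and the private-area key never leaves the reader's key table for a public-area request. `demo()` writes a song to the public area and a service credential to the private area from the MP3 reader, then shows the PDA reading the song but being refused the private area, and the MP3 reader being refused when the certificate body has been altered.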
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may be modified or replaced by equivalents without departing from the spirit and scope of the technical solution of the present invention, and that all such modifications fall within the scope of the claims of the present invention.