CN102930229A - Office system for improving data security - Google Patents

Info

Publication number: CN102930229A
Authority: CN (China)
Prior art keywords: usb, decryption, encryption, data, module
Legal status: Granted
Application number: CN201210458365XA
Other languages: Chinese (zh)
Other versions: CN102930229B (en)
Inventors: 郑茳, 肖佐楠, 匡启和, 王廷平, 尤国芳
Current assignee: CCore Technology Suzhou Co Ltd
Original assignee: CCore Technology Suzhou Co Ltd

Events:

  • Application filed by CCore Technology Suzhou Co Ltd
  • Priority to CN201210458365.XA
  • Publication of CN102930229A
  • Application granted
  • Publication of CN102930229B
  • Legal status: Active

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses an office system for improving data security. The system comprises a local area network made up of a plurality of computers, removable storage devices, a universal serial bus (USB) encryption/decryption bridge and a USB key device. One end of the USB encryption/decryption bridge is connected to the south bridge chip on the computer mainboard; the other end is exposed as the host interface for USB storage devices. The bridge contains a function management module that sits between the bridge and the USB key device and responds to instructions from the USB key device by configuring the functions of the bridge. The bridge further comprises a first USB device (slave) interface module, a USB host interface module, a data storage area, a first encryption/decryption module, a first flash storage module and a USB data transmission management module; the USB key device further comprises a second USB device interface module, a second encryption/decryption module and a second flash storage module. With this office system a working area can be set up freely, authority management becomes more efficient, and leakage of the data in the working area is effectively prevented.

Description

Office system for improving data security
Original application number 201110020320X, filing date January 18, 2011, title of invention: Office system for improving data security.
Technical field
The present invention relates to an office system for improving data security and belongs to the field of secure storage applications.
Background technology
At present the USB storage device is the most widely used kind of removable storage device, including USB flash drives and portable hard disks. More and more enterprises and institutions use USB storage devices as the tool for daily information exchange. In use there are two kinds of risk: on the one hand, important business data and internal information stored on the organisation's internal computers may leak through the USB port; on the other hand, if a USB storage device is lost, the information on it may also leak. Once such data leaks it causes great loss to the enterprise or individual, so data security has become a main link in information security. By encrypting and decrypting the USB data stream, the important data on both the internal computers and the USB storage devices can be protected at the same time.
For USB data protection, hardware and software techniques are currently used to realize encrypted storage of data.
(1) Many USB storage device manufacturers have released USB storage devices with an encryption function. Such a device requires a preset password to be verified before use, and the device can only be used normally once the password check passes. This approach effectively protects the data on the removable storage device but cannot protect the data on the computer.
(2) USB storage device data anti-leakage systems implemented in software. Such a system consists of a server with certificate management software installed, a number of internal-network hosts (clients) with client software installed, and a number of secure USB storage devices produced from generic USB storage devices by an initialization process on the certificate server. In use, the certificate management software and the client software are installed on the network server and on the internal hosts respectively; the USB storage device is securely initialized at the certificate server and the initialized secure USB storage is issued to internal users. In this approach both security management and data encryption/decryption are implemented in software.
On the one hand, in terms of security, both the server software and the client software can be cracked, and as soon as one piece of software is cracked the data may leak; on the other hand, because the USB data encryption/decryption in this scheme is performed by software on the internal computer, it necessarily lowers USB transfer efficiency, affects transmission speed and consumes a large amount of the internal computer's resources.
Summary of the invention
The object of the invention is to provide an office system for improving data security, in which a working area can be set up freely, authority management is made more efficient, leakage of the data inside the working area is effectively avoided, and the function state of the office system can be set flexibly.
To achieve the above object, the technical solution adopted by the present invention is:
An office system for improving data security, comprising a local area network (LAN) formed of a number of computers and a number of USB storage devices, and further comprising a USB encryption/decryption bridge device and a USB key device;
One end of the USB encryption/decryption bridge device is connected to the south bridge chip on the computer motherboard, and its other end serves as the exposed host interface for USB storage devices. The bridge device further comprises:
a first USB device interface module, connected to the computer's south bridge and used for data transmission with the computer over the USB bus;
a USB host interface module, used for data transmission with the USB storage device over the USB bus and for receiving the second identification code and the key from the USB key device, or for transmitting data with the USB storage device;
a data storage area, located between the first USB device interface module (USB Device) and the USB host interface module (USB Host), used to store the data coming from the USB host interface module and from the first USB device interface module;
a first encryption/decryption module, connected to the data storage area; when the computer receives data from the USB storage device it decrypts the data coming from the USB host interface module (USB Host) with the key received from the USB key device, and when the computer sends data to the USB storage device it encrypts the data coming from the first USB device interface module (USB Device) with the key from the USB key device;
a first flash storage module (FLASH), used to store the public/private key pair of the encryption/decryption algorithm and the configured first identification code; the public and private keys are used to encrypt and decrypt the data transmitted between the computer and the USB key device;
a USB data transmission management module, connected to the first USB device interface module (USB Device 1), the USB host interface module (USB Host) and the first encryption/decryption module; when the second identification code from the USB key device equals the first identification code, it receives the key from the USB key device and schedules the data exchange between the data in the first USB device interface module (USB Device), the data in the USB host interface module (USB Host) and the data in the encryption/decryption module; otherwise it forbids data transmission with the USB storage device;
a USB encryption/decryption bridge function management module, located between the bridge device and the USB key device, used to respond to instructions from the USB key device by configuring the bridge device into one of the following functions: (a) bridge closed: the USB host interface module is closed, the host port no longer works, and the client computer cannot transmit data with a USB storage device through this port; (b) bridge opened in non-encrypted mode: the USB host interface module of the bridge is opened but the encryption/decryption function is not enabled, so the client computer can transmit data with a USB storage device through this port and the data is neither encrypted nor decrypted; (c) bridge opened in encrypted mode: the host port of the bridge is opened and the encryption/decryption function is enabled; the client computer can transmit data with a USB storage device through this port, data read from the USB storage device is decrypted and data written to the USB storage device is encrypted; (d) change the encryption/decryption key: the key kept inside the USB key device is changed, a new key is generated by the second true random number module and saved in the second flash storage module. Communication of this function management module follows the USB 2.0 protocol and uses private SCSI commands; the working process is as follows:
(1) after the USB key device is inserted, the bridge device enumerates it and recognizes the device as a key device;
(2) the bridge device reads the second identification code of the USB key device with a private SCSI command and judges whether this second identification code is valid; if it is valid the bridge continues working, otherwise it ejects the USB key device;
(3) the bridge device queries the USB key device whether a button has been pressed; if so, it performs the corresponding function and, after completion, feeds back status information to the key device;
Communication between the bridge device and the USB key device uses the digital envelope method, based on the RSA 1024-bit asymmetric encryption/decryption algorithm, and the public key of the asymmetric algorithm is itself encrypted and decrypted with the DES symmetric algorithm;
The USB key device further comprises:
a second USB device interface module, used to connect to the USB host interface module (USB Host) of the bridge device and to transmit data and the second identification code with the bridge device over the USB bus;
a second encryption/decryption module, which encrypts the key with the public key and at the same time decrypts the data from the bridge device with the private key;
a second flash storage module (FLASH), used to save the key, the second identification code and a record of the function state of the bridge device;
four buttons: a first button for closing the port, a second button for opening the USB bridge device in non-encrypted mode, a third button for opening the USB bridge device in encrypted mode, and a fourth button for changing the key.
Further improvements of the above scheme are as follows:
1. In the above scheme, the first encryption/decryption module further comprises:
a first asymmetric algorithm RSA module, used to encrypt and decrypt sensitive data when the bridge device communicates with the USB key device; the sensitive data comprises the key and the second identification code of the USB key device;
a first symmetric algorithm module, which stores the SM1, SM4 or 3DES algorithm;
a first true random number module, for generating the random numbers needed by the first asymmetric algorithm RSA module.
2. In the above scheme, the second encryption/decryption module further comprises:
a second asymmetric algorithm RSA module, which processes data when the bridge device communicates with the USB key device;
a second symmetric algorithm module, which stores the SM1, SM4 or 3DES algorithm;
a second true random number module, for generating the random numbers needed by the asymmetric algorithm RSA module and for producing the key from these random numbers.
Because the above technical scheme is used, the present invention has the following advantages and effects compared with the prior art:
The present invention proposes a completely new office system for improving data security, based on a hardware device at the USB port. The whole system is flexible to apply and has a great advantage in security. In this scheme, authority management and USB data stream encryption/decryption are implemented in hardware; as long as the hardware is not destroyed its security can be guaranteed, the USB data transfer efficiency is hardly affected, and no resources of the computer are consumed. While guaranteeing security, the invention has good compatibility: on the computer side, all computers on the market with USB 2.0 interfaces can be supported, and on the removable storage side, USB flash drives and portable hard disks of every brand can be supported.
Description of drawings
Figure 1 is a schematic diagram of the system architecture of the invention;
Figure 2 is a schematic diagram of the structure of the USB encryption/decryption bridge device of the invention;
Figure 3 is a schematic diagram of the structure of the USB key device of the invention.
Embodiment
The invention is further described below in conjunction with the drawings and an embodiment:
Embodiment: an office system for improving data security comprises a local area network (LAN) formed of a number of computers, removable storage devices, a USB encryption/decryption bridge device and a USB key device;
One end of the USB encryption/decryption bridge device is connected to the south bridge chip on the computer motherboard, and its other end serves as the exposed host interface for USB storage devices. The bridge device further comprises:
a first USB device interface module USB Device 1, connected to the computer's south bridge, used for data transmission with the computer over the USB bus;
a USB host interface module USB Host, used for transmitting data and the second identification code from the USB key device over the USB bus, or for transmitting data with the removable storage device;
a data storage area between the first USB device interface module USB Device and the USB host interface module USB Host, used to store the data coming from the first USB device interface module and from the USB host interface module;
a first encryption/decryption module connected to the data storage area; when the computer receives data from the removable storage device it decrypts the data from the USB host interface module USB Host with the received key, and when the computer sends data to the removable storage device it encrypts the data from the first USB device interface module USB Device with the received key;
a first flash storage module FLASH, used to store the public/private key pair of the encryption/decryption algorithm and the configured first identification code; the public and private keys are used to encrypt and decrypt the data transmitted between the computer and the USB key device;
a USB data transmission management module, connected to the first USB device interface module USB Device 1, the USB host interface module USB Host and the first encryption/decryption module; when the second identification code from the USB key device equals the first identification code, it receives the key from the USB key device and schedules the data exchange between the data in the first USB device interface module USB Device, the data in the USB host interface module USB Host and the data in the encryption/decryption module; otherwise it forbids data transmission with the removable storage device;
The USB key device further comprises:
a second USB device interface module, used to connect to the USB host interface module USB Host of the bridge device and to transmit data and the second identification code with the bridge device over the USB bus;
a second encryption/decryption module, which encrypts the key with the public key and at the same time decrypts the data from the bridge device with the private key;
a second flash storage module FLASH, used to save the key and the second identification code.
The above first encryption/decryption module further comprises:
a first asymmetric algorithm RSA module, which processes data when the bridge device communicates with the USB key device;
a first symmetric algorithm module, which stores the SM1, SM4 or 3DES algorithm;
a first true random number module, for generating the random numbers needed by the asymmetric algorithm RSA module.
The above second encryption/decryption module further comprises:
a second asymmetric algorithm RSA module, which processes data when the bridge device communicates with the USB key device;
a second symmetric algorithm module, which stores the SM1, SM4 or 3DES algorithm;
a second true random number module, for generating the random numbers needed by the asymmetric algorithm RSA module.
The specific working process of the present embodiment is as follows.
The above office system comprises the following parts:
A USB key device used for management control. The USB key device is a USB device presenting an external human-machine interface; it stores a key produced from random numbers, and this key is the authorization key for a number of bridge devices. The USB key device is used to initialize the bridge devices and to manage the use of the encryption/decryption devices.
A number of clients, i.e. internal computers fitted with a bridge device, which transparently encrypt and decrypt the read and write operations to USB storage devices and at the same time control the use of USB storage devices.
A client must be initialized by the USB key device before use. During initialization the bridge device obtains the key held on the USB key device and the unique ID of the key device, and saves them.
A number of clients can form a working group, controlled by a single USB key device; clients within the same working group can transfer data to each other by means of USB storage devices.
The USB encryption/decryption bridge device is explained as follows:
(1) In use, the bridge device acts as a bridge between the computer's south bridge chip and the USB storage device during USB data transmission.
(2) The bridge device can only identify USB key devices and removable storage devices; it does not support other types of USB devices.
(3) The function of the bridge device is controlled by the USB key device, and the key used for encryption/decryption is provided by the USB key device.
(4) When the bridge device communicates with the USB key device, private USB commands are used, and sensitive data is protected by stacking two methods, an RSA asymmetric digital envelope and SM4 symmetric encryption/decryption, which gives strong security.
(5) The USB port of the bridge device supports the USB 2.0 and USB 1.1 protocols and follows the Mass Storage device class standard, the bulk-only protocol and the SCSI protocol.
(6) The encryption/decryption process is transparent to the computer user.
(7) High efficiency and speed: with the SM1 algorithm, when the USB storage device speed reaches more than 30 MB/s, the encryption/decryption read/write speed for large file transfers can reach more than 25 MB/s.
(8) During data transmission, USB data reception, USB data sending and data encryption/decryption proceed simultaneously, which guarantees data transmission efficiency to the greatest extent.
(9) For the computer user the encryption/decryption process is transparent and does not affect any operation. The encryption/decryption device is controlled by the key device and no configuration of the computer needs to be changed, which is convenient and flexible.
The USB key device has the following characteristics:
(1) A USB key device controls one working group. A working group is formed by a number of client computers, and the USB key device manages the working group by setting the function of the bridge device on each client. One working group corresponds to one USB key device.
(2) The USB key device can only be used in cooperation with a bridge device; inserting it into a generic USB host has no effect.
(3) Communication between the USB key device and the bridge device follows the USB 2.0 protocol, the Mass Storage device class standard, the bulk-only protocol and the SCSI protocol. Private commands are used, and sensitive data is protected by stacking an RSA asymmetric digital envelope with SM4 symmetric encryption/decryption, which gives strong security.
(4) Each USB key device has a unique second identification code ID2. ID2 is 32 bits long, is generated during device manufacturing using a time-based calibration method that guarantees its uniqueness, and is kept in the second flash storage module FLASH2 of the USB key device.
(5) The USB key device produces the key with a true random number module and keeps it in the second flash storage module FLASH2. This key is used by the bridge device as the data encryption/decryption key.
(6) The USB key device has four buttons which, in cooperation with the bridge device, perform four operations:
A: close the bridge device; the bridge then gives no response to an inserted USB storage device.
B: open the bridge device in non-encryption/decryption mode; the bridge then has the same function as a generic USB port of the computer.
C: open the bridge device in encryption/decryption mode; the bridge then has the encryption/decryption function and can encrypt or decrypt the transmitted data.
D: change the key on the USB key device; the key device produces a new key with its true random number generator and saves it in FLASH.
(7) The USB key device has four indicator lights, corresponding to the four buttons, which show whether the operation of the corresponding button completed correctly.
Method of work
The method of using the data anti-leakage system based on the USB key device and the USB encryption/decryption bridge device comprises the following steps:
(1) A number of clients fitted with bridge devices, a USB key device and removable storage devices form a working area. In its initial state the bridge device's USB host port is closed, so at this point the USB ports in the working area are unavailable.
(2) Connect the USB key device to the bridge device of a client, select "open the bridge device in encryption/decryption mode" with the key device's button, and wait for the setting to complete.
(3) Configure all clients in the same way.
(4) Insert the removable storage device into the client's USB port. At this point the removable storage device cannot be used normally and must be formatted; after formatting succeeds it can be used to transfer data.
(5) In normal use, data copied from the client to the removable storage device passes through the bridge device's encryption and is stored on the removable storage device in ciphertext form.
(6) In normal use, data copied from the removable storage device to the client passes through the bridge device's decryption and is stored on the client's hard disk in plaintext form.
(7) Clients controlled by the same USB key device have the same encryption/decryption key and can copy data to each other. This key can be changed at any time: use the key device's "change key" function to first change the key stored in the USB key device, and then use the "open the bridge device in encryption/decryption mode" function to synchronize the new key to each client.
(8) To add a client to the working area, use the USB key device to configure a client fitted with a bridge device: with the "open the bridge device in encryption/decryption mode" function, the encryption/decryption key and the ID of the USB key device are synchronized to the client.
(9) In special cases a client can be set to copy plaintext data to the storage device. Using the key device's "open the bridge device in non-encryption/decryption mode" function, a client is configured not to encrypt or decrypt copied data; in this case data copied from the client to the removable storage device is not encrypted, the removable storage device holds the data in plaintext, and it can be read correctly on any common computer.
(10) In special cases the client's USB port can be closed, using the key device's "close the bridge device" function.
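As an added illustration (not the patent's own code), the following Python model walks through the bridge functions (a) to (d) of the summary and the method-of-work steps above: ID-checked configuration by the key device, encrypt-on-write and decrypt-on-read in the data path, and a key change followed by re-synchronization of the clients. It assumes the bridge binds the key device's ID at first initialization and substitutes an HMAC-SHA256 keystream for SM1/SM4/3DES, which the Python standard library does not provide.

```python
"""Model of the bridge device, the USB key device and the working-group
procedure of the patent. Constructed illustration: ID1 is bound at first
initialization; SM1/SM4/3DES are replaced by an HMAC-SHA256 keystream."""
import hashlib, hmac, secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Mode(Enum):
    CLOSED = "a"      # bridge closed, host port off
    PLAIN = "b"       # open, no encryption/decryption
    ENCRYPTED = "c"   # open, encrypt on write / decrypt on read

def sector_xor(key: bytes, lba: int, data: bytes) -> bytes:
    """Stand-in for the symmetric module: per-sector keystream from
    HMAC-SHA256 in counter mode, XORed onto the data (self-inverse)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ctr = lba.to_bytes(8, "big") + off.to_bytes(4, "big")
        ks = hmac.new(key, ctr, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

@dataclass
class UsbKeyDevice:
    """ID2 (32-bit, fixed at manufacture) and the group key kept in FLASH2."""
    id2: int
    key: bytes = field(default_factory=lambda: secrets.token_bytes(16))

    def change_key(self) -> None:           # button D
        self.key = secrets.token_bytes(16)

@dataclass
class UsbBridge:
    """FLASH1 contents: bound ID1, current key and function state."""
    id1: Optional[int] = None
    key: Optional[bytes] = None
    mode: Mode = Mode.CLOSED                # initial state: host port closed

    def configure(self, kd: UsbKeyDevice, mode: Mode) -> None:
        """Buttons A/B/C: take the key only if ID2 equals the bound ID1."""
        if self.id1 is None:
            self.id1 = kd.id2               # first initialization binds kd
        if kd.id2 != self.id1:
            raise PermissionError("ID mismatch: key device ejected")
        self.key, self.mode = kd.key, mode

    def _gate(self) -> None:
        if self.mode is Mode.CLOSED:
            raise OSError("host port closed")

    def write(self, disk: dict, lba: int, data: bytes) -> None:
        """Client -> stick: ciphertext in mode c, plaintext in mode b."""
        self._gate()
        disk[lba] = data if self.mode is Mode.PLAIN else sector_xor(self.key, lba, data)

    def read(self, disk: dict, lba: int) -> bytes:
        """Stick -> client: decrypt in mode c, pass through in mode b."""
        self._gate()
        raw = disk[lba]
        return raw if self.mode is Mode.PLAIN else sector_xor(self.key, lba, raw)

def refused(action) -> bool:
    """True if the bridge rejects the action (key device ejected / port closed)."""
    try:
        action()
    except (PermissionError, OSError):
        return True
    return False

def workgroup_scenario() -> dict:
    """Steps (1)-(10) of the method of work; returns what each party observes."""
    kd = UsbKeyDevice(id2=0x2A3B4C5D)               # constructed sample ID2
    c1, c2 = UsbBridge(), UsbBridge()               # step (1): ports closed
    for c in (c1, c2):                              # steps (2)-(3)
        c.configure(kd, Mode.ENCRYPTED)
    disk: dict = {}                                 # step (4): formatted stick
    secret = b"quarterly figures, internal only"   # constructed sample file
    c1.write(disk, 7, secret)                       # step (5)
    res = {"stick_holds_ciphertext": disk[7] != secret,
           "peer_reads_plaintext": c2.read(disk, 7) == secret}   # steps (6)-(7)
    other = UsbBridge()                             # bridge of another group
    other.configure(UsbKeyDevice(id2=0x11111111), Mode.ENCRYPTED)
    res["foreign_bridge_rejected"] = refused(lambda: other.configure(kd, Mode.ENCRYPTED))
    kd.change_key()                                 # step (7): new key, re-sync c1 only
    c1.configure(kd, Mode.ENCRYPTED)
    c1.write(disk, 8, secret)
    res["stale_client_reads_garbage"] = c2.read(disk, 8) != secret
    c2.configure(kd, Mode.ENCRYPTED)                # step (8)-style sync of c2
    res["resynced_client_reads_plaintext"] = c2.read(disk, 8) == secret
    c1.configure(kd, Mode.PLAIN)                    # step (9)
    c1.write(disk, 9, secret)
    res["plain_mode_stick_holds_plaintext"] = disk[9] == secret
    c1.configure(kd, Mode.CLOSED)                   # step (10)
    res["closed_port_refuses"] = refused(lambda: c1.read(disk, 9))
    return res
```

The keystream stand-in only shows where encryption sits in the data path; a real bridge would use a block cipher in a disk-encryption mode rather than a per-sector XOR keystream.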
Explanation of the USB encryption/decryption bridge device:
(1) USB host interface module USB Host: the USB host function module supports the USB 1.1 and USB 2.0 protocols; it can receive data through USB Host or send the data held in the FIFO through the Host port. The host interface of the bridge device can only identify USB key devices and removable storage devices, and it is controlled by the USB key device. The USB Host interface of the bridge chip is exposed outside the computer chassis as the host interface for external USB storage devices, and is responsible for communicating with removable storage devices and the USB key device.
(2) First USB device interface module USB Dev1: the USB device function module supports the USB 1.1 and USB 2.0 protocols; it can receive data through the Device port or send data through USB Dev1. USB Dev1 of the bridge device is connected to the computer's south bridge and is responsible for communicating with the computer over the USB bus.
(3) First flash storage module FLASH1: the storage module keeps the relevant information, comprising the ID of the USB key device, the key used for data encryption/decryption and the current function state of the bridge device.
(4) Symmetric encryption/decryption module: comprises SM1, SM4, DES and others; its main function is to encrypt and decrypt the transmitted USB data and, when the bridge device communicates with the USB key device, to encrypt and decrypt the public key of the digital envelope.
(5) Asymmetric encryption/decryption RSA module: when the bridge device communicates with the USB key device, it encrypts and decrypts sensitive data, including the encryption/decryption key and the identification code ID of the USB key device, using the digital envelope method.
Digital envelope technology is a common technique in the field of secure communication. It is used for exchanging important information between an initiator (A) and a responder (B) and protects the communication data exchanged between them.
(1) A generates an asymmetric public/private key pair at random.
(2) A sends the public key to B.
(3) B encrypts the data it needs to transmit with A's public key.
(4) B sends the encrypted data back to A.
(5) A decrypts the data sent back by B with its private key.
(6) The decrypted data is B's plaintext.
A 1024-bit RSA encryption/decryption algorithm is used.
(6) True random number module:
The USB encryption/decryption bridge device contains a hardware true random number generator that produces true random numbers, used to generate the random data required by the RSA algorithm.
(7) USB data transfer management module:
The USB data transfer management module manages the data exchange between the client and the removable storage device, and schedules the USB Host module, the USB Device module and the encryption/decryption module of the USB encryption/decryption bridge device.
Commands received from the client's USB host are forwarded to the removable storage device through the USB host of the encryption/decryption bridge device.
When data is written to the removable storage device, the data received from the client is encrypted and then forwarded to the removable storage device.
When data is read from the removable storage device, the data read from the removable storage device is decrypted and then forwarded to the client.
When status is read from the removable storage device, the status read from the removable storage device is forwarded to the client unchanged.
(8) USB encryption/decryption bridge device function management module:
This module interacts with the USB key device to configure the functions of the USB encryption/decryption bridge device. Communication between the bridge device and the USB key device follows the USB 2.0 protocol and uses private SCSI commands. The process is as follows:
(1) After the USB key device is inserted into the client, the USB encryption/decryption bridge device enumerates it and recognises it as a key device.
(2) The bridge device reads the ID of the key device with a private SCSI command and checks whether this ID is valid; if it is valid, operation continues, otherwise the key device is ejected.
(3) The bridge device queries the key device for a pressed button; if a button is pressed, it performs the corresponding function and, once finished, feeds the status information back to the key device.
Communication between the USB encryption/decryption bridge device and the USB key device uses the digital envelope mode, based on the RSA 1024-bit asymmetric encryption/decryption algorithm; the public key of the asymmetric algorithm is itself encrypted and decrypted with the DES symmetric algorithm.
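The handshake in steps (1) to (3) and the digital envelope in steps (1) to (6) above, run end to end as an added example; this is illustration code written for this page, not the patent's firmware. Textbook RSA over Python integers standing in for the 1024-bit RSA module, a SHA-256 counter keystream standing in for the DES step that wraps the public key, and secrets.token_bytes() standing in for the hardware true random number generator are assumptions of the example, as are all class and function names. Two points the page leaves implicit become visible: the only thing that ties the fresh RSA public key to a particular bridge is the symmetric wrap key both sides already hold, so a mismatch there surfaces as an ejected device rather than a leaked key, and the ID read with the private SCSI command is checked a second time inside the decrypted envelope. Raw RSA without padding is shown as the page describes it; a deployed design would use OAEP, and both DES and 1024-bit RSA are below current key-size recommendations.

```python
"""Bridge (A) <-> USB key device (B) handshake with the digital envelope, simulated.

Added example, not the patent's code. Stand-ins (assumptions, not from the page): textbook RSA
over Python integers for the 1024-bit RSA module, a SHA-256 counter keystream for the DES step
that wraps the public key, and secrets.token_bytes() for the hardware TRNG.
"""
import hashlib
import secrets

E = 65537  # public exponent fixed on both sides, so only the modulus travels over USB

def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test used by rsa_keygen()."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits):
    """Envelope step (1): a fresh key pair per handshake; returns (modulus n, private exponent d)."""
    while True:
        p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        q = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if p != q and is_probable_prime(p) and is_probable_prime(q):
            phi = (p - 1) * (q - 1)
            if phi % E:  # E is prime, so this is gcd(E, phi) == 1
                return p * q, pow(E, -1, phi)

def stream_xor(key, label, data):
    """Keystream XOR standing in for the DES wrapping of the public key (the same call unwraps)."""
    ks = b"".join(hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class UsbKeyDevice:
    """Side B: FLASH2 holds ID2 and the data key, both drawn from the TRNG."""
    def __init__(self, id2, wrap_key):
        self.id2, self.wrap_key = id2, wrap_key
        self.data_key = secrets.token_bytes(16)
    def read_id(self):  # reply to the private SCSI command that reads ID2
        return self.id2
    def envelope_reply(self, wrapped_modulus):
        """Envelope steps (3)-(4): unwrap A's public key, encrypt (data key || ID2) to it."""
        n = int.from_bytes(stream_xor(self.wrap_key, b"pub", wrapped_modulus), "big")
        return pow(int.from_bytes(self.data_key + self.id2, "big"), E, n)
    def change_key(self):  # button 4: replace the stored key with a fresh one from the TRNG
        self.data_key = secrets.token_bytes(16)

class Bridge:
    """Side A: FLASH1 holds the authorised key-device ID, the data key and the current mode."""
    MODES = {1: "closed", 2: "plain", 3: "encrypted"}
    def __init__(self, id1, wrap_key, bits=1024):
        self.id1, self.wrap_key, self.bits = id1, wrap_key, bits
        self.data_key, self.mode = None, "closed"
    def handshake(self, dev):
        """Process steps (1)-(2) plus the envelope; returns "ok" or "ejected"."""
        if dev.read_id() != self.id1:            # unknown ID: eject the device
            return "ejected"
        n, d = rsa_keygen(self.bits)
        wrapped = stream_xor(self.wrap_key, b"pub", n.to_bytes(self.bits // 8, "big"))  # step (2)
        m = pow(dev.envelope_reply(wrapped), d, n)  # step (5): private-key decryption
        size = 16 + len(self.id1)
        if m.bit_length() > 8 * size:            # garbage: wrong wrap key or tampered modulus
            return "ejected"
        plain = m.to_bytes(size, "big")
        if plain[16:] != self.id1:               # the ID inside the envelope must match as well
            return "ejected"
        self.data_key = plain[:16]
        return "ok"
    def press_button(self, dev, button):
        """Process step (3): perform the selected function and return the LED feedback."""
        if button == 4:
            dev.change_key()
            ok = self.handshake(dev) == "ok"     # pull the new key through a fresh envelope
        else:
            self.mode = self.MODES[button]
            ok = True
        return {"led": button, "ok": ok, "mode": self.mode}
```

Running `Bridge(b"KEY-0001", wrap_key, bits=256).handshake(UsbKeyDevice(b"KEY-0001", wrap_key))` with matching wrap keys ends with both sides holding the same 16-byte data key; a device with a different ID, or a bridge with a different wrap key, is reported as ejected and no key is stored.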
The USB encryption/decryption bridge device is integrated on the client as a dedicated USB 2.0 high-speed host port. Its built-in C*Core secure MCU encrypts and decrypts the data stream of the Mass Storage device class, and this port can only enumerate Mass Storage class devices.
In operation, the USB encryption/decryption bridge device sits between the computer's USB host and the removable storage device. To the user of the client the bridge device is transparent: the computer is operated as usual, and the encryption/decryption process is invisible to the user.
The device supports a USB host interface, a USB key device interface and the corresponding protocol stacks. It supports the USB 2.0 high-speed protocol and the Mass Storage Bulk-Only protocol. The USB host interface supports only the Mass Storage device class standard; for devices of any other type the host cannot complete enumeration and initialisation.
During communication with a USB Mass Storage device, the bridge device uses the SM1 symmetric algorithm to encrypt or decrypt the DATA portion of the SCSI command. Updating the SM1 encryption key through the USB key device is supported. The communication protocol with the USB key device is the Mass Storage protocol, using private SCSI commands. Data transfer with the USB key device uses digital envelope technology, with RSA (1024-bit key) as the encryption method.
The bridge device adopts the SM1 algorithm; when the hard disk transfers large files at 30 MB/s or more, the data send/receive rate at the USB host and device ports of the bridge device can reach 25 MB/s.
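The data path of point (7) and the SM1 usage just described, as an added example that is not the patent's code: a host builds Bulk-Only Command Block Wrappers carrying SCSI READ(10), WRITE(10) and TEST UNIT READY; the bridge forwards each command unchanged, encrypts the DATA phase on writes and decrypts it on reads, and passes the Command Status Wrapper through untouched. In non-encrypted mode the drive's ciphertext reaches the host as it is, and in closed mode nothing is forwarded at all. A SHA-256 counter keystream keyed by the sector address stands in for SM1 (the page does not say which mode of operation SM1 runs in), and the dict-backed drive and all names are assumptions of the example. Tying the keystream to the LBA keeps identical sectors from encrypting identically, but a keystream mode like this still leaks the XOR of old and new contents when a sector is rewritten, which is why disk encryption normally uses a tweakable block-cipher mode such as XTS.

```python
"""Transparent encrypt-on-write / decrypt-on-read data path over USB Bulk-Only SCSI, simulated.

Added example, not the patent's code. Assumptions not on the page: a SHA-256 counter keystream
keyed by the sector address stands in for SM1, and the removable drive is a dict of 512-byte sectors.
"""
import hashlib
import struct

CBW = struct.Struct("<4sIIBBB16s")  # signature, tag, transfer length, flags, LUN, CB length, CB
CSW = struct.Struct("<4sIIB")       # signature, tag, data residue, status
TEST_UNIT_READY, READ10, WRITE10 = 0x00, 0x28, 0x2A
SECTOR = 512

def build_cdb(opcode, lba, count):
    """READ(10)/WRITE(10) CDB: opcode, flags, LBA (BE32), group, transfer length (BE16), control."""
    return struct.pack(">BBIBHB", opcode, 0, lba, 0, count, 0)

def build_cbw(tag, cdb, length, data_in):
    """Host side: the 31-byte Command Block Wrapper of the Bulk-Only transport."""
    return CBW.pack(b"USBC", tag, length, 0x80 if data_in else 0x00, 0, len(cdb), cdb.ljust(16, b"\0"))

def parse_cbw(raw):
    sig, tag, length, flags, lun, cb_len, cb = CBW.unpack(raw)
    if sig != b"USBC" or not 1 <= cb_len <= 16:
        raise ValueError("malformed CBW")
    return {"tag": tag, "length": length, "lun": lun, "cdb": cb[:cb_len]}

def lba_count(cdb):
    return struct.unpack(">I", cdb[2:6])[0], struct.unpack(">H", cdb[7:9])[0]

def sector_xor(key, lba, data):
    """Keystream XOR with the sector address as nonce (SM1 stand-in; the same call decrypts)."""
    ks = b"".join(hashlib.sha256(key + struct.pack(">II", lba, i)).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class RemovableStorage:
    """Mass Storage device: executes the SCSI command, answers with data and a CSW."""
    def __init__(self):
        self.sectors = {}
    def handle(self, cbw, data_out=b""):
        op, data_in, status = cbw["cdb"][0], b"", 0
        if op == READ10:
            lba, count = lba_count(cbw["cdb"])
            data_in = b"".join(self.sectors.get(lba + i, bytes(SECTOR)) for i in range(count))
        elif op == WRITE10:
            lba, count = lba_count(cbw["cdb"])
            for i in range(count):
                self.sectors[lba + i] = data_out[i * SECTOR:(i + 1) * SECTOR]
        elif op != TEST_UNIT_READY:
            status = 1  # command failed
        return data_in, CSW.pack(b"USBS", cbw["tag"], 0, status)

class Bridge:
    """Sits between the host's USB port and the drive; touches only the DATA phase of READ/WRITE."""
    def __init__(self, disk, key, mode="closed"):
        self.disk, self.key, self.mode = disk, key, mode  # mode is set by the USB key device
    def forward(self, raw_cbw, data_out=b""):
        if self.mode == "closed":          # host port disabled: nothing reaches the drive
            return None, None
        cbw = parse_cbw(raw_cbw)           # the command itself is forwarded unchanged
        op = cbw["cdb"][0]
        enc = self.mode == "encrypted" and op in (READ10, WRITE10)
        lba = lba_count(cbw["cdb"])[0] if enc else 0
        if enc and op == WRITE10:          # host -> drive: encrypt sector by sector
            data_out = self._xform(lba, data_out)
        data_in, csw = self.disk.handle(cbw, data_out)
        if enc and op == READ10:           # drive -> host: decrypt sector by sector
            data_in = self._xform(lba, data_in)
        return data_in, csw                # status (CSW) is passed through untouched
    def _xform(self, lba, data):
        return b"".join(sector_xor(self.key, lba + i, data[i * SECTOR:(i + 1) * SECTOR])
                        for i in range(len(data) // SECTOR))
```

Writing two sectors of plaintext through `Bridge(disk, key, "encrypted")` and reading them back returns the plaintext, while `disk.sectors` holds only ciphertext; switching the same bridge to `"plain"` returns that ciphertext to the host, which is what an unauthorised machine would see.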
Description of the USB key device:
(1) USB Dev:
The USB device function module supports the USB 1.1 and USB 2.0 protocols; it receives data through the second USB slave interface module, that is the Device port, and sends data through it. The Device port of the USB key device is connected to the USB host interface module of the USB encryption/decryption bridge device and is responsible for communicating with the bridge device over the USB bus.
(2) Second flash memory module FLASH2:
The second flash memory module FLASH2 stores the relevant information. During manufacture of the USB key device a second identification code ID2 is generated; ID2 is unique, different for every device, and is generated using a time-stamping method. ID2 is saved in the second flash memory module FLASH2 when it is generated. The key used for data encryption/decryption is generated automatically from a true random number when the USB key device is powered on for the first time and is saved in the second flash memory module FLASH2.
(3) Symmetric encryption/decryption module:
The DES symmetric encryption/decryption algorithm; its main function is to encrypt and decrypt the public key of the digital envelope when the USB encryption/decryption bridge device communicates with the USB key device.
(4) Asymmetric encryption/decryption RSA module:
The asymmetric RSA module is used, when the USB encryption/decryption bridge device communicates with the USB key device, to encrypt and decrypt sensitive data; the sensitive data includes the encryption/decryption key and the second identification code ID2 of the USB key device. The digital envelope mode is adopted.
(5) Second true random number module:
The USB key device contains a hardware true random number generator that produces true random numbers, used to generate the random data required by the RSA algorithm.
(6) USB encryption/decryption bridge device function management module:
This module interacts with the USB encryption/decryption bridge device to configure the functions of the bridge device. Communication between the bridge device and the USB key device follows the USB 2.0 protocol and uses private SCSI commands.
Through this function management module the encryption/decryption device has the following configurable functions: bridge device closed, bridge device opened in non-encrypted mode, bridge device opened in encrypted mode, and change of the key. These functional configurations must be carried out in cooperation with the USB encryption/decryption bridge device.
(7) Buttons and LEDs:
The USB key device has four buttons, each with a matching LED status indicator.
The four buttons select which operation is to be performed, and the four indicator lamps show whether the operation succeeded:
Button 1, indicator lamp 1: close the port
Button 2, indicator lamp 2: open the USB bridge device in non-encrypted mode
Button 3, indicator lamp 3: open the USB bridge device in encrypted mode
Button 4, indicator lamp 4: change the key
The USB key device is a USB device that presents itself as an external human-machine interface and stores a key produced from random numbers. This key is the authorisation key for a number of USB encryption/decryption bridge devices; the USB key device manages a working group, and a client that needs to join this working group must be authorised by the USB key device.
By interacting with the USB encryption/decryption bridge device, the USB key device configures the functions of the bridge device and thereby controls the USB host interface of the client.
The functions of the USB encryption/decryption bridge device that the USB key device can configure are as follows:
(1) Close the USB encryption/decryption bridge device:
The host port of the USB encryption/decryption device is closed and no longer operates; the client computer cannot transfer data with a removable storage device through this port.
(2) Open the USB encryption/decryption bridge device in non-encrypted mode:
The host interface of the bridge device is opened without enabling the encryption/decryption function. The client computer can transfer data with any storage device through this port, and the data is neither encrypted nor decrypted.
(3) Open the USB encryption/decryption bridge device in encryption/decryption mode:
The host port of the bridge device is opened and the encryption/decryption function is enabled. The client computer can transfer data with a removable storage device through this port; data read from the removable storage device is decrypted, and data written to the removable storage device is encrypted.
(4) Change the key:
The key stored inside the USB key device is replaced: a new key is generated by the true random number generator and saved in the FLASH memory module.
The role of the USB key device is to configure the functions of the USB encryption/decryption bridge device, thereby forming a working domain made up of several clients and managing that working domain. Each working domain has one corresponding controller.
The USB key device and the USB encryption/decryption bridge device are connected over USB, following the USB 2.0 protocol, the Mass Storage device class standard, the Bulk-Only protocol and the SCSI protocol; communication with the bridge device uses private SCSI commands. When the encryption key is transferred, digital envelope technology is used, with RSA (1024-bit key) as the encryption method. Each USB key device has a unique second identification code ID2 produced by its true random number generator and generated using a time-stamping method.
The embodiment described above merely illustrates the technical concept and features of the invention; its purpose is to enable those familiar with the art to understand the invention and implement it accordingly, and it does not limit the scope of protection of the invention. All equivalent changes or modifications made according to the spirit of the invention shall fall within the scope of protection of the invention.

Claims (3)

1. An office system for improving data security, comprising a local area network formed by a number of computers and a number of USB storage devices, characterised in that it further comprises a USB encryption/decryption bridge device and a USB key device;
one end of the USB encryption/decryption bridge device is connected to the south bridge chip on the computer motherboard, and its other end serves as the host interface for the exposed USB storage device; the USB encryption/decryption bridge device further comprises:
a first USB slave interface module, connected to the computer's south bridge, for transferring data with the computer over the USB bus;
a USB host interface module, for transferring data with the USB storage device over the USB bus and for receiving the second identification code and the key from the USB key device, or for transferring data with the USB storage device;
a data storage area, located between the first USB slave interface module (USB Device) and the USB host interface module (USB Host), for storing the data from the USB host interface module and from the USB slave interface module;
a first encryption/decryption module, connected to the data storage area, which, when the computer receives data from the USB storage device, decrypts the data from the USB host interface module (USB Host) using the key received from the USB key device, and, when the computer sends data to the USB storage device, encrypts the data from the first USB slave interface module (USB Device) using the key from the USB key device;
a first flash memory module (FLASH), for storing the public/private key pair of the encryption/decryption algorithm and the configured first identification code; the public and private keys are used for the encryption and decryption of the data transferred between the computer and the USB key device;
a USB data transfer management module, connected to the first USB slave interface module (USB Device 1), the USB host interface module (USB Host) and the first encryption/decryption module, which, when the second identification code from the USB key device equals the first identification code, receives the key from the USB key device and schedules the data exchange among the data in the first USB slave interface module (USB Device), the data in the USB host interface module (USB Host) and the data in the encryption/decryption module, and otherwise forbids data transfer with the USB storage device;
a USB encryption/decryption bridge device function management module, located between the USB encryption/decryption bridge device and the USB key device, for configuring the bridge device into one of the following functions in response to an instruction from the USB key device: (a) bridge device closed: the USB host interface module is closed, the host port no longer operates, and the client computer cannot transfer data with a USB storage device through this port; (b) bridge device opened in non-encrypted mode: the USB host interface module of the bridge device is opened without enabling the encryption/decryption function, the client computer can transfer data with any USB storage device through this port, and the data is neither encrypted nor decrypted; (c) bridge device opened in encrypted mode: the host port of the bridge device is opened and the encryption/decryption function is enabled, the client computer can transfer data with a USB storage device through this port, data read from the USB storage device is decrypted and data written to the USB storage device is encrypted; (d) change of the encryption/decryption key: the key stored inside the USB key device is replaced by a new key generated by the second true random number module and saved in the second flash memory module; this function management module communicates according to the USB 2.0 protocol using private SCSI commands, and its operating process is as follows:
(1) after the USB key device is plugged in, the USB encryption/decryption bridge device enumerates it and recognises it as a key device;
(2) the bridge device reads the second identification code of the USB key device with a private SCSI command and checks whether this second identification code is valid; if it is valid, operation continues, otherwise the USB key device is ejected;
(3) the bridge device queries the USB key device for a pressed button; if a button is pressed, it performs the corresponding function and, once finished, feeds the status information back to the key device;
communication between the USB encryption/decryption bridge device and the USB key device uses the digital envelope mode, based on the RSA 1024-bit asymmetric encryption/decryption algorithm, and the public key of the asymmetric algorithm is encrypted and decrypted with the DES symmetric algorithm;
the USB key device further comprises:
a second USB slave interface module, for connecting to the USB host interface module (USB Host) of the USB encryption/decryption bridge device and for transferring data and the second identification code with the bridge device over the USB bus;
a second encryption/decryption module, which encrypts the key with the public key and decrypts the data from the USB encryption/decryption bridge device with the private key;
a second flash memory module (FLASH), for storing the key and the second identification code and for recording the functional state of the USB encryption/decryption bridge device;
four buttons, comprising a first button for closing the port, a second button for opening the USB bridge device in non-encrypted mode, a third button for opening the USB bridge device in encrypted mode, and a fourth button for changing the key.
2. The office system according to claim 1, characterised in that the first encryption/decryption module further comprises:
a first asymmetric algorithm RSA module, for encrypting and decrypting sensitive data when the USB encryption/decryption bridge device communicates with the USB key device, the sensitive data comprising the key and the second identification code of the USB key device;
a first symmetric algorithm module, which stores the SM1, SM4 or 3DES algorithm;
a first true random number module, for generating the random numbers required by the first asymmetric algorithm RSA module.
3. The office system according to claim 1, characterised in that the second encryption/decryption module further comprises:
a second asymmetric algorithm RSA module, for processing data when the USB encryption/decryption bridge device communicates with the USB key device;
a second symmetric algorithm module, which stores the SM1, SM4 or 3DES algorithm;
a second true random number module, for generating the random numbers required by the asymmetric algorithm RSA module and for producing the key from these random numbers.
CN201210458365.XA 2011-01-18 2011-01-18 Office system for improving data security Active CN102930229B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210458365.XA CN102930229B (en) 2011-01-18 2011-01-18 Office system for improving data security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210458365.XA CN102930229B (en) 2011-01-18 2011-01-18 Office system for improving data security

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201110020320XA Division CN102081713B (en) 2011-01-18 2011-01-18 An Office System for Preventing Data Leakage

Publications (2)

Publication Number Publication Date
CN102930229A true CN102930229A (en) 2013-02-13
CN102930229B CN102930229B (en) 2015-06-03

Family

ID=47645026

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210458365.XA Active CN102930229B (en) 2011-01-18 2011-01-18 Office system for improving data security

Country Status (1)

Country Link
CN (1) CN102930229B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103297736A (en) * 2013-06-13 2013-09-11 深圳南方汉邦数字技术有限公司 System and method for data storage and network transmission of video monitoring
CN105447394A (en) * 2015-11-23 2016-03-30 浪潮集团有限公司 Intelligent password key with local data encryption function
CN113569272A (en) * 2021-09-27 2021-10-29 深圳市永达电子信息股份有限公司 Secure computer implementation method and secure computer

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050050344A1 (en) * 2003-08-11 2005-03-03 Hull Jonathan J. Multimedia output device having embedded encryption functionality
US20070028112A1 (en) * 2005-07-29 2007-02-01 Mackelden John M Data transfer device
CN101196855A (en) * 2007-12-29 2008-06-11 北京华大恒泰科技有限责任公司 Mobile encrypted memory device and cipher text storage area data encrypting and deciphering processing method
CN101561751A (en) * 2009-04-30 2009-10-21 苏州国芯科技有限公司 USB encryption and decryption bridging chip

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 215011 Zhuyuan Road 209, New District, Suzhou City, Jiangsu Province

Patentee after: Suzhou Guoxin Technology Co., Ltd.

Address before: 215011 Zhuyuan Road 209, New District, Suzhou City, Jiangsu Province

Patentee before: C*Core Technology (Suzhou) Co., Ltd.