CN112131555B - Local data guard type safety management device and method for 5G mobile terminal - Google Patents

Publication number: CN112131555B
Authority: CN (China)
Prior art keywords: data, application program, trusted, module, storage device
Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Application number: CN202011054803.7A
Priority: CN202011054803.7A
Other languages: Chinese (zh)
Other versions: CN112131555A (en)
Inventors: 宿琳涵, 夏捷, 刘国庆, 高文博, 李慧霞
Current Assignee (the listed assignees may be inaccurate): Xingtang Telecommunication Technology Co ltd; Data Communication Science & Technology Research Institute
Original Assignee: Xingtang Telecommunication Technology Co ltd; Data Communication Science & Technology Research Institute
Application filed by: Xingtang Telecommunication Technology Co ltd; Data Communication Science & Technology Research Institute

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits

Abstract

The invention relates to a local data guard-type security management device and method for a 5G mobile terminal. In the device, a security module is connected in series on the communication link between an application processor and a communication processor; a storage device is connected to the security module and stores local data. The security module performs guard-type security management of the mobile terminal's local data: it determines whether an application program in the application processor that requests access to the storage device may access it according to whether that application program is trusted; data to be stored that is generated by a trusted application program is indiscriminately encrypted and then stored in the storage device, or data to be read by a trusted application program is read from the storage device, decrypted and output to the application processor. The communication processor compresses and encodes the data that the application processor sends externally, after that data has been encrypted, and sends it to the air interface. The invention realizes full-disk encryption of the local data stream and reduces the risk of data leakage.

Description

Local data guard type safety management device and method for 5G mobile terminal
Technical Field
The invention relates to the technical field of communication, in particular to a local data guard type safety management device and method for a 5G mobile terminal.
Background
To store local data files securely, the risk of local data leakage caused by malicious software, operating system vulnerabilities and the like that may exist in the mobile terminal must be prevented. Conventional methods for local data storage on a mobile terminal generally use specific software techniques, such as hooking (API hooks), to change the data transmission process within the mobile terminal system: the data is monitored and intercepted before it reaches its destination, processed, and then passed on. Hooking supports monitoring operations such as creating, opening, modifying, copying and saving files.
At present, secure local data storage on a mobile terminal usually depends on operating system software. Mobile terminal operating systems (such as Android, iOS and the like) have a huge amount of code and are upgraded frequently; the software that secure storage is built on is spread across the application layer, framework layer, kernel layer and so on of the system, and the API functions it calls are wrapped many times over. Meanwhile, the operating system may be attacked by malicious software, so correct implementation of secure local data storage is difficult to guarantee, and there is a risk that secure storage is bypassed and local data is not stored in a trusted, secure way. The conventional guard-type encryption method inserts an encryption machine at the data access port to encrypt and decrypt data; because it is tied to particular equipment, its universality is limited and it can only support specific storage devices.
Disclosure of Invention
In view of the above analysis, the present invention aims to provide a local data guard-type security management device and method for a 5G mobile terminal, to solve the problem of local data security.
The invention discloses a local data guard-type security management device for a 5G mobile terminal, characterized in that a security module is connected in series on the communication link between an application processor and a communication processor; a storage device is connected to the security module and stores local data;
The security module performs guard-type security management of the mobile terminal's local data: it determines whether an application program in the application processor that requests access to the storage device may access it according to whether that application program is trusted; data to be stored that is generated by a trusted application program is indiscriminately encrypted and then stored in the storage device, or data to be read by a trusted application program is read from the storage device, decrypted and output to the application processor;
The security module is also used for compressing and encoding data to be sent externally from the application processor and then sending it to the air interface through the communication processor.
Furthermore, the security module has a built-in operating system, which performs encryption and decryption control of data, judges whether an application program is trusted, and configures drivers for the connected storage device so as to support plug and play of the storage device.
Further, the security module separates the control channel, through which the application program accesses the storage device, from the data channel.
Further, the control channel mainly carries secure read-write instructions for local data; the read-write instruction information sent by the application processor through the control channel terminates at the security module and does not directly control reads and writes of the storage device; read-write control of the storage device must be carried out by the security module after the security module has parsed the read-write instruction information;
the data channel is mainly used for transmitting local data; the security module indiscriminately encrypts the data to be stored that arrives on the data channel and then stores it in the storage device, and decrypts the data to be read before outputting it over the data channel to the application processor.
Further, the security module comprises a driver module, an encryption service module, a storage service module and a core control module;
the driver module configures drivers for different types of storage devices;
The encryption service module runs mainstream encryption algorithms to encrypt and decrypt local data, and supports configuring the encryption algorithm according to actual needs;
The storage service module selects the storage device that the application program's data read or write targets, and uses the driver corresponding to the type of that storage device;
The core control module implements the control function for secure reading and writing of local data; it coordinates and controls the encryption service module and the storage service module, and judges whether the application program is trusted.
Further, the device also comprises a trusted control module, which is connected to the core control module and performs trusted-judgment configuration of the security module; the security module judges whether the application program can access the storage device according to the configured trust judgment conditions.
Further, the trusted-judgment configuration methods comprise:
The first type of configuration, manual configuration: the application program information and the information of the storage device the application program wants to access are obtained by a person through the human-computer interaction interface of the trusted control module, the person decides whether the application program is trusted, and the security module responds to the read-write requests of trusted application programs;
The second type of configuration, application whitelist: a whitelist of application programs running in the application processor is preset in the trusted control module, the security module determines whether an application program is trusted according to the whitelist, and responds to the read-write requests of trusted application programs;
The third type of configuration, indiscriminate approval: all application programs are set as trusted, the security module responds indiscriminately to the storage read-write requests of all application programs, and audits those requests so that storage reads and writes can be traced back later.
The invention also discloses a security management method based on the guard-type security management device, characterized by comprising a data storage step and a data reading step;
The data storage step includes:
an application program running in the application processor generates data to be stored;
the application program sends a data storage instruction to the security module; the security module judges whether the application program is trusted and determines whether the application program can access the storage device;
if trusted, the data to be stored is indiscriminately encrypted and then stored in the storage device.
The data reading step includes:
while running, an application program in the application processor needs to read data from the storage device and sends a data reading instruction to the security module;
the security module judges whether the application program is trusted and determines whether the application program can access the storage device;
if trusted, the data to be read is read from the storage device, decrypted and then output to the application processor.
Further, for the first type of trusted-judgment configuration, manual configuration: the application program information and the information of the storage device the application program wants to access are obtained by a person through the human-computer interaction interface of the trusted control module, and the person decides whether the application program is trusted.
Further, for the second type of trusted-judgment configuration, application whitelist: a whitelist of application programs running in the application processor is preset in the trusted control module, and the security module determines whether an application program is trusted according to the whitelist.
The invention has at least one of the following beneficial effects:
The method and the device realize full-disk encryption of the local data stream and solve the problem of trusted local secure storage on the mobile terminal. The control channel and the data channel are separated, which ensures that data on the data channel is encrypted indiscriminately and that all data written to the storage device is encrypted. In this way, there is no risk of data leakage even if the storage is physically removed.
The security module has a built-in operating system and can be configured with storage drivers, so it supports many different storage devices and plug and play, avoiding the situation where a specific storage device requires a specific security module.
The method is not limited by the existing mobile terminal operating system and can be used in mobile terminals running the Android, Windows Phone and Linux operating systems.
Drawings
The drawings are only for purposes of illustrating particular embodiments and are not to be construed as limiting the invention, like reference numerals being used to refer to like parts throughout the several views.
Fig. 1 is a schematic diagram of the connections of the local data guard-type security management device of a 5G mobile terminal in this embodiment.
Detailed Description
Preferred embodiments of the present application are described in detail below with reference to the attached drawing figures, which form a part of the present application and are used in conjunction with embodiments of the present application to illustrate the principles of the present application.
This embodiment discloses a local data guard-type security management device for a 5G mobile terminal. As shown in Fig. 1, a security module (SU) is connected in series on the communication link between an Application Processor (AP) and a Communication Processor (CP), and the storage device that stores local data is connected through the security module (SU).
The security module sits on the mandatory path for storing and reading the local data of the 5G mobile terminal and performs guard-type security management of that data: it determines whether an application program in the application processor that requests access to the storage device may access it according to whether that application program is trusted; data to be stored that is generated by a trusted application program is indiscriminately encrypted and then stored in the storage device, or data to be read by a trusted application program is read from the storage device, decrypted and then output to the application processor;
The security module (SU) is further configured to encrypt the data that the Application Processor (AP) sends externally; the Communication Processor (CP) then compresses and encodes the data and sends it to the air interface.
All locally stored data and all data transmitted wirelessly by the Communication Processor (CP) are encrypted by the security module (SU).
Specifically, the security module (SU) has a built-in operating system that can configure drivers for the storage devices of the mobile terminal without depending on the Application Processor (AP). The built-in operating system controls encryption and decryption of data, judges whether an application program is trusted, and configures drivers for the connected storage device, thereby supporting plug and play of a specific storage device or of multiple different storage devices.
The built-in operating system of the security module (SU) is a customized, modified operating system; it has characteristics such as being real-time and lightweight, and supports security assessment.
The security module (SU) decouples the control channel, through which applications access the storage device, from the data channel.
Specifically, the driver for data interaction between the application processor and the security module uses two independent stacks, one for sending and receiving control commands and the other for sending and receiving data, thereby forming separate control and data channels;
The control channel mainly carries secure read-write instructions for local data; the read-write instruction information sent by the Application Processor (AP) through the control channel terminates at the security module and does not directly control reads and writes of the storage device; read-write control of the storage device must be carried out by the security module (SU) after the security module has parsed the read-write instruction information; the security module (SU) identifies illegal store or read instructions and gives early warning of them;
The data channel is mainly used for transmitting local data; the security module indiscriminately encrypts the data to be stored that arrives on the data channel and then stores it in the storage device, and decrypts the data to be read before outputting it over the data channel to the application processor. The security module (SU) indiscriminately encrypts the data stored via the data channel, ensuring that all data written to the storage device is encrypted. In this way, there is no risk of data leakage even if the storage device is physically removed.
More specifically, an application program on the Application Processor (AP) side generates data and, by calling APIs on the AP side, forms the data to be stored through the file system. The application program on the AP side applies to the security module (SU) for the encrypted data storage service through the control channel; the control information includes the destination of the data being stored from the AP side, that is, the destination storage device to be written. After the security module (SU) judges that the application program is trusted, the application program obtains permission to use the encrypted data storage service of the security module (SU), and the AP's data to be stored is encrypted by the security module (SU) and written to the destination storage device.
When an application program in the Application Processor (AP) needs to retrieve data from storage, the application program on the AP side applies to the security module (SU) for the decrypted data reading service through the control channel; the control information includes the target information for the data read on the AP side, that is, the target storage device to be read. After the security module (SU) judges that the application program is trusted, that is, the request is legitimate, the security module reads the data from the target storage device, decrypts it, and outputs the decrypted data to the Application Processor (AP).
More preferably, the security module (SU) can update its built-in operating system through an external interface, and compile and configure drivers for storage devices as needed.
The security module (SU) has a custom interface for upgrading and debugging the built-in operating system. The interface uses a specially customized protocol, so that general-purpose equipment cannot communicate with the SU, which prevents the encryption method from being cracked. According to the actual application requirements of the security module (SU), driver services can be removed and the drivers for each storage device can be configured.
In addition, the operating system of the security module (SU) is independent of the Application Processor (AP), so its security is ensured by the operating system itself; it has security functions such as security self-check and secure boot, and provides a highly trusted execution environment for the security services of the mobile terminal.
Specifically, the security module (SU) includes a driver module, a core control module, an encryption service module and a storage service module;
The driver module configures drivers for different types of storage devices, including but not limited to hard disks in formats such as NTFS, FAT32 and EXT4, and internal memory and external memory cards in formats such as EXT3 and EXT4, so that plug and play is supported and the situation where a specific storage device requires a specific security module is avoided.
The encryption service module encrypts and decrypts local data, supports mainstream encryption algorithms, and allows the algorithm to be configured as required. When data is stored, it encrypts the data stream; when data is read, it decrypts the data stream.
By comparison, mainstream storage services encrypt files: the encrypted objects are content such as text and images, and the encryption is mainly implemented at the application layer of the operating system. The encryption service module instead uses a streaming data encryption method to indiscriminately encrypt all data passing through the security module, which improves the reliability of the encryption service.
The storage service module selects the corresponding storage device and uses the driver matching the type of the storage device to write the encrypted data to the storage device.
The core control module implements the control function for secure reading and writing of local data; it coordinates and controls the encryption service module and the storage service module, and judges whether the application program is trusted.
More specifically, the driver module is connected to the storage service module of the Application Processor (AP) to establish the control channel and the data channel;
Control instructions, which comprise data storage instructions and data reading instructions, are transmitted between the storage service module of the Application Processor (AP) and the core control module through the control channel;
data is transmitted in both directions between the storage service module of the Application Processor (AP) and the encryption service module through the data channel, for encrypted storage or decrypted reading.
When data is encrypted and stored, the encryption service module indiscriminately encrypts the data arriving on the data channel and stores the encrypted data in the corresponding storage device;
When data is decrypted and read, the encryption service module obtains from the storage device the data that the storage service module of the Application Processor (AP) wants to read, decrypts it, and outputs it to that storage service module through the data channel.
Encrypted storage and decrypted reading of data are controlled by the core control module of the security module (SU), and the Application Processor (AP) takes no part in the control, so the operation is transparent to the application layer: the Application Processor (AP) only needs to perform normal read-write operations and bears no encryption or decryption workload.
Similarly, the data that the Application Processor (AP) sends externally is encrypted in the security module (SU), and the Application Processor (AP) takes no part in the control, so the operation is transparent to the application layer: the Application Processor (AP) only needs to perform normal read-write operations and bears no encryption or decryption workload.
Preferably, the device also comprises a trusted control module, which is connected to the core control module and provides human-computer interaction. Its human-computer interaction interface includes but is not limited to a touch display screen and keys; the display screen can show information about the storage read-write operation in progress, including but not limited to the executing application and the files being read or written. The trusted control module performs trusted-judgment configuration of the core control module; according to the deployed policy, the security module (SU) judges whether the application program can access the storage device according to the configured trust judgment conditions.
Specifically, the trusted-judgment configuration methods comprise:
The first type of configuration, manual configuration: the application program information and the information of the storage device the application program wants to access are obtained by a person through the human-computer interaction interface of the trusted control module, the person decides whether the application program is trusted, and the security module responds to the read-write requests of trusted application programs;
The second type of configuration, application whitelist: a whitelist of application programs running in the application processor is preset in the trusted control module, the security module determines whether an application program is trusted according to the whitelist, and responds to the read-write requests of trusted application programs;
The third type of configuration, indiscriminate approval: all application programs are set as trusted, the security module responds indiscriminately to the storage read-write requests of all application programs, and audits those requests so that storage reads and writes can be traced back later.
This embodiment realizes full-disk encryption of the local data stream and solves the problem of trusted local secure storage on the mobile terminal. The control channel and the data channel are separated, which ensures that data on the data channel is encrypted indiscriminately and that all data written to the storage device is encrypted. In this way, there is no risk of data leakage even if the storage is physically removed. The security module has a built-in operating system and can be configured with storage drivers, so it supports many different storage devices and plug and play, avoiding the situation where a specific storage device requires a specific security module. The method is not limited by the existing mobile terminal operating system and can be used in mobile terminals running the Android, Windows Phone and Linux operating systems.
This embodiment also comprises a local data guard-type security management method for a 5G mobile terminal, which comprises a data storage step and a data reading step;
The data storage step includes:
an application program running in the application processor generates data to be stored;
the application program sends a data storage instruction to the security module; the security module judges whether the application program is trusted and determines whether the application program can access the storage device;
if trusted, the data to be stored is indiscriminately encrypted and then stored in the storage device.
The data reading step includes:
while running, an application program in the application processor needs to read data from the storage device and sends a data reading instruction to the security module;
the security module judges whether the application program is trusted and determines whether the application program can access the storage device;
if trusted, the data to be read is read from the storage device, decrypted and then output to the application processor.
For the first type of trusted-judgment configuration, manual configuration: the application program information and the information of the storage device the application program wants to access are obtained by a person through the human-computer interaction interface of the trusted control module, and the person decides whether the application program is trusted.
For the second type of trusted-judgment configuration, application whitelist: a whitelist of application programs running in the application processor is preset in the trusted control module, and the security module determines whether an application program is trusted according to the whitelist;
For the third type of trusted-judgment configuration, indiscriminate approval: all application programs are set as trusted, the security module responds indiscriminately to the storage read-write requests of all application programs, and audits those requests so that storage reads and writes can be traced back later.
The effects and technical details of the method embodiment are similar to those of the device embodiment; for specifics, refer to the device embodiment, which are not repeated here.
The present invention is not limited to the above-mentioned embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present invention are intended to be included in the scope of the present invention.
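The store and read steps, the separated control and data channels, and the three trusted-judgment configurations described above, modelled as an added Python example (not code from the patent or its assignees). The class and method names, the one-time ticket that links a control-channel grant to a data-channel transfer, and the SHA-256 counter-mode keystream standing in for the unspecified "mainstream encryption algorithm" are assumptions made for illustration.

```python
import hashlib
import os
import secrets
from enum import Enum


class TrustMode(Enum):
    MANUAL = "manual"        # first type: a person decides each request
    WHITELIST = "whitelist"  # second type: preset application whitelist
    ALLOW_ALL = "allow_all"  # third type: all apps trusted, requests audited


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), not for production.

    Assumption: the patent names no algorithm; a real module would use a
    vetted cipher. XOR with the same keystream both encrypts and decrypts.
    """
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        pad = hashlib.sha256(key + nonce + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)


class SecurityModule:
    """Hypothetical model of the SU sitting between the AP and storage."""

    def __init__(self, mode, whitelist=(), operator=None):
        self.mode = mode
        self.whitelist = frozenset(whitelist)
        self.operator = operator      # manual mode: callback(app, op, device)
        self._key = os.urandom(32)    # key material never leaves the SU
        self._devices = {}            # device -> {name: (nonce, ciphertext)}
        self._tickets = {}            # ticket -> (op, device, name)
        self.audit = []               # (app, op, device, name, decision)

    def _is_trusted(self, app, op, device):
        if self.mode is TrustMode.ALLOW_ALL:
            return True
        if self.mode is TrustMode.WHITELIST:
            return app in self.whitelist
        return bool(self.operator and self.operator(app, op, device))

    def control(self, app, op, device, name):
        """Control channel: the instruction terminates here and is parsed."""
        ok = op in ("store", "read") and self._is_trusted(app, op, device)
        self.audit.append((app, op, device, name, "allow" if ok else "deny"))
        if not ok:
            return None
        ticket = secrets.token_hex(8)  # assumption: one-time grant
        self._tickets[ticket] = (op, device, name)
        return ticket

    def data_write(self, ticket, plaintext: bytes) -> bool:
        """Data channel, store direction: everything is encrypted first."""
        grant = self._tickets.pop(ticket, None)
        if grant is None or grant[0] != "store":
            return False
        _, device, name = grant
        nonce = os.urandom(16)
        ciphertext = keystream_xor(self._key, nonce, plaintext)
        self._devices.setdefault(device, {})[name] = (nonce, ciphertext)
        return True

    def data_read(self, ticket):
        """Data channel, read direction: decrypt before handing to the AP."""
        grant = self._tickets.pop(ticket, None)
        if grant is None or grant[0] != "read":
            return None
        _, device, name = grant
        record = self._devices.get(device, {}).get(name)
        if record is None:
            return None
        nonce, ciphertext = record
        return keystream_xor(self._key, nonce, ciphertext)

    def raw_device_bytes(self, device, name):
        """What is visible if the storage device is physically removed."""
        return self._devices[device][name][1]


def demo():
    # Constructed sample: app names, device name and payload are made up.
    su = SecurityModule(TrustMode.WHITELIST, whitelist={"com.example.notes"})
    secret = b"constructed sample: meeting notes"
    t1 = su.control("com.example.notes", "store", "sdcard0", "notes.txt")
    stored = su.data_write(t1, secret)
    denied = su.control("com.example.unknown", "read", "sdcard0", "notes.txt")
    t2 = su.control("com.example.notes", "read", "sdcard0", "notes.txt")
    return {
        "stored": stored,
        "denied_ticket": denied,
        "at_rest": su.raw_device_bytes("sdcard0", "notes.txt"),
        "read_back": su.data_read(t2),
        "replayed": su.data_read(t2),   # ticket already consumed
        "audit": [entry[4] for entry in su.audit],
    }


if __name__ == "__main__":
    print(demo())
```

In this model the AP-side caller never addresses the storage device; it can only ask on the control channel and then move bytes on the data channel, and the audit list records denied requests as well as allowed ones.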

Claims (6)

1. A local data guard type safety management device of a 5G mobile terminal, characterized in that a security module is connected in series on the communication link between an application processor and a communication processor; a storage device is connected with the security module and used for storing local data;
the security module is used for performing guard type security management on the local data of the mobile terminal, and determines whether an application program in the application processor that requests access to the storage device can access the storage device according to whether that application program is trusted; the data to be stored generated by a trusted application program is stored in the storage device after indiscriminate encryption; or the data to be read by a trusted application program is read from the storage device, decrypted and output to the application processor;
the security module is also used for compressing and encoding data in the application processor that is to be transmitted externally, and then transmitting the data to the air interface through the communication processor;
an operating system is built into the security module, which performs encryption and decryption control on data, judges through the internal operating system whether an application program is trusted, and performs driver configuration for a connected storage device, thereby supporting plug and play of the storage device;
the security module separates the control channel through which the application program accesses the storage device from the data channel;
the control channel mainly transmits local data security read-write instructions; the read-write instruction information transmitted by the application processor through the control channel terminates at the security module and does not directly control the reading and writing of the storage device; read-write control of the storage device must be performed by the security module after the security module has parsed the read-write instruction information;
the data channel is mainly used for transmitting local data; the security module indiscriminately encrypts the data to be stored in the data channel and then stores it in the storage device, and decrypts the data to be read in the data channel and then outputs it to the application processor;
the security module comprises a driving module, an encryption service module, a storage service module and a core control module;
the driving module is used for configuring driving programs of different types of storage devices;
the encryption service module is used for running a mainstream encryption algorithm, realizing encryption and decryption of local data, and supporting configuration of the encryption algorithm according to actual needs;
the storage service module is used for selecting the storage device corresponding to the application program's data read or write, and using the corresponding driver according to the type of the storage device;
the core control module is used for realizing the control function of secure reading and writing of local data; the encryption service module and the storage service module cooperate and control the encryption service module to judge whether the application program is trusted.
2. The guard type safety management device according to claim 1, further comprising a trusted control module, wherein the trusted control module is connected with the core control module and performs trusted judgment configuration on the security module; and the security module judges whether the application program can access the storage device according to the configured trust judgment condition.
3. The guard type safety management device according to claim 2, wherein the trusted judgment configuration comprises:
a first type of configuration, manual configuration: application program information and information on the storage device to be accessed by the application program are obtained manually through the human-computer interaction interface of the trusted control module, whether the application program is trusted is determined manually, and the security module responds to the read-write requests of trusted application programs;
a second type of configuration, an application whitelist: a whitelist of application programs running in the application processor is preset in the trusted control module, the security module determines whether an application program is trusted according to the whitelist, and responds to the read-write requests of trusted application programs;
a third type of configuration, indiscriminate agreement: all application programs are set as trusted, the security module responds indiscriminately to the memory read-write requests of all application programs, and the requests are audited so that memory reads and writes can be traced back later.
4. A security management method based on the guard type safety management device of any one of claims 1 to 3, characterized by comprising a data storage step and a data reading step;
the data storage step includes:
an application program running in the application processor generates data to be stored;
the application program sends a data storage instruction to the security module; the security module judges whether the application program is trusted and thereby determines whether the application program can access the storage device;
if the application program is trusted, the data to be stored is stored in the storage device after indiscriminate encryption;
the data reading step includes:
while running, an application program in the application processor needs to read data from the storage device, and sends a data reading instruction to the security module;
the security module judges whether the application program is trusted and thereby determines whether the application program can access the storage device;
if the application program is trusted, the data to be read is read out from the storage device, decrypted and then output to the application processor.
5. The security management method according to claim 4, wherein, for a first type of trusted judgment configuration, manual configuration: application program information and information on the storage device to be accessed by the application program are obtained manually through the human-computer interaction interface of the trusted control module, and whether the application program is trusted is determined manually.
6. The security management method according to claim 4, wherein, for a second type of trusted judgment configuration, an application whitelist: a whitelist of application programs running in the application processor is preset in the trusted control module, and the security module determines whether an application program is trusted according to the whitelist.
CN202011054803.7A 2020-09-28 2020-09-28 Local data guard type safety management device and method for 5G mobile terminal Active CN112131555B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011054803.7A CN112131555B (en) 2020-09-28 2020-09-28 Local data guard type safety management device and method for 5G mobile terminal

Publications (2)

Publication Number Publication Date
CN112131555A (en) 2020-12-25
CN112131555B (en) 2024-05-14

Family

ID=73843301

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant