CN201549223U - Trusted secure portable storage device - Google Patents


Info

Publication number
CN201549223U
Authority
CN
China
Prior art keywords
trusted
credible
storage device
computing equipment
trusted computing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CN2009201077999U
Other languages
Chinese (zh)
Inventor
刘锋
周培军
李康清
郑必可
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua Tongfang Co Ltd
Tongfang Co Ltd
Original Assignee
Tongfang Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tongfang Co Ltd

Landscapes

  • Storage Device Security (AREA)

Abstract

A trusted secure portable storage device relates to the technical field of information security and comprises a portable storage device and a trusted computing device mutually connected with the portable storage device. The portable storage device includes an access control unit, a cryptography service unit, a data storage unit and a USB interface and can be in identity binding with the trusted computing device in manners of digital signature and signature verification. The trusted computing device comprises a trusted application program, a trusted OS Kernel, a trusted Boot Loader, a trusted BIOS/EFI and a trusted cryptographic module TCM which are mutually connected, wherein the trusted cryptography module TCM is a trusted root of the trusted computing device, and a trusted computing environment is built based on the trusted root. Compared with the prior art, by arranging the identity binding of the portable storage device and the trusted computing device, the trusted secure portable storage device ensures that data in the portable storage device can only flow within local range, and effectively prevents data leakage.

Description

Trusted secure portable storage device
Technical field
The utility model relates to the field of information security technology, in particular to a trusted secure portable storage device.
Background technology
In recent years, portable storage technology has developed rapidly, and both storage capacity and read/write speed have reached a very high level. Two kinds of portable storage device are currently popular with consumers: one is commonly called the USB flash disk, the other the portable hard drive. Both give users a portable way to store data. USB flash disk capacity usually ranges between 32MB and 64GB. USB flash disks usually follow the USB 1.1 and 2.0 standards for external data transfer, with transfer rates of up to 480Mbps. Because of cost and price, the capacity of commercially available USB flash disks is generally not very large, typically a few GB. To meet the demand for low cost and high capacity, portable hard drives have gradually entered the mainstream market. A portable hard drive uses a hard disk of the kind common in PCs or notebooks as its main component, with a data conversion circuit and a USB interface added. Because hard disk technology for PCs and notebooks is very mature, higher storage capacity can be obtained at a lower price, usually reaching several hundred GB. Portable hard drives usually use a USB interface, which meets users' requirements for plug and play and portability.
Because prior-art USB flash disks and portable hard drives use a USB interface, users can easily use them on different devices that have a USB interface, such as PCs, notebook computers and PDAs, which gives users great convenience and versatility. But for users with special requirements for data security and confidentiality, such as military research and design departments, classified departments, government agencies and enterprises, the portability and versatility of USB flash disks and portable hard drives bring a serious security risk. Some enterprise employees can easily copy out confidential enterprise data with a USB flash disk or portable hard drive, causing the confidential data to leak. To prevent leaks, some enterprises use physical means to block the USB interfaces on employees' computers so that users cannot use USB flash disks and portable hard drives, which makes normal data transfer difficult for users. The portability and versatility of USB flash disks and portable hard drives therefore conflict with security and confidentiality, and users must sacrifice either portability and versatility or security and confidentiality.
In recent years, with the development of trusted computing technology, trusted computing devices (trusted PCs, trusted servers, trusted mobile phones and so on) have gradually come to market. A trusted computing device builds a trusted computing platform by embedding a trusted security module in a conventional computing device as the security root of the system, such as the internationally common TPM (Trusted Platform Module) or the domestically developed TCM (Trusted Cryptography Module). Such a trusted computing platform can report its own identity externally for use in identity authentication. However, no technical reports have been seen on the secure use of trusted computing platforms together with portable storage devices.
Summary of the invention
To solve the above problems in the prior art, the purpose of the utility model is to provide a trusted secure portable storage device. It binds the identity of the portable storage device to the trusted computing device, ensuring that data in the portable storage device can only circulate within a local scope and effectively preventing data leakage.
To achieve the above purpose, the technical solution of the utility model is realized as follows:
A trusted secure portable storage device comprises a portable storage device and a trusted computing device connected to the portable storage device. Its structural feature is that the portable storage device comprises:
An access control unit, containing an interconnected USB data transfer protocol, access control protocol, and digital signature and authentication protocol, which provides access control and data transfer control services. The USB data transfer protocol controls data transfer, the access control protocol judges the access rights of the external trusted computing device, and the digital signature and authentication protocol provides services for issuing digital certificates, importing and exporting digital certificates, digital signature, and digital signature verification;
A cryptography service unit, connected to the access control unit, which provides cryptography services, including a random number generator that generates true random numbers, a digest algorithm, a symmetric encryption algorithm, an asymmetric encryption algorithm, a digital signature algorithm and a digital signature verification algorithm;
A data storage unit, connected to the access control unit, which stores data or information;
A USB interface, connected to the access control unit, which is the interface through which the portable storage device communicates with external devices;
The portable storage device and the trusted computing device perform identity binding by means of digital signature and signature verification. The trusted computing device comprises an interconnected trusted application program, trusted OS Kernel, trusted Boot Loader, trusted BIOS/EFI and trusted cryptography module TCM. The trusted cryptography module TCM is the trusted root of the trusted computing device, and the trusted computing environment is built on this trusted root.
In the above trusted secure portable storage device, identity binding between the portable storage device and the trusted computing device means that each side obtains the other side's digital certificate and performs digital signature and signature verification; only after mutual authentication succeeds can the trusted computing device read data from or write data to the data storage unit of the portable storage device.
In the above trusted secure portable storage device, one trusted computing device can be bound to one or more portable storage devices at the same time, and one portable storage device can be bound to one or more trusted computing devices at the same time.
In the above trusted secure portable storage device, the trusted application program includes an external device access agent, which connects through the USB interface to the USB data transfer protocol of the access control unit of the portable storage device.
In the above trusted secure portable storage device, the trusted root refers to the root of trust for measurement, the root of trust for reporting and the root of trust for storage.
In the above trusted secure portable storage device, the trusted computing device is a trusted PC, trusted server or trusted mobile phone.
In the above trusted secure portable storage device, the digest algorithm is the MD5, SHA or SM3 algorithm; the symmetric encryption algorithm is the DES, 3DES, IDEA, SMS4, SSF33 or SCB2 algorithm; the asymmetric encryption algorithm is the RSA or ECC algorithm; the digital signature and signature verification algorithms are the DSA, RSA or ECC signature and signature verification algorithms.
Because the utility model adopts the above structure, the portable storage device is identity-bound to the trusted computing device by means of digital signature and signature verification. Only after identity binding can the trusted computing device read and write the data storage unit in the portable storage device. The utility model balances the general portability and the security of the portable storage device, and is suitable for users with high data confidentiality requirements.
The utility model is described in further detail below with reference to the drawings and specific embodiments.
Description of drawings
Fig. 1 is a schematic diagram of the structural principle of the utility model;
Fig. 2 is a structural diagram of the portable storage device of embodiment one of the utility model;
Fig. 3 is a structural diagram of the portable storage device of embodiment two of the utility model.
Embodiment
Referring to Fig. 1, the utility model comprises a portable storage device and a trusted computing device connected to it, such as a trusted PC, trusted server or trusted mobile phone. The portable storage device and the trusted computing device perform identity binding by means of digital signature and signature verification. This identity binding means that each side obtains the other side's digital certificate and performs digital signature and signature verification; only after mutual authentication succeeds can the trusted computing device read data from or write data to the data storage unit of the portable storage device. One trusted computing device can be bound to one or more portable storage devices at the same time, and one portable storage device can be bound to one or more trusted computing devices at the same time. The trusted computing device comprises an interconnected trusted application program, trusted OS Kernel, trusted Boot Loader, trusted BIOS/EFI and trusted cryptography module TCM. The trusted cryptography module TCM is the trusted root of the trusted computing device, and the trusted computing environment is built on this trusted root; the trusted root comprises the root of trust for measurement, the root of trust for reporting and the root of trust for storage. The trusted application program includes an external device access agent, which connects through the USB interface to the USB data transfer protocol of the access control unit of the portable storage device. The portable storage device comprises:
An access control unit, containing an interconnected USB data transfer protocol, access control protocol, and digital signature and authentication protocol, which provides access control and data transfer control services. The USB data transfer protocol controls data transfer, the access control protocol judges the access rights of the external trusted computing device, and the digital signature and authentication protocol provides services for issuing digital certificates, importing and exporting digital certificates, digital signature, and digital signature verification;
A cryptography service unit, connected to the access control unit, which provides cryptography services, including a random number generator that generates true random numbers, a digest algorithm, a symmetric encryption algorithm, an asymmetric encryption algorithm, a digital signature algorithm and a digital signature verification algorithm. The digest algorithm is the MD5, SHA or SM3 algorithm; the symmetric encryption algorithm is the DES, 3DES, IDEA, SMS4, SSF33 or SCB2 algorithm; the asymmetric encryption algorithm is the RSA or ECC algorithm; the digital signature and signature verification algorithms are the DSA, RSA or ECC signature and signature verification algorithms;
A data storage unit, connected to the access control unit, which stores data or information;
A USB interface, connected to the access control unit, which is the interface through which the portable storage device communicates with external devices;
Referring to Fig. 2, the access control unit in embodiment one of the utility model uses the TI OMAP3530 chip. The TI OMAP3530 is a processor from Texas Instruments that integrates multiple functions and is responsible for the various arithmetic and logic operations. The cryptography service unit uses the MT29C2G24MAKLAJA storage chip, which is divided internally into two regions: the first is a temporary data exchange area, the data buffer used by the processor during computation; the second stores the software code of the embedded operating system and the various application programs (including the protocols and cryptographic algorithms). The data storage unit uses an MT29F32G08QAAWP storage chip and a JMF602 chip connected to each other. A single MT29F32G08QAAWP storage chip has a capacity of 8GB and is the storage area for the user's general data; capacity can be expanded further by using several chips in an array. The JMF602 chip is a memory controller that controls reading, writing and storage of data on the MT29F32G08QAAWP storage chip. The USB interface uses the USB3316QFN chip, a USB controller that controls the exchange of data between the inside and the outside of the device over USB. Embodiment one of the utility model is a secure USB flash disk design.
Referring to Fig. 3, by replacing the data storage unit of embodiment one, the utility model can easily be ported to obtain a secure portable hard drive design. The chips used for the access control unit, cryptography service unit and USB interface in embodiment two are the same as in embodiment one; only the data storage unit is replaced by a data interface conversion circuit connected to an ordinary 2.5 or 3.5 inch hard disk. The secure portable hard drive realized by this embodiment is not only secure but also has a large capacity.
The authentication and binding procedure between the portable storage device of the utility model and the trusted computer is as follows:
(1) The secure portable storage device and the trusted computer each obtain, from a trusted third party, a digital certificate that represents their own identity.
(2) After the secure portable storage device is connected to the trusted computer through the USB interface, each side presents its digital certificate to the other.
(3) Each side checks the validity of the other side's digital certificate. If either side's check fails, data access between the two sides stops. If both checks pass, go to step (4).
(4) Each side extracts the other side's public key from the other side's digital certificate and stores it in its internal storage area.
(5) Each side adds the other to its own permitted access control list or denied access control list. If either side adds the other to its denied access control list, data access between the two sides stops. If both sides add each other to their permitted access control lists, go to step (6).
(6) The two sides establish the identity binding relationship, and the trusted computer can read data from or write data to the storage unit of the portable storage device.
(7) The next time the two sides begin communicating, they confirm each other's identity by digital signature and signature verification. After identity is confirmed, data transfer can proceed if the two sides have established an identity binding relationship; otherwise communication terminates.
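
Steps (1) to (7) above, as an added Go example that is not part of the patent text. It assumes Ed25519 as a stand-in for the ECC signature option, a simplified `Cert` struct instead of a real certificate format, and a nonce challenge-response as the form of step (7); the party names are constructed, and the denied list is also checked at session time so that a later denial ends an existing binding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert stands in for the step (1) certificate: a CA-signed name and public key.
type Cert struct {
	Name string
	Pub  ed25519.PublicKey
	Sig  []byte
}

// Party models either side: the storage device or the trusted computer.
type Party struct {
	Name  string
	key   ed25519.PrivateKey
	ca    ed25519.PublicKey
	Cert  Cert
	Allow map[string]ed25519.PublicKey // permitted-access list, with stored peer keys
	Deny  map[string]bool              // denied-access list
}

// msg builds the bytes to sign from a domain tag, a name and a payload.
func msg(tag, name string, data []byte) []byte {
	return append([]byte(tag+"\x00"+name+"\x00"), data...)
}

func NewKey() ed25519.PrivateKey {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return priv
}

// NewParty generates a key pair and has the trusted third party certify it (step 1).
func NewParty(name string, ca ed25519.PrivateKey) *Party {
	key := NewKey()
	pub := key.Public().(ed25519.PublicKey)
	cert := Cert{name, pub, ed25519.Sign(ca, msg("cert", name, pub))}
	return &Party{name, key, ca.Public().(ed25519.PublicKey), cert,
		map[string]ed25519.PublicKey{}, map[string]bool{}}
}

// accepts is the step (3) and (5) decision on one side: valid certificate, peer not denied.
func (p *Party) accepts(c Cert) bool {
	return !p.Deny[c.Name] && len(c.Pub) == ed25519.PublicKeySize &&
		ed25519.Verify(p.ca, msg("cert", c.Name, c.Pub), c.Sig)
}

// Bind is steps (2)-(6): keys are stored only when both sides accept each other.
func Bind(a, b *Party) bool {
	if !a.accepts(b.Cert) || !b.accepts(a.Cert) {
		return false
	}
	a.Allow[b.Name], b.Allow[a.Name] = b.Cert.Pub, a.Cert.Pub // step (4)
	return true
}

// Proves: verifier v issues a fresh nonce, prover p signs it, and v checks the
// signature with the key it stored at binding time (assumed form of step 7).
func Proves(p, v *Party) bool {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	sig := ed25519.Sign(p.key, msg("auth", p.Name, nonce))
	pub, bound := v.Allow[p.Name]
	return bound && !v.Deny[p.Name] && ed25519.Verify(pub, msg("auth", p.Name, nonce), sig)
}

// Session gates data transfer on proof of identity in both directions (step 7).
func Session(a, b *Party) bool { return Proves(a, b) && Proves(b, a) }

func main() {
	ca := NewKey()
	disk, pc := NewParty("usb-disk", ca), NewParty("trusted-pc", ca) // constructed names
	fmt.Println(Bind(pc, disk), Session(pc, disk))
}
```

Because each verifier checks the signature against the key it stored at binding time, a host that merely presents the bound name, or a certificate from another issuer, cannot open a session.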

Claims (6)

1. A trusted secure portable storage device, comprising a portable storage device and a trusted computing device connected to the portable storage device, characterized in that the portable storage device comprises:
An access control unit, containing an interconnected USB data transfer protocol, access control protocol, and digital signature and authentication protocol, which provides access control and data transfer control services, wherein the USB data transfer protocol controls data transfer, the access control protocol judges the access rights of the external trusted computing device, and the digital signature and authentication protocol provides services for issuing digital certificates, importing and exporting digital certificates, digital signature, and digital signature verification;
A cryptography service unit, connected to the access control unit, which provides cryptography services, including a random number generator that generates true random numbers, a digest algorithm, a symmetric encryption algorithm, an asymmetric encryption algorithm, a digital signature algorithm and a digital signature verification algorithm;
A data storage unit, connected to the access control unit, which stores data or information;
A USB interface, connected to the access control unit, which is the interface through which the portable storage device communicates with external devices;
The portable storage device and the trusted computing device perform identity binding by means of digital signature and signature verification; the trusted computing device comprises an interconnected trusted application program, trusted OS Kernel, trusted Boot Loader, trusted BIOS/EFI and trusted cryptography module TCM; the trusted cryptography module TCM is the trusted root of the trusted computing device, and the trusted computing environment is built on this trusted root.
2. The trusted secure portable storage device according to claim 1, characterized in that identity binding between the portable storage device and the trusted computing device means that each side obtains the other side's digital certificate and performs digital signature and signature verification, and only after mutual authentication succeeds can the trusted computing device read data from or write data to the data storage unit of the portable storage device.
3. The trusted secure portable storage device according to claim 1 or 2, characterized in that one trusted computing device can be bound to one or more portable storage devices at the same time, and one portable storage device can be bound to one or more trusted computing devices at the same time.
4. The trusted secure portable storage device according to claim 3, characterized in that the trusted application program includes an external device access agent, which connects through the USB interface to the USB data transfer protocol of the access control unit of the portable storage device.
5. The trusted secure portable storage device according to claim 4, characterized in that the trusted root refers to the root of trust for measurement, the root of trust for reporting and the root of trust for storage.
6. The trusted secure portable storage device according to claim 5, characterized in that the trusted computing device is a trusted PC, trusted server or trusted mobile phone.
CN2009201077999U 2009-05-04 2009-05-04 Trusted secure portable storage device Expired - Lifetime CN201549223U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009201077999U CN201549223U (en) 2009-05-04 2009-05-04 Trusted secure portable storage device

Publications (1)

Publication Number Publication Date
CN201549223U true CN201549223U (en) 2010-08-11

Family

ID=42604402

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009201077999U Expired - Lifetime CN201549223U (en) 2009-05-04 2009-05-04 Trusted secure portable storage device

Country Status (1)

Country Link
CN (1) CN201549223U (en)

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
AV01 Patent right actively abandoned

Granted publication date: 20100811

Effective date of abandoning: 20090504