CN202217282U - Safety data memory system based on finger print universal serial bus (USB) flash disk and virtual machine - Google Patents

Safety data memory system based on finger print universal serial bus (USB) flash disk and virtual machine Download PDF

Info

Publication number
CN202217282U
CN202217282U CN2011202516295U CN201120251629U CN202217282U CN 202217282 U CN202217282 U CN 202217282U CN 2011202516295 U CN2011202516295 U CN 2011202516295U CN 201120251629 U CN201120251629 U CN 201120251629U CN 202217282 U CN202217282 U CN 202217282U
Authority
CN
China
Prior art keywords
flash disk
usb flash
virtual machine
disk
fingerprint
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2011202516295U
Other languages
Chinese (zh)
Inventor
陈虎
陈思桐
奚建清
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
South China University of Technology SCUT
Original Assignee
South China University of Technology SCUT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by South China University of Technology SCUT filed Critical South China University of Technology SCUT
Priority to CN2011202516295U priority Critical patent/CN202217282U/en
Application granted granted Critical
Publication of CN202217282U publication Critical patent/CN202217282U/en
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Links

Images

Landscapes

  • Storage Device Security (AREA)

Abstract

The utility model discloses a safety data memory system based on a finger print universal serial bus (USB) flash disk and a virtual machine, which comprises a USB flash disk and a computer management end for backing up, restoring and encrypting mapping files in the USB flash disk, changing USB flash disk logging passwords and finger prints, and generating a secret key. The USB flash disk comprises a finger print identification module, a main control chip, a USB port for connecting the computer management end and an external FLASH chip for storing a boot strap program, a bottom layer operation system and a virtual machine managing device. The main control chip is respectively connected with the finger print identification module, the external FLASH chip and the USB port. The safety data memory system reduces possibility of catching virus of the USB flash disk, prevents important information from losing, and enables users to have a plurality of virtual machine encrypted backups. If the users need to open a virtual machine which is suspected to have virus, a virtual machine with lower safety level is adopted. Contents with high safety requirements can be stored on a safe virtual machine.

Description

A kind of secure data storage system based on fingerprint U disk and virtual machine
Technical field
The utility model relates to technical field of data storage, is specifically related to a kind of secure data storage system based on fingerprint U disk and virtual machine.
Background technology
Under the environment that today, this high speed information expanded; Mobile storage instrument such as USB flash disk because itself have easy to use, transmission fast, advantages such as security performance height, in exchanges data frequent day by day today, no matter be the individual; Or specialty or enterprise customer; All tend to carry out with USB flash disk the preservation of significant data, this use pattern itself proposes new requirement to properties of product, i.e. security is even more important.
Much human select will important or secret file storage in USB flash disk, rather than be placed on the hard disk the inside of computing machine for a long time, so become the most important thing of protected data safety with the mobile storage instrument headed by the USB flash disk.
But information security is an insoluble problem all the time.There are problems in conventional authentication and cipher mode based on password and have more and more satisfied not the specific (special) requirements of some responsive occasion.Biometric identity authentication techniques and encryption mechanism are organically combined, can utilize permanently effective that uniqueness, the irreplaceability of biological characteristic ensure information security, stop thoroughly that password and key are forgotten, stolen, the phenomenon that is cracked.Biometric identity authentication techniques and encryption mechanism are organically combined, a kind of safer, file encryption Managed Solution easily can be provided.
Present most popular living creature characteristic recognition system is the fingerprint recognition system.Because fingerprint is unique, there is not identical fingerprint, can guarantee like this by authentication object and the strict between the two one-to-one relationship of identity foundation that needs checking; Fingerprint is relatively-stationary, is difficult to change, and can guarantee the long-term effectiveness of security information; Adopt leading living body finger print recognition technology, stop to use the possibility of the mode deception device that finger print duplicates, guarantee that confidential data can't be falsely used, steal and distort by the people.
And in movable storage device, what people often used is the operating system on the PC, particularly windows98/2000/2003/XP operating system.In daily life, emerge in an endless stream to the virus of movable memory equipment, these viruses trespass movable memory equipments, and data on the illegal fetch equipment even rewrite the file of the inside cause the data of the inside to be destroyed and can't normally to use.Because the strong characteristics of movability of movable memory equipment; Tend to cause an equipment to poison; Other computer that used this equipment is also by the situation of cross-infection, even when user during with same PC of other storage device access, the infected again situation of this memory device.Thus it is clear that, when we use the operating system access movable memory equipment on the PC, have huge information security risk.
Because the importance of information privacy, make that the mobile storage disc based on encryption technology emerges in an endless stream on the present market.The common feature of these encrypted U disks is both to have can be used as general USB flash disk to use, and also can be used as encryption disc simultaneously and uses.The means that these products adopt encryption technology and chip firmware development to combine usually, and on PC, set up the software of a managing encrypted USB flash disk, the method that combines through soft or hard guarantees security.The some of them encrypted U disk has also used fingerprint identification technology.
Here we use Sky, Shenzhen occasion science and technology electronicsThe encrypted U disk of company limited is that example analyzes what relative merits the encrypting fingerprint USB flash disk has.The encrypted U disk of the said firm can use fingerprint to land USB flash disk, and vital document is carried out encryption and decryption.USB flash disk is divided into two districts, and one is the public area, can be as the database of common U disk; One is encrypted area, adopts fingerprint or password to open, and with document storage at encrypted area.The way of usually encrypting is to deposit after utilizing software on the PC that file is encrypted, and perhaps through the chip on the USB flash disk data that leave encrypted area in is encrypted totally.Mode through such guarantees safety of data.
Can find that through analyzing the software that the management of encrypted U disk, the encryption and decryption of data, the functions such as management of fingerprint all need operate on the PC is supported.Done some drawbacks like this, be listed below:
1, software receives the wooden horse monitoring on the PC easily, and decrypted data is exposed to the internal memory the inside after all, and the PC at place possibly existed by some virus that reads internal storage data.
2, software need be kept at the USB flash disk the inside; When using with software copy to PC; Caused the compatibility issue of software on operating system like this, might operating system not support this software, to Macintosh, just can not move such as software copy with Windows.
3, the USB flash disk significant data can not back up, if the USB flash disk file system format damages, will cause loss of vital data.
Therefore, the product on the market does not in fact also reach tight security and reliability.Encrypting fingerprint USB flash disk+operating system+virtual machine technique that native system adopts can effectively solve an above difficult problem, makes up one and lets the relieved security system of user more.
The utility model content
The purpose of the utility model is to overcome the above-mentioned deficiency that prior art exists; A kind of secure data storage system based on fingerprint U disk and virtual machine is provided; Through the method for the utility model, can be the security system that the user provides a high security and ease for use, this system is memory carrier with the encrypted U disk; Utilize the fingerprint authentication technology to carry out authentication; And an integrated small-sized (SuSE) Linux OS (user is invisible) on USB flash disk, a plurality of windows operating systems based on the Virtualbox software virtual machine of operation on the operating system are to meet consumers' demand.In addition; At the management software (being installed on the said computer management end) that also has a management USB flash disk on user's windows platform trusty; As long as this software operates on the privately owned PC of user; USB flash disk or the like function is videoed, repaired to the fingerprint, the backup disk that are mainly used on the management USB flash disk, and a key generates USB flash disk etc.The utility model is realized through following technical scheme.
Based on the secure data storage system of fingerprint U disk and virtual machine, comprise a USB flash disk and a computer management end that is used for image file, modification USB flash disk login password and fingerprint and generation key on the backup and reduction encrypted U disk; Said USB flash disk comprises fingerprint identification module, main control chip, be used for the USB interface that is connected with said computer management end and be used to store the outside FLASH chip of boot, underlying operating system, virtual machine manager, and said main control chip is connected with USB interface with said fingerprint identification module, outside FLASH chip respectively.
Said main control chip comprises the inside FLASH that is used for storage key, login password and fingerprint template.The x86 computing machine of said computer management end for supporting that USB starts.
The secure data storage method of said system comprises the steps:
Step 1, utilize the computer management end that common U disk is carried out initial setting up; Make USB flash disk install boot, underlying operating system (not comprising the software that has nothing to do with the present invention), the virtual machine manager of basic running environment are provided; Can move one or more windows operating systems on the said virtual machine manager, the virtual disk image file of windows operating system also exists above the USB flash disk;
Step 2, USB flash disk is inserted on the x86 computing machine, selects to start from USB flash disk; The USB flash disk boot is written into the internal memory channeling conduct, prompting input fingerprint or password;
Step 3, input fingerprint or password, checking gets into next step through the back, otherwise the prompting failure;
Step 4, boot guiding underlying operating system, back operation virtual machine manager automatically finishes;
Step 5, entering virtual machine manager interface; The operation of selection virtual machine; On windows operating system service data, store data or install and use application software, said virtual machine manager reads the key of USB flash disk the inside automatically and automatically data is carried out the encryption and decryption operation in this process.
Above-mentioned secure data storage method, step 1 further comprises:
(1) insert USB flash disk to the computer management end, adopt USB flash disk initial password login USB flash disk, changing the USB flash disk mode of operation is login mode;
(2) the computer management end formats USB flash disk; Boot, underlying operating system, virtual machine manager are installed to the outside Flash of USB flash disk main control chip; Simultaneously boot, underlying operating system, virtual machine manager are generated an integrity verification sign indicating number, the integrity verification sign indicating number exists on the inner Flash of USB flash disk main control chip;
(3) the computer management end generates key automatically; Key is stored on the inner Flash of USB flash disk main control chip; The computer management end generates the virtual disk image file of encrypting with key; This document is a Windows operating system virtual disk image file that can move, and leaves on the outside Flash of main control chip;
(4) utilize computer management end registered user fingerprint to the USB flash disk the inside, revise the USB flash disk initial password.
Above-mentioned secure data storage method; In the step 2; Also with USB flash disk as a credible platform module, boot, underlying operating system, virtual machine manager are carried out the code integrity checking, proof procedure is following: by boot to self, the code of operating system, virtual machine manager generates an integrity verification sign indicating number; And send into USB flash disk and exist the integrity verification sign indicating number among the inner Flash of USB flash disk main control chip to compare, unanimity is then pointed out input fingerprint or password.
Above-mentioned secure data storage method is to start from USB flash disk with x86 computer installation earlier in the step 2.
Above-mentioned secure data storage method in the step 5, is moved a plurality of virtual machines, each virtual function separate, stored data or use data.
Above-mentioned secure data storage method; Said underlying operating system is invisible to the user; And the virtual disk image file is to leave on the outside Flash of USB flash disk main control chip with the form of encrypting; Key is kept on the inner Flash of USB flash disk main control chip, has only integrity verification correctly just can obtain key through reaching the input of password or fingerprint.
In the above-mentioned secure data storage method, also utilize the computer management end that the image file of encrypting in the USB flash disk is backuped on the computing machine, if system crash recovers USB flash disk through the computer management end.
In the above-mentioned secure data storage method, scsi command is expanded, made USB flash disk support readwrite key, read-write password, registered fingerprint, checking fingerprint, integrity verification or fingerprint login feature; Said USB flash disk has two states: a kind of is logging status not, possesses the function that existing USB flash disk read and stored data, possesses integrity verification and user's login feature simultaneously; Another kind is a logging status, supports readwrite key, read-write password, registered fingerprint and checking fingerprint function.
In the above-mentioned secure data storage method, the USB flash disk firmware adopts the Bulk-Only agreement to communicate, and this agreement adopts CBW bag and CSW bag to carry out exchanges data, and scsi command is to be encapsulated in the CBW bag; CSW is the state bag that USB device returns, the success or not of expression operation; In the communication process of USB flash disk firmware and computing machine, comprise CBW, CSW, three kinds of Content of Communication of data.
In the above-mentioned secure data storage method, underlying operating system is small-sized customizable operating system, only needs to satisfy the requirement of operation virtual machine running environment; Virtual machine is deciphered in the reading encrypted reflection; When writing crypto image, encrypt; AES adopts standard RC4 stream cipher variant, and the key of RC4 is a virtual disk image file disk block number and the XOR result of the key that is stored in USB flash disk, and RC4 is different to the random number of each virtual disk blocks generation; Random number and virtual disk blocks content are carried out XOR encrypt exactly, XOR is deciphered exactly again;
Said virtual machine manager interface is the software that is installed in above the underlying operating system, is used to point out which virtual machine to use, and the managing virtual machines state, and these states comprise startup, suspend, wake up and stop;
Said computer management end is the management end that is installed on the x86 computing machine, and when starting management end, the user must insert USB flash disk earlier, and inputing fingerprint or password then just can the entrance management program, just can carry out the said operation of step 1.
Compared with prior art, the utlity model has following advantage and technique effect:
(1) effectively solve the data security potential problem of running in the real life, the burst disk of comparing on the market has higher security;
(2) the utility model not merely is the method for the store data of a safety, but also is a security system that comprises trusted operating system and trusted software.Can use on other people computer the software that uses USB flash disk and need not install;
(3) combine biological fingerprint technology and Intel Virtualization Technology, cryptographic technique, utilized fingerprint as identity identifying technology to make up higher security system, and the information source of having utilized fingerprint to generate as key;
(4) USB flash disk is from tape operation system, can be on the x86PC of a plurality of different operating systems machine migration data, the virus above the PC of protecting from infection.
(5) Intel Virtualization Technology can guarantee the backup and the recovery of significant data, and can move a plurality of virtual opetrating systems simultaneously, with the demand for security of difference various tasks; Can move two above virtual machines simultaneously, one is used for online, and one is used for special security information and handles, even poisoning online time the so can not cause losing of vital document yet;
(6) user is easy to use, and reliability is high.
In a word; Under the prerequisite that the utility model can guarantee data security; User operation is reduced to minimum, the user promptly can use encrypted U disk as common U disk, have in data security under the situation of demand; Also can use, and the operating system that carries makes more convenient in the use of application software, more relieved as encryption disc.
Description of drawings
Fig. 1 is based on the secure data storage system synoptic diagram of fingerprint U disk and virtual machine in the embodiment.
Fig. 2 is based on the hardware configuration synoptic diagram of fingerprint U disk in the embodiment.
Fig. 3 is the functional schematic of management end in the embodiment.
Fig. 4 is the high-level schematic functional block diagram of USB flash disk firmware in the embodiment.
Fig. 5 is the treatment scheme synoptic diagram of USB flash disk firmware in the embodiment.
Fig. 6 is the guiding proof procedure figure of USB flash disk boot in the embodiment.
Fig. 7 must use process flow diagram for USB flash disk among the embodiment.
Fig. 8 is the course of work synoptic diagram of Virtual Machine Manager program behind the entering Virtual Machine Manager program interface.
Embodiment
Be described further below in conjunction with the embodiment of accompanying drawing, but enforcement of the utility model and protection domain are not limited thereto the utility model.
Like Fig. 1 and Fig. 2,, comprise a USB flash disk and a computer management end that is used for image file, modification USB flash disk login password and fingerprint and generation key on the backup and reduction encrypted U disk based on the secure data storage system of fingerprint U disk and virtual machine; Said USB flash disk comprises fingerprint identification module, main control chip, be used for the USB interface that is connected with said computer management end and be used to store the outside FLASH chip of boot, underlying operating system, virtual machine manager, and said main control chip is connected with USB interface with said fingerprint identification module, outside FLASH chip respectively.
This embodiment is memory carrier with the encrypted U disk; Utilize the fingerprint authentication technology to carry out authentication; An and integrated small-sized (SuSE) Linux OS (user is invisible) on USB flash disk; The a plurality of windows operating systems based on the Virtualbox software virtual machine of operation in the system are to meet consumers' demand.
In addition; The management software (said computer management end) that on user's windows platform trusty, also has a management USB flash disk; As long as this software operates on the privately owned PC of user; USB flash disk or the like function is videoed, repaired to the fingerprint, the backup disk that are mainly used on the management USB flash disk, and a key generates USB flash disk etc.
It is quite simple that the user uses the process of this USB flash disk.As long as the fingerprint of registration oneself also indicates to generate what virtual XP operating systems on management software; The management software meeting is automatic to add overstocked image file with USB flash disk format, generation key, installation (SuSE) Linux OS, installation virtual machine etc., generation; And exist USB flash disk to get among the flash file, make up an encrypted U disk that can on other computing machines, move at last.
The user needs only the USB port that USB flash disk is inserted PC, and system is set to start from USB flash disk, and after the integrity verification success, boot can be verified user fingerprints, and the user inputs fingerprint or password (when fingerprint is disabled).Success promptly gets into the virtual machine interface and selects interface (Linux community's face conductively-closed has been fallen), is selected the virtual machine that uses and is moved it by the user.The user can be kept at significant data on the virtual machine, adopts another virtual machine in the time of online, to guarantee safety of data.Because the reflection of virtual machine leaves on the USB flash disk, and virtual machine makes that through transforming image file is to leave on the USB flash disk with the form of encrypting.Like this; Script needs overall encrypting storing data just to become only needs the crypto image file to get final product, and has reduced the processing time, and this USB flash disk can be used as existing USB flash disk use; The image file of general data and encryption stores together; Key is kept on the inner Flash of USB flash disk main control chip, have only integrity verification correctly just can obtain key through reaching the input of password or fingerprint, and the user can utilize management software often the image file of encrypting to be backuped on the management software; If system crash can recover through management software.The user does not worry that USB flash disk loses, even lost, others does not have fingerprint to get into not system yet.The process of said integrity verification is following: by boot to self, the code of operating system, virtual machine manager generates an integrity verification sign indicating number; And send into USB flash disk and exist the integrity verification sign indicating number among the inner Flash of USB flash disk main control chip to compare, unanimity is then pointed out input fingerprint or password.
Instance below in conjunction with concrete is described further.
Fig. 2 is the hardware configuration synoptic diagram of fingerprint U disk, emerging SOC encryption chip during the main control chip of this embodiment adopts, and chip internal has inside flash and the used DRAM internal memory of working procedure of depositing firmware program and key.Outside connect a FLASH chip, be formatted into FAT16 or FAT32, can deposit user data, boot, operating system, crypto image file, size can be for 1G to 8G etc.Main control chip is also integrated USB interface is used for communicating by letter with the USB interface of PC, and main control chip also is connected with fingerprint module.
On the flash of the inside of USB flash disk, depositing firmware program, this program is the important procedure that is used to control the USB flash disk behavior.Firmware program is divided into two patterns (two states of corresponding USB flash disk), and one is login mode, and another is a login mode not, is login mode not when initialization powers on.The user can adopt password or fingerprint to land.Can only adopt the password form to land when using for the first time, after having registered fingerprint, just can adopt fingerprint to land later on.If be in not under the login mode, USB flash disk is equivalent to common U, can deposit user data, can carry out login feature and integrity verification function.And be under the login mode, firmware can access the content of inner flash, mainly be to deposit key and fingerprint template, also can rewrite critical functions such as landing password.Firmware is also being born the function of fingerprint authentication, fingerprint register.These functions must be called under login mode.Firmware program adopts scsi command to communicate by letter with the driver on the PC through USB interface.
Outside FLASH is exactly the place of our the normal USB flash disk store data of saying.This FLASH is that the user is visible, can deposit various information after being formatted into FAT16 form or FAT32 form.Our system does not adopt totally and encrypts, relevant below will being mentioned to of encrypting.Shown in last information of depositing of FLASH such as the table 1 (n crypto image file number, yes, N representes several), method for expressing is wrong.
Table 1
Boot (SuSE) Linux OS Crypto image file 1 ...... Crypto image file n His user data
The fundamental purpose of boot is the pilot operationp system, and boot is communicated by letter with firmware program in guiding, carries out authenticating user identification.Boot can point out the user to import fingerprint, if the fingerprint of input is user's a fingerprint, then can get into login mode, if mistake has then guided not system.In a word, only, user's fingerprint just can let firmware land module after verifying successfully through the fingerprint module on the USB flash disk.
Operating system adopts (SuSE) Linux OS, mainly is the support platform of setting up a bottom for virtual machine program.The interface of this operating system does not need the user to know, that is to say the just virtual machine that the user sees.Operating system deducts various application programs by existing puppy linux mini-system, last only remaining virtual machine program and relevant system function module, built-in function etc.The operating system of installing at last will be more than 30 about M.The root file system of operating system leaves on the USB flash disk with the form of compressed file, because the not need to be keep secret of data of operating system, so can be without the file system of cryptographic operation system.
Most important program, software virtual machine are installed on the root file system.This software virtual machine adopts the VirtualBox virtual machine of increasing income.VirtualBox is a very outstanding, the software virtual machine of increasing income that performance is good; Through rewriting the VirtualBox source code again; On VirtualBox, the process of reflection file access is carried out encryption and decryption; Be equivalent between VirtualBox and virtual machine image file, add individual middle layer, AES can adopt the RC4 stream cipher.Key is communicated by letter with firmware program through VirtualBox and is obtained.Only, the integrity verification user just can obtain key after logining success.Adopting software cryptography mainly is to have utilized PC processor processes ability, has shortened the response time of machine.The key of RC4 is a virtual disk image file disk block number and the XOR result of the key that is stored in USB flash disk; RC4 is different to the random number that each virtual disk blocks produces; Random number and virtual disk blocks content are carried out XOR encrypt exactly, XOR is deciphered exactly again.
The image file of encrypting leaves on the USB flash disk, and USB flash disk can move everywhere like this, and is not afraid of and loses, even because having lost others has found, can not obtain key and decipher.Can deposit a plurality of image files on the USB flash disk, the user can selective operation, leaves important information the image file the inside of a safety in, and other image file can be used for online, in case middle virus.
The VirtualBox software virtual machine comprises front-end and back-end two parts.Front end is exactly the interface that we see, the rear end is exactly the driving and the virtual machine kernal of being correlated with.The source code that can rewrite the disk read module is the source code that is in the virtual machine kernal part.In addition, also can utilize VirtualBoxAPI to write a convenient interface front end that uses of user again.The function of this front end mainly is to select different virtual machines to move, close, restart the better simply function of geometric ratio.Mainly be user-friendly to, and complicated originally interface is not suitable for user's use.These front-end and back-end are installed on the root file system together, and the user will eject this graphical interfaces automatically and indicate the user can use which virtual machine in case the guiding back gets into operating system.
Like Fig. 3, the appearance of the supervisory routine that relates in the inventive method (computer management end) has significantly reduced user's burden, makes the user can easily, unsuspectingly manage the thing above the USB flash disk.Supervisory routine is actually the program of a management USB flash disk that operates in above user's PC.This program can be accomplished user fingerprints and register, is provided with encryption key, preservation crypto image file, " key generates USB flash disk ", backup and recovery or the like function.Make the user use this supervisory routine can reduce operation greatly, mask details, make that being presented on the preceding security system of user plane is a supervisory routine and the operating system above the USB flash disk USB flash disk to USB flash disk.
Supervisory routine must be carried out authenticating user identification; When starting supervisory routine, the user must insert USB flash disk earlier, and importing fingerprint then just can the entrance management program; Adopt pin mode login management program when using for the first time, adopt password or the fingerprint all can the login management program later on.Utilize supervisory routine also can add, delete fingerprint, revise the password of entrance management program.No matter pass through which kind of mode, the login of supervisory routine must just can realize by USB flash disk.This usurps the problem of supervisory routine with regard to having guaranteed others.
In addition; Supervisory routine is in store user's crypto image file also; Fundamental purpose is can regenerate USB flash disk when USB flash disk breaks down perhaps file system collapse, is cracked in order to prevent the crypto image file, and key must can not be placed on above the supervisory routine; Can only be kept at above the USB flash disk, and can only read through firmware program.
Should add paragraph completeness of description checking.The position should be before the password login, after USB flash disk powers on.
The main control chip of USB flash disk emerging Z32U-Flash series security chip controller (Z32H256D32UF) in adopting.This chip is that ZTEIC is towards the safety governor application market; On multifunctional safe processing platform basis, develop, possess characteristics such as high throughput, high security, multiple interfaces, low-power consumption, low cost based on No. 2 32 risc processors of homemade Noah's ark.
This family chip can be used on the equipment such as safety encipher USB flash disk, fingerprint recognition USB KEY, high capacity USB KEY, desktop encryption equipment, desktop type VPN, high-performance card reader, handheld POS machine, encryption integrated circuit board, and the function that can realize comprises:
Key management on the sheet (key generation, key storage, key updating etc.);
Signature and authentication (can support RSA, ECC public key algorithms such as (p territories)) on the sheet;
Tailor-made algorithm is downloaded and is carried out and high data rate encryption and decryption (supporting DES/3DES algorithm and various special purpose system algorithm);
Through abundant GPIO interface, SPI/UART interface, Flash principal and subordinate interface, SRAM principal and subordinate interface, USB interface etc.
The design of USB flash disk has adopted that the Nand Flash interface above the chip connects outside flash storer, the UART mouth connects fingerprint module, USB interface and main frame and communicates, and has utilized its encryption and decryption to cause to generate key and preserve key.
Like Fig. 4, the USB flash disk firmware is the important component part of USB flash disk, and USB flash disk keeps and the communicating by letter, obtain fingerprint, call the encryption and decryption engine, control flash or the like of main frame through firmware just.Firmware program is to make why USB flash disk becomes the basic reason of encrypted U disk.In emerging chip had a firmware program; Be mainly used in initiating hardware; And encryption and decryption etc. is partially integrated in inside the firmware program, this embodiment if through programming accomplish USB interface communication, read and write outside FLASH, control fingerprint module, to call encryption and decryption engine function just passable.Present USB flash disk all adopts scsi command to carry out and the communicating by letter of main frame; This communication protocol has been standard; USB flash disk must realize that the scsi command of standard just can become common U, and functions such as relevant fingerprint, encryption and decryption engine then use privately owned scsi command to realize; Firmware need be accomplished two-part function, and one is the standard scsi command, and one is privately owned scsi command, has wherein listed the privately owned scsi command of part.
SCSI agreement and treatment scheme, the USB tissue has defined the standard of mass storage class (Mass Storage Class), and this type standard comprises four independently subclass standards, that is:
1.USB?Mass?Storage?Class?Control/Bulk/Interrupt(CBI)Transport
2.USBMass?Storage?Class?Bulk-Only?Transport
3.USB?Mass?Storage?Class?ATA?Command?Block
4.USB?Mass?Storage?Class?UFI?Command?Specification。
Preceding two sub-normalized definitions the transmission method of data/order/state on USB.The Bulk-Only transmission specification only uses the Bulk end points to transmit data/order/state, and the CBI transmission specification then uses the end points of three types of Control/Bulk/Interrupt to carry out data/order/state and transmits.Latter two cuckoo model has then defined the operational order of storage medium.The ata command standard is used for hard disk, and the UFI ordering norms is to the USB mobile storage.
The USB flash disk firmware adopts the Bulk-Only agreement to communicate, and this agreement adopts CBW and CSW to carry out exchanges data, and SCSI is encapsulated in CBW bag the inside, the state bag that the USB device of CSW returns.In the communication process of USB flash disk firmware and PC, mainly be CBW, CSW, three kinds of Content of Communication of data.Generally all be that CBW of main frame transmission wraps to equipment, equipment returns a CSW bag, and then main frame sends a CBW bag, and equipment can return the related data content.The processing procedure of USB flash disk firmware is as shown in Figure 5.
The function that the USB flash disk firmware provides should be " fingerprint management, key generate and preserve, and read key, and more new password reads password ", and these functions are encapsulated in the agreement the inside with an attribute field, enumerate out the macro definition of the function of all uses here.
Figure BDA0000076208420000071
These macro definitions are corresponding to privately owned function that firmware had; We can specify order accordingly through encapsulation CBW bag, send to firmware then and carry out correlation function by firmware; Firmware calls related function and realizes, at last through CSW state bag notice main frame execution result.
The USB flash disk firmware has two kinds of patterns, and a kind of is login mode, a kind ofly is login mode not.Initially powering on is login mode not, in case the user logins through password or fingerprint, then firmware is judged, if password or fingerprint are correct, then changes the USB flash disk pattern.At this moment, can carry out all functions of USB flash disk, can only the operative norm scsi command and be in not login mode, USB flash disk has only the function of common U disk.
Supervisory routine can be logined through interface, only after login, just can operate, and in guidance system, also can carry out login authentication, has not then got into not system through login.
In order to accomplish the specific function of privately owned scsi command; On the FLASH of the inside of USB flash disk, should specify some zones to deposit important informations such as fingerprint, key, password; And these information can only be used under login mode, and can only be obtained by firmware, can not obtain through any way in addition.
USB flash disk important information storage area form is as shown in table 2:
Table 2
10 of fingerprint templates 1 of key One of initial password
Though PC and USB flash disk firmware are to communicate through the transmission of order bag and reception; But in order to guarantee that PC supervisory routine and virtual machine program can use the function of USB flash disk easily; Seal commentaries on classics and need not all carry out order at every turn; Also, designed the general-purpose interface of PC end visit USB flash disk firmware at this in order to improve the portability of program.These interfaces are that the function of the privately owned scsi command of USB flash disk firmware is sealed commentaries on classics basically, make when calling convenient.On supervisory routine, only need call these interfaces can accomplish the program of communicating by letter with firmware, same, as long as it is all right in guiding USB flash disk and virtual machine reading encrypted reflection key, to call these interfaces.Though supervisory routine is moved on Windows, and virtual machine program is on Linux, to move, and the interface of visiting the encrypting fingerprint USB flash disk is the same, even the realization of bottom is different.These interfaces are described with the C linguistic form.As shown in table 3.
The fundamental purpose of boot is to carry out fingerprint or password login authentication; Pilot operationp system then; Boot can point out the user to import fingerprint, reads fingerprint then, and then verifies; The login of three fingerprints is unsuccessful can use password instead and login, and under the situation of not registering fingerprint, also can carry out password login (when only being used for just having dispatched from the factory).
Boot mainly be through BIOS interrupt 13 with USB flash disk on firmware communicate by letter, this time owing to be assembly level other.When firmware program fetches the request of self initializing program, just start the checking flow process of fingerprint, wait for user's brush finger line.Behind the intact fingerprint image of fingerprint collecting equipment collection, firmware program extracts the eigenwert of image, reads registered fingerprint template and contrast with it then.At last, firmware program sends the result to the boot on the main frame according to comparing result.Boot judges whether to contrast successfully according to the filling result that firmware returns, if success then get into pilot operationp system link, and firmware will carry out login mode.If previous action is then returned in failure.Proof procedure is as shown in Figure 6 during guiding.
Encrypted U disk use Fig. 7 and shown in Figure 8 is inserted into USB flash disk on the x86 computing machine, selects to start from USB flash disk; The USB flash disk boot is written into the internal memory channeling conduct, prompting input fingerprint or password; Input fingerprint or password, checking gets into next step through the back, otherwise the prompting failure; Boot guiding (SuSE) Linux OS, back operation virtual machine manager automatically finishes; Get into the virtual machine manager interface; The operation of selection virtual machine; Service data, storage data or installation application software on based on the windows operating system of Virtualbox software virtual machine, said virtual machine manager read the key of USB flash disk the inside automatically and automatically data are carried out the encryption and decryption operation in this process.
Supervisory routine (computer management end) is to operate on the supervisory computer program of system being carried out basic management.Supervisory routine can provide functions such as revising user cipher and backup.Only under the situation of login, just can carry out the operation of supervisory routine.The user can adopt password or fingerprint login, and fingerprint is empty in the time of initial, and password is an initial password.Can make amendment after user's login.Subscriber Management System for ease, supervisory routine operates on the Windows XP operating system, and possesses good interactive interface.Supervisory routine is developed on Windows XP, and developing instrument is VC 6.0.The functional module of supervisory routine can be referring to Fig. 3,
Below the VMDK file module of backup on the encrypted U disk is described further.The VMDK file is the memory file system of virtual machine, and the function of the physical hard disk of its simulation is equal to operating system on the virtual machine and physical hard disk.Therefore the used user data of native system all is to be stored in the VMDK file through VirtualBox, will back up user's data, best bet be exactly whole VMDK file copy to supervisory computer.Supervisory routine will realize this function; Xcopy that can be through calling Windows XP with API realize the VMDK on the encrypted U disk the VMDK file copy on the encrypted U disk to supervisory computer; And being saved in the file directory that the user selectes, supervisory routine becomes the VMDK file rename of duplicating the backup file on band date automatically.
The user data best bet of reduction on the encrypted U disk be the VMDK file copy of backup to encrypted U disk, cover original VMDK file.Concrete implementation method is that supervisory routine is earlier the standard of selected backup file RNTO VMDK name (removing the date); Copy to it in the encrypted U disk then; Be capped VMDK file original in the encrypted U disk; At last, the backup file RNTO on the supervisory computer originally with the name on date.
Below again other functions of supervisory routine are done explanation:
Revise password: login USB flash disk, and the login password of modification encrypted U disk.Through the interface that program provides, change the login password of encrypted U disk boot.
Revise fingerprint: login USB flash disk, and the login fingerprint of modification encrypted U disk.Through the interface that program provides, change the login fingerprint of encrypted U disk boot.
Automatically generate encryption key (key user of generation is invisible): send order and give the USB flash disk firmware, let firmware generate key, and preserve according to user's finger print information.Can read the time in the USB flash disk firmware mode for logging status.
One key generates the USB flash disk system, when first use or need regenerating USB flash disk, files such as boot, operating system, virtual machine manager, crypto image is write USB flash disk in the lump, and the user is as long as a button just can generate complete USB flash disk like this.Use this USB flash disk just can between the various computing machine, move.
Table 3

Claims (3)

1. based on the secure data storage system of fingerprint U disk and virtual machine, it is characterized in that comprising a USB flash disk and a computer management end that is used for image file, modification USB flash disk login password and fingerprint and generation key on the backup and reduction encrypted U disk; Said USB flash disk comprises fingerprint identification module, main control chip, be used for the USB interface that is connected with said computer management end and be used to store the outside FLASH chip of boot, underlying operating system, virtual machine manager, and said main control chip is connected with USB interface with said fingerprint identification module, outside FLASH chip respectively.
2. the secure data storage system based on fingerprint U disk and virtual machine according to claim 1 is characterized in that said main control chip comprises the inside FLASH that is used for storage key, login password and fingerprint template.
3. the secure data storage system based on fingerprint U disk and virtual machine according to claim 1 and 2 is characterized in that the x86 computing machine of said computer management end for supporting that USB starts.
CN2011202516295U 2011-07-15 2011-07-15 Safety data memory system based on finger print universal serial bus (USB) flash disk and virtual machine Expired - Fee Related CN202217282U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011202516295U CN202217282U (en) 2011-07-15 2011-07-15 Safety data memory system based on finger print universal serial bus (USB) flash disk and virtual machine

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011202516295U CN202217282U (en) 2011-07-15 2011-07-15 Safety data memory system based on finger print universal serial bus (USB) flash disk and virtual machine

Publications (1)

Publication Number Publication Date
CN202217282U true CN202217282U (en) 2012-05-09

Family

ID=46016525

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011202516295U Expired - Fee Related CN202217282U (en) 2011-07-15 2011-07-15 Safety data memory system based on finger print universal serial bus (USB) flash disk and virtual machine

Country Status (1)

Country Link
CN (1) CN202217282U (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104021319A (en) * 2013-12-03 2014-09-03 山东渔翁信息技术股份有限公司 Method and device for preventing read-write data from being copied
CN106548054A (en) * 2016-10-13 2017-03-29 北京握奇智能科技有限公司 It is a kind of towards PC and mobile terminal without driving personal identification number management method and equipment
CN108520172A (en) * 2017-12-29 2018-09-11 天津卓扬智联通讯有限公司 A kind of safety chip encryption of living body finger print identification can manage USB flash drive
CN112597470A (en) * 2021-01-22 2021-04-02 建投物联股份有限公司 Intelligent safe biological secret treasure system
CN117850700A (en) * 2024-01-23 2024-04-09 铵泰克(北京)科技有限公司 Method for controlling read-write of mobile storage medium file

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104021319A (en) * 2013-12-03 2014-09-03 山东渔翁信息技术股份有限公司 Method and device for preventing read-write data from being copied
CN104021319B (en) * 2013-12-03 2017-02-15 山东渔翁信息技术股份有限公司 Method and device for preventing read-write data from being copied
CN106548054A (en) * 2016-10-13 2017-03-29 北京握奇智能科技有限公司 It is a kind of towards PC and mobile terminal without driving personal identification number management method and equipment
CN108520172A (en) * 2017-12-29 2018-09-11 天津卓扬智联通讯有限公司 A kind of safety chip encryption of living body finger print identification can manage USB flash drive
CN112597470A (en) * 2021-01-22 2021-04-02 建投物联股份有限公司 Intelligent safe biological secret treasure system
CN117850700A (en) * 2024-01-23 2024-04-09 铵泰克(北京)科技有限公司 Method for controlling read-write of mobile storage medium file

Similar Documents

Publication Publication Date Title
CN102254119B (en) Safe mobile data storage method based on fingerprint U disk and virtual machine
CN101436247B (en) Biological personal identification method and system based on UEFI
US9047486B2 (en) Method for virtualizing a personal working environment and device for the same
EP2335181B1 (en) External encryption and recovery management with hardware encrypted storage devices
US8375437B2 (en) Hardware supported virtualized cryptographic service
CN100552690C (en) Data managing method
US9881183B2 (en) System and method for recovering from an interrupted encryption and decryption operation performed on a volume
CN107003866A (en) The safety establishment of encrypted virtual machine from encrypted template
US7840795B2 (en) Method and apparatus for limiting access to sensitive data
CN202217282U (en) Safety data memory system based on finger print universal serial bus (USB) flash disk and virtual machine
US7818567B2 (en) Method for protecting security accounts manager (SAM) files within windows operating systems
JP2005166049A (en) Memory storage device having fingerprint sensor, and method for protecting data stored therein
CN109614799B (en) Information authentication method
JP5689429B2 (en) Authentication apparatus and authentication method
CN201126581Y (en) Biological personal identification apparatus based on UEFI
CN102024115B (en) Computer with user security subsystem
CN102819700A (en) Device and method for identifying a plurality of biological characteristics in isolation environment
US8601282B2 (en) Program and device for using second uncorrupted MBR data stored in an external storage
CN102314574A (en) HID (human interface device)-based method for setting access rights of host machine
US8190813B2 (en) Terminal apparatus with restricted non-volatile storage medium
CN103870769B (en) Method and system for protecting magnetic disk
US20070150746A1 (en) Portable storage with bio-data protection mechanism & methodology
CN201845340U (en) Safety computer provided with user safety subsystem
CN113302598B (en) Electronic data management device, electronic data management system, and method used therefor
JP2003208234A (en) Software recording part separation type information processor and software managing method

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120509

Termination date: 20150715

EXPY Termination of patent right or utility model