CN205029678U - Secure communication system based on USB agreement - Google Patents
Secure communication system based on USB agreement Download PDFInfo
- Publication number
- CN205029678U CN205029678U CN201520629151.3U CN201520629151U CN205029678U CN 205029678 U CN205029678 U CN 205029678U CN 201520629151 U CN201520629151 U CN 201520629151U CN 205029678 U CN205029678 U CN 205029678U
- Authority
- CN
- China
- Prior art keywords
- module
- information
- analysis module
- communication system
- usb device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Landscapes
- Storage Device Security (AREA)
Abstract
The utility model relates to a secure communication system based on USB agreement, the system includes USB equipment and certificate server, certificate server comprises server hardware, USB equipment and certificate server contain an interface at least for the visit of establishhing is between the two connected, including communication module, identity verification module, an analysis module, the 2nd analysis module, cryptographic module, processing module and man -machine interaction module, identity verification module is for can edit recognition chip, but an analysis module and the 2nd analysis module are the edit check chip. The beneficial effects of the utility model are that: the utility model discloses a safety check and verification are establish with USB equipment to the PC end, have improved the security of host computer, and the effectual the host system that has protected goes to verify at identity information through USB equipment and the long -range acting server of the third party true and false to have promoted the security of host computer once more through USB equipment.
Description
Technical field
The utility model belongs to communication technical field, is specifically related to a kind of safe communication system based on usb protocol.
Background technology
Along with the lifting of Internet technology, various remote agent server concept is popularized and the expansion of technology, increasing equipment is undertaken browsing access by the long-range connection computer of self chip, some may be that some adopt the remote agent server packed and forge, this is subject to serious impact with regard to causing the fail safe of computer, along with the equipment connected may carry the safety that multiple potential problems threaten computer.Comprehensive Verification System does not go the true and false identifying third party's remote agent server so far.
Utility model content
In order to solve the problems referred to above that prior art exists, the utility model provides a kind of safe communication system based on usb protocol.The utility model, by carrying out safety inspection and checking in the digital identity mark of PC end to USB device main control chip, improves the fail safe that main frame loads USB device, effectively protects host computer system; Being connected by setting up hold with PC credible, having ensured the fail safe of third party by USB device remote access host.
The technical scheme that the utility model adopts is:
Based on a safe communication system for usb protocol, its improvements are: described system comprises USB device and certificate server;
Described certificate server is made up of server hardware, and described USB device and certificate server at least comprise an interface, connects for the access of setting up between the two;
Described certificate server comprises communication module, authentication module, the first analysis module, the second analysis module, encrypting module, processing module and human-computer interaction module;
Described authentication module is for can edit identification chip; Described first analysis module and the second analysis module are can edit check chip.
Preferably, described communication module comprises collecting unit and request unit;
Described collecting unit intercoms mutually with described request unit, for intercepting and capturing the Dynamic System request sent by request unit; And receive cannot distort in described request unit and carry unique digital identities mark digital certificate information.
Preferably, described communication module connects with authentication module, triggers the identity information of described authentication module to USB device and identifies.
Preferably, described authentication module and the first analysis module are interconnected by CAN or data/address bus, when identity information is effective, perform integrity degree verification by described first analysis module; Verification is passed through, and sets up credible connection with certificate server; When identity information is invalid, push to processing module by this invalid identity with the warning information of unsafe condition mark by described first analysis module.
Preferably, described first analysis module performs integrity degree verification for the integrity information receiving USB device; Utilize dynamic measurement method to verify local dynamic measurement digest value, verify and legally send credible connection certification to USB device afterwards; Send signal to described encrypting module to be encrypted verify data simultaneously.
Preferably, described second analysis module holds initiation to set up credible connection request by USB device to PC for verifying remote agent server, carries out Service Privileges mark in remote agent server and holds the capability identification of USB device in the service list of white list storehouse to verify with PC.
Preferably, described processing module, for controlling whole system, receives the integrity degree check results that described first analysis module sends, and is sent to described human-computer interaction module with the form of figure and form.
Preferably, described human-computer interaction module is used for the integrity degree check results of display system.
Preferably, described connection certification is comprised the tcp connection certification transmitted by openssl and is connected certification with udp.
A kind of safe communication system based on usb protocol according to claim 1, is characterized in that: described processing module comprises information maintenance unit and synchronizing information unit;
Described information maintenance unit is connected with synchronizing information unit, for synchronizing information cell formation deposits the white list of the USB device information setting up credible connection.
The beneficial effects of the utility model are:
First the utility model sets up safety inspection and checking by PC end with USB device; improve the fail safe of main frame; effectively protect host computer system; going to verify the true and false by the identity information of USB device and third party's remote agent server; even if third party's remote agent server existing problems also can be found by PC end and take the necessary measures the very first time like this, again improved the fail safe of main frame by USB device.
Accompanying drawing explanation
Fig. 1 is a kind of safe communication system structural representation based on usb protocol that the utility model provides.
Embodiment
As shown in Figure 1, the utility model provides a kind of safe communication system based on usb protocol, comprises USB device and certificate server;
Certificate server is made up of server hardware, and described USB device and certificate server at least comprise an interface, connects for the access of setting up between the two.
Described certificate server comprises communication module, authentication module, the first analysis module, the second analysis module, encrypting module, processing module and human-computer interaction module;
Authentication module is for can edit identification chip; Described first analysis module and the second analysis module are can edit check chip.
Communication module comprises collecting unit and request unit;
Collecting unit intercoms mutually with described request unit, for intercepting and capturing the Dynamic System request sent by request unit; And receive cannot distort in described request unit and carry unique digital identities mark digital certificate information.
Communication module connects with authentication module, triggers the identity information of described authentication module to USB device and identifies.
Authentication module and the first analysis module are interconnected by CAN or data/address bus, when identity information is effective, perform integrity degree verification by described first analysis module; Verification is passed through, and sets up credible connection with certificate server; When identity information is invalid, push to processing module by this invalid identity with the warning information of unsafe condition mark by described first analysis module.
First analysis module performs integrity degree verification for the integrity information receiving USB device; Utilize dynamic measurement method to verify local dynamic measurement digest value, verify and legally send credible connection certification to USB device afterwards; Send signal to described encrypting module to be encrypted verify data simultaneously;
Second analysis module holds initiation to set up credible connection request by USB device to PC for verifying remote agent server, carries out Service Privileges mark in remote agent server and holds the capability identification of USB device in the service list of white list storehouse to verify with PC.
Processing module, for controlling whole system, receives the integrity degree check results that described first analysis module sends, and is sent to described human-computer interaction module with the form of figure and form.
Human-computer interaction module is used for the integrity degree check results of display system.
Connection certification is comprised the tcp connection certification transmitted by openssl and is connected certification with udp.
Processing module comprises information maintenance unit and synchronizing information unit;
Information maintenance unit is connected with synchronizing information unit, for synchronizing information cell formation deposits the white list of the USB device information setting up credible connection.
A kind of safe communication system specific implementation based on usb protocol that the utility model provides is:
USB device is inserted PC end interface, intercept and capture the Dynamic System request sent by USB device; Identity information is that main control chip cannot be distorted and carries digital certificate and the validity information of unique digital identities mark.
The existing way of the digital identity mark of main control chip can be but be not limited to digital certificate mode; Described digital certificate is the digital signature formed under multiple cryptosystem, includes but not limited to PKI, IBE/IBC, CPK system.
The identity information of triggering authentication server to described USB device identifies, judges its validity according to recognition result;
The identity information of checking USB device, the non-repudiation namely verifying USB main control chip, the digital identity mark that can not distort.PC holds that certificate server can adopt the operating system servers such as BIOS, (U) EFI, embedded OS and Chip Operating System, checking USB device can not be distorted, the digital identity of non-repudiation mark is realized by challenge response mode, the privately owned mode such as to communicate with code telegram; The algorithm used in the identity information process of described checking USB device, comprises unsymmetrical key (PKI, private key) cryptographic algorithm and digital digest algorithm etc.
Wherein, asymmetric key cipher (PKI, private key) algorithm uses two keys: public-key cryptography and private cipher key, be respectively used to the encryption and decryption to data, if be namely encrypted data with public-key cryptography, only had and just can be decrypted with corresponding private cipher key; If be encrypted data with private cipher key, then only had and could decipher with corresponding public-key cryptography.
Digital digest algorithm (DigitalDigest) is also referred to as being safe HASH compiling method (SHA:SecureHashAlgorithm).Digital digest algorithm is used for carrying out computing information generated summary to the data that will transmit, it is not a kind of encryption mechanism, but can produce the numeral " fingerprint " of information, its object is not modified in order to ensure data or changes, and the integrality of guarantee information is not destroyed.
If identity information is effective, again perform integrity degree verification; Verification is passed through, and sets up hold with PC credible and is connected;
The identity information of USB device comprise following one of at least: type information, type information, version number information, supplier information, digital signature information, effective date, Expiration Date etc.; Again perform integrity degree verification to comprise, PC termination receives the integrity information of USB device, utilizes dynamic measurement method to verify local dynamic measurement digest value, verifies legally to send credible connection certification to USB device afterwards; And verify data is encrypted.
Connection certification comprises tcp connection certification and is connected certification with udp; Encryption adopts the close SM algorithm of state and aes algorithm encryption, and is transmitted by openssl.
When the identity information inspection of USB device with after being verified, set up hold with PC credible and be connected; Remote agent's server holds initiation to set up credible connection request by USB device to PC; This request of PC end response; Start PC and hold credible platform, registration service bus; Accept remote agent's server connection request; After the Information Authentication that two access rights identify all is passed through, credible connection request is set up in response; Receive remote agent's server service request, generate remote browse instruction;
The Information Authentication of two access rights mark is not passed through, then show pushing on PC end display with the warning information of unsafe condition mark in this remote agent's server.
Specific embodiment comprises: USB device (capability identification 0x00000001) remote agent's server (Service Privileges mark 0x00000001).When remote agent server initiates request by USB device to PC end, use Service Privileges mark 0x00000001, ask after PC end is by intercepting and capturing, utilize PC to hold credible platform to extract the Service Privileges mark 0x00000001 of remote agent server, in the service list of local white list storehouse, find the capability identification of USB device simultaneously; And extract the capability identification 0x00000001 of USB device; The Subjective and Objective capability identification of user and service is carried out XOR (0x00000001xor0x00000001=0), judges to pass through, then allow it to initiate remote browse request.
White list storehouse is set, for depositing the USB device information setting up credible connection; Wherein, described white list storehouse, comprises local white list storehouse, network white list storehouse and interim white list storehouse;
Local white list storehouse, when program initialization is installed, is generated by scan interface scanning; Described scan interface, comprises program mounting interface, software scans interface and GetIpUpDown scan interface.
Wherein, network white list storehouse comprises: when PC end is by setting up the USB device information reporting of credible connection to administrative center, automatically generated by administrative center; And all whitelist file are all kept in whitelist file, provide anti-tampering protection to all information in white list storehouse, forbid unauthorized act of revision, prevent from renaming, changing position, revised context and deletion action;
In default situations, the executive program only allowing ROMPaq and ROMPaq to create increases the executive program in white list storehouse, delete, changes operation, amended executable program is kept in temporary file, is written to by temporary file in interim white list storehouse after system reboot to be operated.
If identity information is invalid or set up the credible connection failure of holding with PC, the warning information marked is pushed to PC hold with unsafe condition;
When USB device identity information inspection and verify invalid, then directly stop PC end and USB device, and in being held by PC, certificate server shows pushing on PC end display with the warning information of unsafe condition mark in this invalid identity, thus effectively protect the safety of computer host system;
That holds as remote agent's server and PC is crediblely connected, and the Information Authentication of two access rights mark is not passed through, then hold on display show pushing to PC with the warning information of unsafe condition mark in this remote agent's server.
Such as: USB device (capability identification 0x00000001) remote agent's server (Service Privileges mark 0x00000000).When remote agent server initiates request by USB device to PC end, use Service Privileges mark 0x00000000, ask after PC end is by intercepting and capturing, utilize PC to hold credible platform to extract the Service Privileges mark 0x00000000 of remote agent server, in the service list of local white list storehouse, find the capability identification of USB device simultaneously; And extract the capability identification 0x00000001 of USB device; Because its authority judges not by (0x00000000xor0x00000001=1), then not allow it to initiate remote browse request, and show pushing on PC end display with the warning information of unsafe condition mark in this remote agent's server.
The utility model is not limited to above-mentioned preferred forms; anyone can draw other various forms of products under enlightenment of the present utility model; no matter but any change is done in its shape or structure; every have identical with the application or akin technical scheme, all drops within protection range of the present utility model.
Claims (10)
1. based on a safe communication system for usb protocol, it is characterized in that: described system comprises USB device and certificate server;
Described certificate server is made up of server hardware, and described USB device and certificate server at least comprise an interface, connects for the access of setting up between the two;
Described certificate server comprises communication module, authentication module, the first analysis module, the second analysis module, encrypting module, processing module and human-computer interaction module;
Described authentication module is for can edit identification chip; Described first analysis module and the second analysis module are can edit check chip.
2. a kind of safe communication system based on usb protocol according to claim 1, is characterized in that: described communication module comprises collecting unit and request unit;
Described collecting unit intercoms mutually with described request unit, for intercepting and capturing the Dynamic System request sent by request unit; And receive cannot distort in described request unit and carry unique digital identities mark digital certificate information.
3. a kind of safe communication system based on usb protocol according to claim 1, is characterized in that: described communication module connects with authentication module, triggers the identity information of described authentication module to USB device and identifies.
4. a kind of safe communication system based on usb protocol according to claim 1, it is characterized in that: described authentication module and the first analysis module are interconnected by CAN or data/address bus, when identity information is effective, perform integrity degree verification by described first analysis module; Verification is passed through, and sets up credible connection with certificate server; When identity information is invalid, push to processing module by this invalid identity with the warning information of unsafe condition mark by described first analysis module.
5. a kind of safe communication system based on usb protocol according to claim 1, is characterized in that: described first analysis module performs integrity degree verification for the integrity information receiving USB device; Utilize dynamic measurement method to verify local dynamic measurement digest value, verify and legally send credible connection certification to USB device afterwards; Send signal to described encrypting module to be encrypted verify data simultaneously.
6. a kind of safe communication system based on usb protocol according to claim 1, it is characterized in that: described second analysis module holds initiation to set up credible connection request by USB device to PC for verifying remote agent server, carrying out Service Privileges mark in remote agent server and holding the capability identification of USB device in the service list of white list storehouse to verify with PC.
7. a kind of safe communication system based on usb protocol according to claim 1, it is characterized in that: described processing module is for controlling whole system, receive the integrity degree check results that described first analysis module sends, and be sent to described human-computer interaction module with the form of figure and form.
8. a kind of safe communication system based on usb protocol according to claim 1, is characterized in that: described human-computer interaction module is used for the integrity degree check results of display system.
9. a kind of safe communication system based on usb protocol according to claim 1, is characterized in that: described connection certification is comprised the tcp connection certification transmitted by openssl and is connected certification with udp.
10. a kind of safe communication system based on usb protocol according to claim 1, is characterized in that: described processing module comprises information maintenance unit and synchronizing information unit;
Described information maintenance unit is connected with synchronizing information unit, for synchronizing information cell formation deposits the white list of the USB device information setting up credible connection.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201520629151.3U CN205029678U (en) | 2015-08-19 | 2015-08-19 | Secure communication system based on USB agreement |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201520629151.3U CN205029678U (en) | 2015-08-19 | 2015-08-19 | Secure communication system based on USB agreement |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN205029678U true CN205029678U (en) | 2016-02-10 |
Family
ID=55262179
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201520629151.3U Expired - Fee Related CN205029678U (en) | 2015-08-19 | 2015-08-19 | Secure communication system based on USB agreement |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN205029678U (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109905366A (en) * | 2019-01-16 | 2019-06-18 | 平安科技(深圳)有限公司 | Terminal device safe verification method, device, readable storage medium storing program for executing and terminal device |
-
2015
- 2015-08-19 CN CN201520629151.3U patent/CN205029678U/en not_active Expired - Fee Related
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109905366A (en) * | 2019-01-16 | 2019-06-18 | 平安科技(深圳)有限公司 | Terminal device safe verification method, device, readable storage medium storing program for executing and terminal device |
| CN109905366B (en) * | 2019-01-16 | 2022-03-22 | 平安科技(深圳)有限公司 | Terminal equipment safety verification method and device, readable storage medium and terminal equipment |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109361668B (en) | Trusted data transmission method | |
| CN105099705A (en) | Safety communication method and system based on USB protocol | |
| US6138239A (en) | Method and system for authenticating and utilizing secure resources in a computer system | |
| US8312272B1 (en) | Secure authentication token management | |
| CN101005361B (en) | Server and software protection method and system | |
| KR101078546B1 (en) | Apparatus for coding and decoding of security data file based on data storage unit idedtification, system for electronic signature using the same | |
| Paverd et al. | Hardware security for device authentication in the smart grid | |
| CN104735065A (en) | Data processing method, electronic device and server | |
| CN105207776A (en) | Fingerprint authentication method and system | |
| CN105740725A (en) | File protection method and system | |
| CN101661599A (en) | Method for authenticating validity of self-contained software of equipment system | |
| CN102025503A (en) | Data security implementation method in cluster environment and high-security cluster | |
| Jang et al. | Biometric Enabled Portable Trusted Computing Platform | |
| CN100334519C (en) | Method for establishing credible input-output channels | |
| US20150047001A1 (en) | Application program execution device | |
| CN112968774B (en) | Method, device storage medium and equipment for encrypting and decrypting configuration file | |
| CN114785514A (en) | Method and system for authorizing application permission of industrial Internet of things terminal | |
| CN105933117A (en) | Data encryption and decryption device and method based on TPM (Trusted Platform Module) key security storage | |
| WO2018033017A1 (en) | Terminal state conversion method and system for credit granting | |
| CN205029678U (en) | Secure communication system based on USB agreement | |
| CN116881936A (en) | Trusted computing method and related equipment | |
| CN107317925B (en) | Mobile terminal | |
| CN102025492A (en) | WEB server and data protection method thereof | |
| CN110460562A (en) | A kind of long-range Activiation method of POS terminal and system | |
| Han et al. | Scalable and secure virtualization of HSM with ScaleTrust |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20160210 Termination date: 20180819 |