CN2891502Y - Secure data transmission device - Google Patents


Info

Publication number
CN2891502Y
Authority
CN
China
Prior art keywords
module
equipment
memory
data security
transmission equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CN 200620012396
Other languages
Chinese (zh)
Inventor
陆舟
于华章
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Feitian Technologies Co Ltd
Original Assignee
Beijing Feitian Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Family has litigation
First worldwide family litigation filed litigation Critical https://patents.darts-ip.com/?family=38022161&utm_source=***_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=CN2891502(Y) "Global patent litigation dataset” by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.
Application filed by Beijing Feitian Technologies Co Ltd
Priority to CN 200620012396
Application granted
Publication of CN2891502Y
Anticipated expiration
Expired - Lifetime

Landscapes

  • Storage Device Security (AREA)

Abstract

The utility model relates to a secure data transmission device, in particular to a secure data transmission device based on an embedded system board. The device comprises a CPU, an interface chip and a memory, wherein the memory internally contains a communication protocol module for parsing the communication protocol of the embedded system board and a security module for protecting data. The communication protocol module and the security module inside the memory are each connected to the CPU. Adding the communication protocol module and the security module to the memory enables secure data transmission based on the embedded system board in the field of software protection and authentication.

Description

A secure data transmission device
Technical field
The utility model relates to a secure data transmission device, in particular to a secure data transmission device based on an embedded system platform, and belongs to the field of secure data transmission.
Background technology
With the dawn of the 21st century, mankind has entered a new era full of hope. As one of the greatest inventions of twentieth-century human society, the computer has also entered another stage full of opportunity, and people increasingly encounter a new concept: the embedded product. Mobile phones, PDAs, VCD players and the like are all embedded products, and vehicle GPS systems, numerically controlled machine tools, networked refrigerators and so on likewise use embedded systems. Digital devices in many forms are working to bring the Internet to every corner of people's lives. The widespread adoption of digital products will provide an endless driving force for the growth of the embedded software industry.
Today, embedded systems are applied with good results in many fields, such as information appliances, mobile computing devices, network equipment, industrial control, simulation and medical instruments. Devices that use embedded systems increasingly require powerful network and multimedia processing capability, easy-to-use interfaces and rich functionality. Well-known embedded systems at present include Windows CE, VxWorks, pSOS, QNX, Palm OS, OS-9, LynxOS and Linux. Embedded application software is also flourishing, and software copyright protection is extremely important in applications of embedded operating systems.
One development trend for embedded operating systems is network access. Because embedded systems do not yet have robust security mechanisms, they become targets of attack once connected to a network, and embedded systems used in network-based applications also face the security problem of authentication.
Summary of the invention
(1) Technical problem to be solved
The technical problem the utility model solves is to provide a secure data transmission device based on an embedded system platform.
(2) Technical solution
To achieve the above object, the utility model provides a secure data transmission device based on an embedded system platform.
The device comprises a central processing unit, a memory and an interface module, and further comprises an embedded system platform communication protocol module and a security module. The communication protocol module parses the communication protocol of the embedded system platform, and the security module provides data security protection. The communication protocol module is located inside the memory and is connected to the central processing unit; the security module is located inside the memory and is connected to the central processing unit.
The security module is a software protection module, which provides software encryption.
The security module may also be an identification module, which stores the user's sensitive data.
The central processing unit, interface chip and memory of the device are integrated in one microcontroller chip.
The central processing unit and memory of the device are integrated in one microcontroller chip.
The microcontroller chip is a smart card chip.
The device containing the smart card chip also comprises a flash memory, which is connected to the microcontroller chip.
The central processing unit and memory may also be integrated in a single-chip microcomputer.
The memory of the device is any of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM) or erasable programmable read-only memory (EPROM).
The data transmission method used by the utility model to solve the above technical problem has the following steps:
1) The host identifies the device.
2) The host sends a command to the device.
3) The device parses and processes the command.
4) The device responds to the application.
In the step where the host identifies the device, the host identifies the device in the manner described by the communication protocol and establishes communication with it. Because embedded system platforms still differ from the Windows operating system, different drivers can be developed for different requirements to support communication between the host and the device.
In the step where the host sends a command to the device, the host, after receiving a client's request, sends verification data to the device in the data transmission format specified by the protocol. The request may be PIN verification, signature verification, data download, or file access and rights management.
In the step where the device parses and processes the command, the device, after receiving a command from the host, parses the command request according to the data protocol agreed in advance and carries out the corresponding security operation, such as verifying a PIN, verifying a signature, receiving data to be downloaded to a specified location, reading, writing, modifying, adding or deleting files according to access rights, or changing the operating rights on a file.
In the step where the device responds to the application, the device, after completing the specified operation or when it makes a new request to the application, sends the relevant data, such as results, to respond to the application's request.
(3) Beneficial effects
By using a data transmission device that comprises an interface module and a memory containing a communication module able to parse the communication protocol of the embedded system platform, the utility model connects to the embedded platform and transfers data. The CPU runs algorithm programs preset in the memory to encrypt the user's communication with the embedded platform, which achieves secure data transmission based on the embedded system platform and in turn software protection and identification. The device is also simple in structure, easy to use and stable in performance.
Description of drawings
Fig. 1 is the operation flowchart of the software encryption lock, the workflow of embodiment 1 of the utility model;
Fig. 2 is the operation flowchart of the authentication lock, the workflow of embodiment 2 of the utility model;
Fig. 3 shows the single-MCU scheme, the hardware block diagram of embodiment 2;
Fig. 4 shows the MCU plus interface chip scheme, the hardware block diagram of embodiment 3;
Fig. 5 shows the MCU plus interface chip and memory scheme, the hardware block diagram of embodiment 1.
Embodiment
The hardware of the utility model may be a high-performance smart card chip, a high-performance CPU chip, or a combination of either with a USB interface chip; other master controllers and sensors may also be added. The technical solution to the problem addressed by the utility model is an information security or software protection device that uses the USB port, parallel port or serial port of an embedded system platform.
Because WinCE is an important operating system on embedded system platforms, the embodiments describe the utility model using applications on WinCE as examples.
The first preferred embodiment of the utility model provides a software protection device (also called an encryption lock) for use under the WinCE operating system. A USB interface device is taken as the example.
As shown in Fig. 5, the software protection device 502 comprises an interface chip 503, an MCU (Micro-Controller Unit) 505 and an extended memory 504 connected in sequence. The extended memory may be any of RAM, ROM, EEPROM, FLASH and so on, and stores the corresponding encryption algorithms. The memory should have enough space to store the preset encryption algorithms, or algorithms selected or downloaded by the user; if user code also needs to be stored, a sufficiently large memory, such as on-chip FLASH, is required.
In the figure, the MCU 505 comprises the communication protocol module 506 for WinCE and the security module 507. Module 506 parses the communication protocol of the WinCE operating system, and the security module 507 provides data security protection; in this embodiment it is a software protection module.
The firmware program comprises the following parts: identification of the device; the device waiting for and receiving data from the host; the device parsing and processing the data; the device returning data to the host and waiting for the next instruction; and the device disconnecting from the host. The device is identified by the host, and the connection between host and device is established using information in registers built into the MCU.
Of these parts, the communication between the device and the host is the core. The communication process is described in detail below with reference to Fig. 1.
Connect the device to the USB interface of a palmtop computer running the WinCE operating system and wait for the palmtop computer to identify the device.
In step 101 the host completes initialization of the device. In step 102 the host verifies the device's manufacturer and product identification; if it is correct, the device proceeds to step 103, otherwise it goes to step 110 and disconnects from the host. Step 103 verifies the user password; if it is correct, the device proceeds to step 104 and waits for a command from the application, otherwise it also goes to step 110. After receiving a command in step 104, the device parses it and, depending on the application's requirements, either performs data encryption or decryption in step 105 or runs preset code on the data in step 106. When processing is finished, the device returns the data and enters step 107 to wait for a command from the application. If the application no longer responds, the device enters step 110 and disconnects from the host. Otherwise, if there is a new command, the device goes to step 108: if the command is judged to end the communication, step 109 disconnects the device from the host; otherwise the device returns to step 104 and continues to wait for and accept commands.
The following further describes how preset code operates on data to implement the function of step 106.
The device serves as a means of providing software encryption. It can store some fragments of the user's software, keep those fragments secure so that they cannot be read out, and run them inside the device while interacting with the external software, thereby controlling the software and ensuring that it runs legally. The device interacts frequently with external programs, so computation speed and communication speed are important performance indicators.
With this embodiment, the following software protection functions can be implemented:
1. Obtain device information: this is information about the device itself. It is stored in internal memory and gives the user a way to remember and identify their own device, as in step 102.
2. Format: the user can format the device; formatting restores all settings and data to the factory state.
3. Write file: such files contain the user's code fragments or the data those fragments need when they run.
4. Read file: such files may be data files used when a code fragment runs, but not the code fragment itself.
5. Run file: such files are the code fragments written by the user. The fragments run inside the device, which keeps all their runtime data and memory contents within the device and returns only the result.
6. Encryption and decryption: lets the user encrypt and decrypt user data inside the hardware, for example with RSA, DES or 3DES, and returns the result to the user.
The preset code also includes the software protection application interface functions, which form the interface layer between the software protection device and third-party applications. These interface functions are mainly used by developers and provide the following functions:
1. Open device: opens a handle to the device and establishes a communication channel with it.
2. Close device: when the device is no longer to be used, clears the device handle and the device status information.
3. Send command: this is the core of the software protection product. It carries out all setting work on the device, that is, it implements all the software protection functions.
The main effect of the software protection device is that the protected part of the program never appears in the host's memory, which brings the following benefits:
1. Preventing illegal copying: the program on the host is incomplete without the software protection key, so the software cannot be distributed without the key.
2. Preventing illegal tracing or debugging: the code of the important part of the software does not run on the host, so no debugging software can obtain the running state of that part of the program.
3. Preventing memory dumps: software is most easily cracked while it is running, and software protected by a traditional packer (shell) can often have its code recovered from a memory dump.
4. Preventing decompilation: however advanced the decompilation technique, it cannot obtain the code fragments inside the device of this embodiment, and so cannot reproduce the complete function of the software.
The second preferred embodiment of the utility model provides a user identification device (also called an authentication lock). It is mainly responsible for storing the user's sensitive data, such as passwords and digital certificates.
The hardware of the identification device is shown in Fig. 3, in which 301 is the host, 302 is the identification device, and 303 is the MCU in the identification device, which integrates the WinCE protocol part 304 and the security module 305. The MCU 303 comprises a CPU, an interface chip and a RAM memory, and the RAM holds the built-in algorithms. In the figure, the MCU 303 comprises the communication protocol module 304 for WinCE and the security module 305. Module 304 parses the WinCE communication protocol, and the security module 305 is the identification module in this embodiment. The MCU should have enough on-chip RAM to hold the preset algorithms, including RSA, DES, 3DES and MD5, or algorithms selected or downloaded by the user; if user code also needs to be stored, a sufficiently large memory, such as on-chip FLASH, is required.
The firmware of the identification device can combine smart card technology with modern cryptography, and can support downloading of third-party algorithms and multi-level file management and access.
The flow is shown in Fig. 2.
The WinCE operating system identifies the device in the same way as in embodiment 1.
The overall function is as follows. In step 201 of Fig. 2 the host completes initialization of the identification device. In step 202 the identification device obtains the password A entered by the user. In step 203 the identification device reads the password from the password storage area and obtains B through specific processing. Step 204 compares A and B. If they differ, authentication fails and the flow goes to step 211, where the identification device disconnects from the host. If they are the same, the identification device assigns the user certain rights, which are associated with the level of the user's password, and the user can authorize application-side operations within the range the identity allows. For example, in step 205 the identification device receives a command from the application, parses and processes it, for instance with data encryption in step 206 or by running preset code on the data in step 207, returns the result to the application, and then executes step 208 to continue waiting for a command from the application. If the application gives no legal response, the flow goes to step 211 and disconnects the device from the host. Otherwise the device receives the application-layer command; if step 208 judges that the command indicates the end of communication, step 210 disconnects and the communication ends normally, otherwise the flow returns to step 205. Alternatively, in steps 202, 203 and 204 the password can be read directly from the identification device and the host side can judge whether the password is correct.
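The Fig. 2 flow described above (with the vendor/product check it shares with Fig. 1), modelled as an added C example that is not code from the patent. The vendor and product IDs, opcodes, passwords, the XOR masking that stands in for the unspecified "specific processing", the XOR transform that stands in for a real cipher, and the mapping of commands to privilege levels are all constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Every identifier, opcode, ID and password below is constructed for this
 * example; none comes from the patent or from any real product. */
#define VENDOR_ID  0x1234u   /* placeholder vendor ID */
#define PRODUCT_ID 0x0001u   /* placeholder product ID */
#define PW_LEN     8
#define MASK       0x5Au     /* stand-in for the unspecified "specific processing" */
#define DEMO_KEY   0xA7u     /* stand-in transform key; XOR is not a real cipher */
#define M(c)       ((uint8_t)((c) ^ MASK))

enum state  { ST_READY, ST_CLOSED };
enum level  { LVL_NONE, LVL_USER, LVL_ADMIN };
enum op     { OP_CRYPT = 1, OP_RUN_PRESET = 2, OP_END = 3 };
enum status { S_OK, S_BAD_ID, S_BAD_PW, S_DENIED, S_BAD_CMD, S_CLOSED };

struct session { enum state st; enum level lvl; };

/* Password storage area: masked reference passwords, each tied to a level. */
struct pw_record { enum level lvl; uint8_t masked[PW_LEN]; };
static const struct pw_record PW_STORE[] = {
    { LVL_USER,  { M('u'), M('s'), M('e'), M('r'), M('1'), M(0), M(0), M(0) } },
    { LVL_ADMIN, { M('a'), M('d'), M('m'), M('i'), M('n'), M('9'), M(0), M(0) } },
};

/* Compare without an early exit so timing does not reveal the first mismatch. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Steps 201-204: identify the device, compare A with B, assign rights. */
enum status session_open(struct session *s, uint16_t vid, uint16_t pid,
                         const char *password)
{
    uint8_t a[PW_LEN] = { 0 }, b[PW_LEN];
    size_t len = strlen(password);

    s->st = ST_CLOSED;                 /* fail closed (step 211) by default */
    s->lvl = LVL_NONE;
    if (vid != VENDOR_ID || pid != PRODUCT_ID)
        return S_BAD_ID;               /* host rejects the reported IDs */
    if (len == 0 || len > PW_LEN)
        return S_BAD_PW;
    memcpy(a, password, len);          /* step 202: password A, zero padded */

    for (size_t r = 0; r < sizeof PW_STORE / sizeof PW_STORE[0]; r++) {
        for (size_t i = 0; i < PW_LEN; i++)          /* step 203: derive B */
            b[i] = (uint8_t)(PW_STORE[r].masked[i] ^ MASK);
        if (ct_equal(a, b, PW_LEN))                  /* step 204 */
            s->lvl = PW_STORE[r].lvl;  /* rights follow the password level */
    }
    if (s->lvl == LVL_NONE)
        return S_BAD_PW;
    s->st = ST_READY;
    return S_OK;
}

/* Steps 205-211: parse one command and run it only if the level allows it. */
enum status session_command(struct session *s, uint8_t op,
                            const uint8_t *in, size_t n, uint8_t *out)
{
    if (s->st != ST_READY)
        return S_CLOSED;
    switch (op) {
    case OP_CRYPT:                     /* step 206 */
        if (s->lvl < LVL_USER) return S_DENIED;
        for (size_t i = 0; i < n; i++) out[i] = (uint8_t)(in[i] ^ DEMO_KEY);
        return S_OK;
    case OP_RUN_PRESET:                /* step 207: only the result leaves */
        if (s->lvl < LVL_ADMIN) return S_DENIED;
        out[0] = 0;
        for (size_t i = 0; i < n; i++) out[0] = (uint8_t)(out[0] + in[i]);
        return S_OK;
    case OP_END:                       /* steps 208 and 210: normal end */
        s->st = ST_CLOSED; s->lvl = LVL_NONE;
        return S_OK;
    default:                           /* no legal command: step 211 */
        s->st = ST_CLOSED; s->lvl = LVL_NONE;
        return S_BAD_CMD;
    }
}

int main(void)
{
    struct session s;
    uint8_t in[3] = { 1, 2, 3 }, out[3];
    if (session_open(&s, VENDOR_ID, PRODUCT_ID, "user1") != S_OK) return 1;
    if (session_command(&s, OP_RUN_PRESET, in, 3, out) != S_DENIED) return 1;
    if (session_command(&s, OP_END, in, 0, out) != S_OK) return 1;
    return session_command(&s, OP_CRYPT, in, 3, out) == S_CLOSED ? 0 : 1;
}
```
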
This embodiment can implement the following functions:
1. Controlling network access: the ID information and user authentication information held in the identification device are used to log on to the network.
2. Verifying digital signatures or certificates to identify the sender of a file and to prevent the file from being tampered with in transit.
3. Storing password information: storing the user's password information avoids the risks that arise when the user enters passwords manually.
4. Remote login: for example, a bank's website can use signature information to verify the user's legitimacy.
5. Controlling file access: access control information can be added to some files so that, with the identification device, unauthorized access or operations can be prevented.
6. Controlling login to a specific application system: developers can use this function in their own products, which can then be logged in to with the device of this embodiment.
Item 3 above means that the password information contained in the identification device is sent to the host and used to identify the holder of the lock.
The preset code also includes the identification device application interface functions, which form the interface layer between the identification device and third-party applications. These interface functions are mainly used by developers and provide the following functions:
1. Open device: opens a handle to the device and establishes a communication channel with it.
2. Close device: when the device is no longer to be used, clears the device handle and the device status information.
3. Send command: this is the core of the identification device. It carries out all setting work on the device, that is, it implements all the smart card functions of the identification device.
The main effect of the digital identification device is to protect important sensitive data so that it is never read out of the key device, for example into the host's memory. This brings the following benefits:
1. The user need not remember long passwords. A secure password must be a sufficiently complex string of letters and digits and must be changed often; storing the password information in the identification device saves the user this trouble.
2. It provides two-factor authentication: even if one of the two, the user's password or the digital identification device, is lost, the user is not put at risk.
3. Keys cannot be exported, which keeps the user's keys secure.
4. Algorithms are built in.
The third embodiment of the utility model provides another identification device. As shown in Fig. 4, the identification device 402 contains an interface chip 403 and, connected to it, an MCU 404 that integrates a CPU and memory. The device connects to the host 401 through the interface chip, which mainly performs translation of the interface protocol so that the MCU part 404 can be implemented more simply. Part 404 also comprises 405 (the protocol module for WinCE) and 406 (the security module).
In this embodiment the communication between host and device is the same as in embodiment 2, and the embodiment implements the same functions as embodiment 2.
The device provided by the utility model has been described in detail above. Specific examples have been used to explain the principle and implementation of the utility model, and the description of the embodiments is intended only to help in understanding the method and core idea of the utility model. A person of ordinary skill in the art may, following the idea of the utility model, make changes to the specific implementation and scope of application. In summary, this description should not be construed as limiting the utility model.

Claims (11)

1. A secure data transmission device, comprising a central processing unit, a memory and an interface module, characterized in that the device further comprises a communication protocol module for an embedded system platform and a security module; the communication protocol module parses the communication protocol of each embedded system platform; the security module provides data security protection; the communication protocol module is located inside the memory and is connected to the central processing unit; and the security module is located inside the memory and is connected to the central processing unit.
2. The secure data transmission device of claim 1, characterized in that the security module is a software protection module, and the software protection module provides software encryption.
3. The secure data transmission device of claim 1, characterized in that the security module is an identification module, and the identification module stores the user's sensitive data.
4. The secure data transmission device of any one of claims 1 to 3, characterized in that the central processing unit, interface chip and memory are integrated in one microcontroller chip.
5. The secure data transmission device of any one of claims 1 to 3, characterized in that the central processing unit and memory are integrated in one microcontroller chip.
6. The secure data transmission device of claim 4, characterized in that the microcontroller chip is a smart card chip.
7. The secure data transmission device of claim 5, characterized in that the microcontroller chip is a smart card chip.
8. The secure data transmission device of claim 6 or 7, characterized in that the device further comprises an extended memory, and the extended memory is connected to the microcontroller chip.
9. The secure data transmission device of any one of claims 1 to 3, characterized in that the central processing unit and memory are integrated in a single-chip microcomputer.
10. The secure data transmission device of claim 1, characterized in that the memory is any of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM) or erasable programmable read-only memory (EPROM).
11. The secure data transmission device of claim 1, characterized in that the embedded system platform is Windows CE, VxWorks, ucLinux, FreeBSD or Solaris.
CN 200620012396 2006-04-17 2006-04-17 Secure data transmission device Expired - Lifetime CN2891502Y (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200620012396 CN2891502Y (en) 2006-04-17 2006-04-17 Secure data transmission device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200620012396 CN2891502Y (en) 2006-04-17 2006-04-17 Secure data transmission device

Publications (1)

Publication Number Publication Date
CN2891502Y true CN2891502Y (en) 2007-04-18

Family

ID=38022161

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200620012396 Expired - Lifetime CN2891502Y (en) 2006-04-17 2006-04-17 Secure data transmission device

Country Status (1)

Country Link
CN (1) CN2891502Y (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102024106A (en) * 2010-11-17 2011-04-20 北京曙光天演信息技术有限公司 Method for executing user customization code in encryption card and encryption card
CN102024106B (en) * 2010-11-17 2014-01-15 曙光云计算技术有限公司 Method for executing user customization code in encryption card and encryption card
CN109359451A (en) * 2018-11-12 2019-02-19 兴科迪科技(泰州)有限公司 A kind of architecture based on security control box container, method and system

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: FEITIAN CHENGXIN TECHNOLOGIES CO., LTD.

Free format text: FORMER NAME: BEIJING FEITIAN CHENGXIN SCIENCE + TECHNOLOGY CO. LTD.

CP03 Change of name, title or address

Address after: 100085 Beijing city Haidian District Xueqing Road No. 9 Ebizal building B block 17 layer

Patentee after: Feitian Technologies Co., Ltd.

Address before: 100083, Haidian District, Xueyuan Road, No. 40 research, 7 floor, 5 floor, Beijing

Patentee before: Beijing Feitian Chengxin Science & Technology Co., Ltd.

CX01 Expiry of patent term

Granted publication date: 20070418

EXPY Termination of patent right or utility model