WO2016107555A1 - Loading storage medium - Google Patents

Info

Publication number
WO2016107555A1
Authority
WO
WIPO (PCT)
Prior art keywords
storage medium
administration server
identity information
application server
remote application
Prior art date
Application number
PCT/CN2015/099497
Other languages
French (fr)
Inventor
Youchun LUO
Original Assignee
Hangzhou H3C Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co., Ltd.
Publication of WO2016107555A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the agent AGENT may inform the remote desktop on the remote application server, so as to allow the remote desktop to access the storage medium through an explorer normally.
  • Block 313 the agent AGENT returns an error report about verification credential to the local client, so as to inform the user to input correct verification credential.
  • Block 314 the storage medium administration server sends a report about the identity information of the storage medium not passing identification to the remote application server, and Block 315 is executed.
  • Block 315 it indicates that the remote application server cannot load the storage medium.
  • the present disclosure may help to effectively prevent data leaks while the remote application server accesses data in the storage medium and thereby upgrade the security of the mobile office.
  • the present disclosure also provides an example of an apparatus for loading storage medium, in correspondence with the method for loading storage medium described above.
  • the apparatus for loading storage medium may be realized by software or hardware or the combination of both.
  • the apparatus may be an apparatus in a logical sense and formed by the processor of the apparatus reading corresponding machine readable instructions from non-transitory storage to internal memory and operating these instructions.
  • the apparatus for loading storage medium in the present disclosure may comprise a processor 401, a network interface 402 and a storage 403, and may further comprise other hardware parts, such as a chip for forwarding messages and so on.
  • the apparatus may be a distributed apparatus and comprise multiple interface cards, so as to perform the extension of message processing in hardware level.
  • the apparatus may comprise:
  • a determining unit 510 configured to determine whether a storage medium connected to a local client is mapped to a remote desktop on a remote application server;
  • an authenticating unit 520 configured to authenticate the storage medium, according to verification credential with respect to the storage medium which is acquired from the local client when the determination result of the determining unit 510 is YES;
  • a loading unit 530 configured to load the storage medium, when the storage medium passes the authentication.
  • the apparatus may further comprise a matching unit 540, which is configured to:
  • the authenticating unit authenticates the storage medium according to the verification credential, determine whether the identity information of the storage medium mapped to the remote desktop on the remote application server and the unique identifier of the storage medium acquired from the local client match each other or not;
  • the apparatus may further comprise a receiving unit 550, which is configured to
  • the apparatus may further comprise a determining unit 560, which is configured to
  • the authenticating unit if it is, cause the authenticating unit to authenticate the storage medium according to the verification credential with respect to the storage medium acquired from the local client, and
  • the description about an example of the apparatus is basically in correspondence with that of the method, and the detailed description is omitted and may be referenced to the description about the example of the method.
  • the above-described example of apparatus is only illustrative, wherein the units described as separate components may or may not be physically separate, and the component described as a displaying unit may or may not be a physical unit and can be located in one location or distributed to a plurality of networking units.
  • Those skilled in the art may readily implement the present disclosure without any inventive effort and may select some or all of the modules or units to implement according to practical needs.
  • the present disclosure provides a machine readable storage medium corresponding to the method for loading storage medium as above, which is stored with machine readable instructions which are executed by processor to:
  • the machine readable instructions are further executed by the processor to:
  • the machine readable instructions are further executed by the processor to:
  • the storage medium administration server when the storage medium is identified by the storage medium administration server, receive the identity information of the storage medium administration server and the loading policy of the storage medium from the storage medium administration server.
  • the machine readable instructions are further executed by the processor to:
  • the present disclosure effectively prevents data leaks while the remote application server accesses the data in the storage medium, so as to improve the security of using the storage medium.
  • processors may be implemented by hardware (including hardware logic circuitry), software or firmware or a combination thereof.
  • the term ‘processor’ is to be interpreted broadly to include a processing unit, ASIC, logic unit, or programmable gate array etc.
  • the processes, methods and functional units may all be performed by the one or more processors; reference in this disclosure or the claims to a ‘processor’ should thus be interpreted to mean ‘one or more processors’.
  • the processes, methods and functional units described in this disclosure may be implemented in the form of a computer software product.
  • the computer software product is stored in a storage medium and comprises a plurality of instructions for making a processor to implement the methods recited in the examples of the present disclosure.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

In one example, a method comprises determining whether a storage medium connected to a local client is mapped to a remote desktop on a remote application server. If the storage medium is mapped to the remote desktop, the storage medium may be authenticated according to verification credential with respect to the storage medium acquired from the local client. The storage medium may be loaded when the storage medium passes the authentication.

Description

Loading Storage Medium
Background
With the development of virtualization technology, mobile office becomes more and more pervasive in enterprises. In a mobile office, a user, such as an employee, may be assigned a virtual desktop which runs on a remote server. The remote desktop may store data and certain applications and settings which may be accessed by the user using a local client device which connects to the remote server over a network. While mobile office brings efficiency to enterprises, it also brings security concerns to enterprises.
Brief Description of the Drawings
Fig. 1 is a scenario schematic illustrating an application of the present disclosure in loading storage medium;
Fig. 2 is a flowchart illustrating a method for loading storage medium according to an example of the present disclosure;
Fig. 3 is a flowchart illustrating a method for loading storage medium according to an example of the present disclosure;
Fig. 4 is a diagram illustrating hardware structure of an apparatus in which a loading storage medium apparatus is installed according to an example of the present disclosure;
Fig. 5 is a diagram illustrating a loading storage medium apparatus according to an example of the present disclosure.
Detailed Description
After a storage medium connected to a local client is mapped to a remote application desktop (hereinafter also referred to as “remote desktop”) on a remote application server, the storage medium is usually authenticated by the local client. After the storage medium passes the authentication, the remote application server is allowed to access data stored in the storage medium. Since the data loaded from the storage medium by the remote application server is decrypted on the local client, the data may be easily leaked if it is intercepted in transmission. To address this, the present disclosure provides a method and apparatus for enhancing the security of a storage medium in a mobile office.
For simplicity and illustrative purposes, the present disclosure is described by referring mainly to an example and figures thereof. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure as well as its objects, features and advantages.
In an example of the present disclosure, referring to Fig. 1, the scenario schematic of an application of the present disclosure in loading storage medium is illustrated. In Fig. 1, the storage medium 101 may for example be an encrypted removable hard disk, optical disk, removable flash storage, a universal serial bus memory and so on. The local client 102 may be a handset, iPad, laptop, or desktop computer and so on. The remote application server 103 is used for distributing various types of office application software to the local client and authenticating the storage medium. The storage medium administration server 104 is used for identifying the identity of the storage medium. In order to realize mobile office, a mobile office application may be installed in the local client 102, and by initiating the mobile office application on the local client 102, the user may open the remote desktop on the remote application server 103 and access the office application distributed on the remote application server 103.
In an example, when a user opens the remote desktop on a remote application server, the storage medium 101 connected to the local client 102 may be mapped to the remote desktop on the remote application server. That is, in response to a user opening the remote desktop on the remote application server, a mapping relationship between the storage medium and the remote desktop is built. Thus, based on the mapping relationship between the storage medium and the remote desktop, the remote application server in which the remote desktop is installed may authenticate the storage medium according to a verification credential with respect to the storage medium acquired from the local client. Then, when the storage medium passes the authentication, the remote application server may be allowed to access the storage medium, for example to load data from the storage medium. In this way, since the storage medium is authenticated by the remote application server and not by the local client, the data loaded by the remote application server from the storage medium can be decrypted into plaintext by the remote desktop but remains encrypted while the remote application server accesses the storage medium, which improves the security of using the storage medium.
Referring to Fig. 2, a flowchart of an example of the method for loading storage medium in the present disclosure, the example is illustrated from the side of a remote application server, which may include:
Block 201, determining whether a storage medium connected to a local client is mapped to a remote desktop on a remote application server.
For example, when a storage medium is connected to a local client and a user opens the remote desktop on a remote application server, the storage medium connected to the local client may be mapped to the remote desktop through Universal Serial Bus (USB) mapping supported by Remote Desktop Protocol (RDP). In the meantime, since the storage medium mapped to the remote desktop on the remote application server remains encrypted and is yet to be authenticated, the remote application server cannot use the storage medium yet.
Block 202, if the storage medium is mapped to the remote desktop, authenticating, by the remote application server, the storage medium, according to a verification credential with respect to the storage medium acquired from the local client. For example, the verification credential may be stored on the local client, or input by a user, and acquired by the remote application server.
In an example, when the storage medium is connected to the local client and the user opens the remote desktop on the remote application server, the local client may pop up a dialog box to require the user to input verification credential, and after the user inputs the verification credential in the dialog box, the local client may send the verification credential to the remote application server.
In an example, when a storage medium is connected to the local client and the user opens the remote desktop on the remote application server, the local client may further read the unique identifier of the storage medium, and send the unique identifier of the storage medium to the remote application server. For example, the unique identifier may be “USB/VID_152D&PID_2339”, where VID represents a provider code and PID represents a product code. In another example, the local client may send the unique identifier of the storage medium together with the verification credential to the remote application server after the user inputs the verification credential into the dialog box popped up in the local client.
In order to enhance the security in loading storage medium, according to an example, after acquiring the unique identifier of the storage medium, the remote application server may determine whether the identity information of the storage medium mapped to the remote desktop on the remote application server and the unique identifier of the storage medium match each other or not, and if they match, send the identity information of the storage medium to a storage medium administration server. Then, the storage medium administration server may determine whether the identity information of the storage medium is consistent with the preset identity information of storage medium, and if yes, it indicates that the storage medium is identified, and the storage medium administration server may send its own identity information and a loading policy to the remote application server. Wherein, the preset identity information of storage medium means the identity information of the storage medium which is stored in the storage medium administration server in advance. The loading policy means a loading policy which is stored in the storage medium administration server in advance and relates to how the storage medium shall be loaded by the local client or the remote application server, and so on. For example, the loading policy may be: reading operation on the storage medium, writing operation on the storage medium, or reading and writing operation on the storage medium.
After receiving the identity information of the storage medium administration server, in order to avoid illegal attacks in the meantime, the remote application server may further determine whether the identity information of the storage medium administration server is consistent with the preset identity information of storage medium administration server, and if yes, it indicates that the storage medium administration server is authenticated. Wherein, the preset identity information of storage medium administration server refers to a legal server that may be used to identify the identity of the storage medium that can be accessed by the remote application server. In general, the preset identity information of storage medium administration server is stored in the remote application server in advance.
If the identity of the storage medium and the identity of the storage medium administration server in the remote application server are authenticated, it means the mapped storage medium is legal and the remote application server may be allowed to access the storage medium. At this time, the remote application server may further authenticate the verification credentials with respect to the storage medium acquired from the local client, and if the storage medium passes the authentication, Block 203 may be executed; otherwise, the remote application server may return an error report about the verification credential to the local client, so as to inform the user to input correct verification credential. Wherein, the verification credential may be an encryption code of the storage medium, and the authentication process may be that: after acquiring the verification credential input from the local client, the remote application server may compare the verification credential with information about the verification credential extracted by the remote application server, and if they are consistent with each other, it means the storage medium is authenticated, i.e., passes the authentication.
At block 203, the storage medium passes the authentication, allowing the remote application server to load the storage medium.
In an example, when the storage medium passes the authentication, the remote application server may load the storage medium according to the loading policy acquired from the storage medium administration server.
As can be seen from the above, when a storage medium connected to a local client is mapped to a remote desktop on a remote application server, by having the remote application server authenticate the storage medium, the present disclosure may effectively prevent data leaks while the remote application server accesses data in the storage medium, so as to improve the security of using the storage medium.
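The server-side checks of Blocks 201 to 203, in the order the description gives them (identifier match, identification by the administration server, check of that server's identity, then the verification credential), as an added Python example that is not part of the patent text. The class names, the medium layout (a salt plus a PBKDF2 verifier standing in for the "information about the verification credential extracted by the remote application server"), the server identity strings and the policy strings are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Outcome(Enum):
    LOADED = "loaded"                                # Block 203 / 312
    NOT_MAPPED = "not mapped"                        # Block 201 answers no
    ID_MISMATCH = "identifier mismatch"              # Block 306 fails
    MEDIUM_NOT_IDENTIFIED = "medium not identified"  # Blocks 308 and 314
    ADMIN_SERVER_REJECTED = "admin server rejected"  # Block 310 fails
    BAD_CREDENTIAL = "bad credential"                # Block 313


def derive_verifier(credential: str, salt: bytes) -> bytes:
    # Assumption: the medium stores a salted verifier, never the credential itself.
    return hashlib.pbkdf2_hmac("sha256", credential.encode("utf-8"), salt, 100_000)


@dataclass(frozen=True)
class MappedMedium:
    """What the agent reads from the medium mapped into the remote desktop (hypothetical layout)."""
    identity: str
    salt: bytes
    verifier: bytes


@dataclass(frozen=True)
class AdminReply:
    identified: bool
    server_identity: str = ""
    loading_policy: str = ""


class AdminServer:
    """Storage medium administration server: preset medium identities and their loading policy."""

    def __init__(self, identity: str, preset_media: Dict[str, str]):
        self.identity = identity
        self.preset_media = dict(preset_media)

    def identify(self, medium_identity: str) -> AdminReply:
        policy = self.preset_media.get(medium_identity)
        if policy is None:
            return AdminReply(identified=False)          # report of failed identification
        return AdminReply(True, self.identity, policy)   # own identity plus loading policy


class Agent:
    """Agent on the remote application server; every failed check denies the load."""

    def __init__(self, preset_admin_identity: str, admin_server: AdminServer):
        self.preset_admin_identity = preset_admin_identity
        self.admin_server = admin_server

    def handle(self, medium: Optional[MappedMedium], reported_id: str,
               credential: str) -> Tuple[Outcome, Optional[str]]:
        if medium is None:
            return Outcome.NOT_MAPPED, None
        # The identifier sent by the client must match the medium actually mapped.
        if medium.identity != reported_id:
            return Outcome.ID_MISMATCH, None
        reply = self.admin_server.identify(medium.identity)
        if not reply.identified:
            return Outcome.MEDIUM_NOT_IDENTIFIED, None
        # The reply must come from the administration server preset on this agent.
        if not hmac.compare_digest(reply.server_identity.encode("utf-8"),
                                   self.preset_admin_identity.encode("utf-8")):
            return Outcome.ADMIN_SERVER_REJECTED, None
        # Credential check last, with a constant-time comparison of the derived verifier.
        candidate = derive_verifier(credential, medium.salt)
        if not hmac.compare_digest(candidate, medium.verifier):
            return Outcome.BAD_CREDENTIAL, None
        return Outcome.LOADED, reply.loading_policy


def run_demo() -> Dict[str, Tuple[Outcome, Optional[str]]]:
    """Run the flow over constructed inputs and return the outcome of each case."""
    device_id = "USB/VID_152D&PID_2339"        # identifier format quoted in the description
    other_id = "USB/VID_0000&PID_0000"         # constructed, not registered anywhere
    salt = os.urandom(16)
    verifier = derive_verifier("constructed-passphrase", salt)
    medium = MappedMedium(device_id, salt, verifier)
    unknown = MappedMedium(other_id, salt, verifier)
    admin = AdminServer("admin-server-01", {device_id: "read"})
    rogue = AdminServer("rogue-server", {device_id: "read-write"})
    agent = Agent("admin-server-01", admin)
    misled_agent = Agent("admin-server-01", rogue)
    return {
        "ok": agent.handle(medium, device_id, "constructed-passphrase"),
        "wrong_credential": agent.handle(medium, device_id, "guess"),
        "id_mismatch": agent.handle(medium, other_id, "constructed-passphrase"),
        "unknown_medium": agent.handle(unknown, other_id, "constructed-passphrase"),
        "rogue_admin": misled_agent.handle(medium, device_id, "constructed-passphrase"),
        "not_mapped": agent.handle(None, device_id, "constructed-passphrase"),
    }


if __name__ == "__main__":
    for case, (outcome, policy) in run_demo().items():
        print(f"{case:17s} {outcome.value:24s} policy={policy}")
```

A VID/PID pair identifies a vendor and product model rather than an individual unit, so a deployment would bind a per-device value as well. Comparing a self-reported server identity string only models the check the description names; in practice that identity would need to be bound to an authenticated channel.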
Referring to Fig. 3, a flowchart of another example of the method for loading storage medium in the present disclosure, the example illustrates the interactions among local client, remote application server and storage medium administration server, so as to describe the process for loading the storage medium in detail. In practice, a credible mobile storage medium agent AGENT may be deployed on the remote application server, and the agent AGENT digitally communicates with the local client and the storage medium administration server so as to execute a method provided in the present disclosure. The method may include the following blocks:
Block 301, after a storage medium is connected to a local client, the user may open the remote desktop on the remote application server by initiating a mobile office application on the local client.
Block 302, the local client reads the unique identifier of the storage medium.
Block 303, the storage medium connected to the local client is mapped to a remote desktop on the remote application server through USB mapping supported by RDP.
Block 304, the local client requests the user to input a verification credential, e.g. through a dialog box.
Block 305, after the user inputs the verification credential, the local client sends the unique identifier of the storage medium and the verification credential to the agent AGENT on the remote application server.
Block 306, the agent AGENT determines whether the identity information of the storage medium and the unique identifier of the storage medium match each other or not.
Block 307, if they match, the agent AGENT sends the identity information of the storage medium to the storage medium administration server.
Block 308, the storage medium administration server determines whether the identity information of the storage medium is consistent with a preset identity information of storage medium, and if yes, it indicates that the identity of the storage medium passes the identification, and Block 309 may be executed. Otherwise, it indicates that the identity of the storage medium does not pass the identification, and Block 314 may be executed.
Block 309, the storage medium administration server sends its own identity information and a loading policy to the agent AGENT.
Block 310, the agent AGENT determines whether the identity information of the storage medium administration server is consistent with preset identity information of storage medium administration server, and if yes, this indicates that the identity information of the storage medium administration server passes the identification, and Block 311 may be executed. Otherwise, this indicates that the identity information of the storage medium administration server does not pass the identification, and Block 315 may be executed.
Block 311, the agent AGENT authenticates the verification credential with respect to the storage medium acquired from the local client, and if the storage medium passes the authentication, Block 312 may be executed, and otherwise, Block 313 may be executed.
Block 312, the agent AGENT loads the storage medium according to the loading policy.
In the present example, when the storage medium is loaded successfully, the agent AGENT may inform the remote desktop on the remote application server, so as to allow the remote desktop to access the storage medium through an explorer normally.
Block 313, the agent AGENT returns an error report about verification credential to the local client, so as to inform the user to input correct verification credential.
Block 314, the storage medium administration server sends a report about the identity information of the storage medium not passing identification to the remote application server, and Block 315 is executed.
Block 315, it indicates that the remote application server cannot load the storage medium.
As seen from the above, when a storage medium connected to a local client is mapped to a remote desktop on a remote application server, having the remote application server authenticate the storage medium may help to effectively prevent data leaks while the remote application server accesses data in the storage medium, and thereby improve the security of the mobile office.
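The agent-side decision sequence of Blocks 305 to 315, including the credential comparison described for Block 203, can be sketched as follows. This is an added example, not code from the disclosure: the class and field names, the string form of the identity information, the PBKDF2 hash standing in for the "information about the verification credential", and the "not loaded" result on a Block 306 mismatch are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    LOADED = "loaded"                    # Block 312
    BAD_CREDENTIAL = "credential error"  # Block 313
    NOT_LOADED = "cannot load"           # Block 315


@dataclass(frozen=True)
class MappedMedium:
    """What the agent reads from the medium mapped into the remote desktop."""
    identity: str           # identity information of the storage medium
    salt: bytes
    credential_hash: bytes  # "information about the verification credential"


def derive(credential: str, salt: bytes) -> bytes:
    # Assumption: the medium carries a salted hash, not the credential itself.
    return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 100_000)


def same(a: str, b: str) -> bool:
    # Constant-time equality, so a mismatch position is not leaked by timing.
    return hmac.compare_digest(a.encode(), b.encode())


class AdminServer:
    """Storage medium administration server (Blocks 308, 309 and 314)."""

    def __init__(self, identity: str, registered: dict):
        self.identity = identity
        self.registered = registered  # preset medium identity -> loading policy

    def identify(self, medium_identity: str):
        policy = self.registered.get(medium_identity)
        if policy is None:
            return None                # Block 314: identification failed
        return self.identity, policy   # Block 309: own identity + policy


class Agent:
    """AGENT deployed on the remote application server."""

    def __init__(self, preset_server_identity: str, server: AdminServer):
        self.preset_server_identity = preset_server_identity
        self.server = server
        self.loaded = {}               # medium identity -> applied policy

    def handle(self, medium: MappedMedium, unique_id: str, credential: str) -> Outcome:
        # Block 306: mapped medium must match the identifier the client read.
        if not same(medium.identity, unique_id):
            return Outcome.NOT_LOADED  # assumption: a mismatch ends in Block 315
        # Blocks 307-308: the administration server identifies the medium.
        reply = self.server.identify(medium.identity)
        if reply is None:
            return Outcome.NOT_LOADED  # Block 314 -> Block 315
        server_identity, policy = reply
        # Block 310: check the server against the preset identity.
        if not same(server_identity, self.preset_server_identity):
            return Outcome.NOT_LOADED  # Block 315
        # Block 311: the credential is checked last, after both identities.
        if not hmac.compare_digest(derive(credential, medium.salt),
                                   medium.credential_hash):
            return Outcome.BAD_CREDENTIAL  # Block 313
        # Block 312: load according to the policy from the server.
        self.loaded[medium.identity] = policy
        return Outcome.LOADED


def build_demo(server_identity: str = "ADMIN-SRV-A"):
    """Constructed sample data: one registered medium, one agent."""
    salt = b"constructed-salt"
    medium = MappedMedium("USB-0001", salt, derive("s3cret-code", salt))
    server = AdminServer(server_identity, {"USB-0001": "read-only"})
    return medium, Agent("ADMIN-SRV-A", server)
```

The identity checks here are plain equality against preset values, as the blocks describe; equality alone gives no proof of possession, so a deployment would normally bind each identity to a key or certificate.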
The present disclosure also provides an example of an apparatus for loading storage medium, in correspondence with the method for loading storage medium described above.
The example of the apparatus for loading storage medium in the present disclosure may be realized by software, by hardware, or by a combination of both. When realized by software, the apparatus is an apparatus in a logical sense, formed by the processor of the apparatus reading corresponding machine readable instructions from non-transitory storage into internal memory and executing these instructions. In a hardware sense, as illustrated in Fig. 4, the apparatus for loading storage medium in the present disclosure may comprise a processor 401, a network interface 402 and a storage 403, and may further comprise other hardware parts, such as a chip for forwarding messages and so on. In terms of the hardware structure, the apparatus may be a distributed apparatus and comprise multiple interface cards, so as to extend message processing at the hardware level.
Referring to Fig. 5, a block diagram of the apparatus for loading storage medium in an example of the present disclosure is illustrated, and the example is described from the side of a remote application server. As shown in Fig. 5, the apparatus may comprise:
a determining unit 510, configured to determine whether a storage medium connected to a local client is mapped to a remote desktop on a remote application server;
an authenticating unit 520, configured to authenticate the storage medium, according to verification credential with respect to the storage medium which is acquired from the local client when the determination result of the determining unit 510 is YES; and
a loading unit 530, configured to load the storage medium, when the storage medium passes the authentication.
In an alternative example, the apparatus may further comprise a matching unit 540, which is configured to:
before the authenticating unit authenticates the storage medium according to the verification credential, determine whether the identity information of the storage medium mapped to the remote desktop on the remote application server and the unique identifier of the storage medium acquired from the local client match each other or not; and
if they match, send the identity information of the storage medium to a storage medium administration server, so as to allow the storage medium administration server to identify the storage medium.
In another alternative example, the apparatus may further comprise a receiving unit 550, which is configured to
receive the identity information of the storage medium administration server and a loading policy of the storage medium acquired from the storage medium administration server, when the storage medium is identified by the storage medium administration server.
In another alternative example, the apparatus may further comprise a determining unit 560, which is configured to
determine whether the received identity information of the storage medium administration server is consistent with preset identity information of storage medium administration server, and
if it is, cause the authenticating unit to authenticate the storage medium according to the verification credential with respect to the storage medium acquired from the local client, and
when the storage medium passes the authentication, cause the loading unit to load the storage medium according to the loading policy sent from the storage medium administration server.
The description of the example of the apparatus basically corresponds to that of the method, so the detailed description is omitted; reference may be made to the description of the example of the method. The above-described example of the apparatus is only illustrative, wherein the units described as separate components may or may not be physically separate, and the component described as a displaying unit may or may not be a physical unit and can be located in one location or distributed to a plurality of networking units. Those skilled in the art may readily implement the present disclosure without any inventive effort and may select some or all of the modules or units to implement according to practical needs.
The present disclosure provides a machine readable storage medium corresponding to the method for loading storage medium as above, which stores machine readable instructions which are executed by a processor to:
determine whether a storage medium connected to a local client is mapped to a remote desktop on a remote application server;
authenticate the storage medium, according to verification credential with respect to the storage medium acquired from the local client when the storage medium is mapped to the remote desktop; and
load the storage medium, when the storage medium passes the authentication.
The machine readable instructions are further executed by the processor to:
before authenticating the storage medium according to the verification credential with respect to the storage medium acquired from the local client, determine whether the identity information of the storage medium mapped to the remote desktop on the remote application server and the unique identifier of the storage medium acquired from the local client match each other or not; and
if they match, send the identity information of the storage medium to a storage medium administration server, so as to allow the storage medium administration server to identify the storage medium.
The machine readable instructions are further executed by the processor to:
when the storage medium is identified by the storage medium administration server, receive the identity information of the storage medium administration server and the loading policy of the storage medium from the storage medium administration server.
The machine readable instructions are further executed by the processor to:
determine whether the received identity information of the storage medium administration server is consistent with preset identity information of storage medium administration server, and
if it is, authenticate the storage medium, according to the verification credential with respect to the storage medium acquired from the local client, and when the storage medium is identified, load the storage medium, according to the loading policy sent from the storage medium administration server.
As seen from the above, when a local client opens a remote desktop on a remote application server, by mapping a storage medium connected to the local client to the remote desktop and having the remote application server authenticate the storage medium, the present disclosure effectively prevents data leaks while the remote application server accesses the data in the storage medium, thereby improving the security of using the storage medium.
The above are only preferred examples of the present disclosure and are not intended to limit the disclosure. Any change, equivalent replacement, or improvement made within the spirit and principles of the present disclosure should be contained within the scope of protection of the present disclosure.
The methods, processes and units described herein may be implemented by hardware (including hardware logic circuitry), software or firmware or a combination thereof. The term ‘processor’ is to be interpreted broadly to include a processing unit, ASIC, logic unit, or programmable gate array etc. The processes, methods and functional units may all be performed by the one or more processors; reference in this disclosure or the claims to a ‘processor’ should thus be interpreted to mean ‘one or more processors’.
Further, the processes, methods and functional units described in this disclosure may be implemented in the form of a computer software product. The computer software product is stored in a storage medium and comprises a plurality of instructions for causing a processor to implement the methods recited in the examples of the present disclosure.
The figures are only illustrations of an example, wherein the units or procedure shown in the figures are not necessarily essential for implementing the present disclosure. Those skilled in the art will understand that the units in the device in the example can be arranged in the device in the examples as described, or can be alternatively located in one or more devices different from that in the examples. The units in the examples described can be combined into one module or further divided into a plurality of sub-units.
Although the flowcharts described show a specific order of execution, the order of execution may differ from that which is depicted. For example, the order of execution of two or more blocks may be changed relative to the order shown. Also, two or more blocks shown in succession may be executed concurrently or with partial concurrence. All such variations are within the scope of the present disclosure.
It will be appreciated by persons skilled in the art that numerous variations and/or modifications may be made to the above-described examples, without departing from the broad general scope of the present disclosure. The present disclosure is, therefore, to be considered in all respects as illustrative and not restrictive.
The foregoing disclosure is merely illustrative of preferred examples of the disclosure and is not intended to limit the disclosure; any modifications, equivalent substitutions, or adaptations thereof made without departing from the spirit and scope of the disclosure shall be encompassed in the claimed scope of the appended claims.

Claims (12)

  1. A method for loading storage medium, comprising:
    determining whether a storage medium connected to a local client is mapped to a remote desktop on a remote application server;
    authenticating, by the remote application server, the storage medium according to a verification credential with respect to the storage medium sent from the local client, when the storage medium is mapped to the remote desktop; and
    loading the storage medium, by the remote application server, when the storage medium passes the authentication.
  2. The method according to claim 1, further comprising:
    before authenticating the storage medium, determining, by the remote application server, whether the identity information of the storage medium mapped to the remote desktop on the remote application server and the verification credential of the storage medium acquired from the local client match each other or not;
    if they match, sending the identity information of the storage medium to a storage medium administration server, so as to allow the storage medium administration server to authenticate the storage medium.
  3. The method according to claim 2, further comprising:
    if the storage medium passes the authentication by the storage medium administration server, receiving, by the remote application server, the identity information of the storage medium administration server and a loading policy of the storage medium from the storage medium administration server.
  4. The method according to claim 3, further comprising:
    determining, by the remote application server, whether the received identity information of the storage medium administration server is consistent with a preset identity information of storage medium administration server,
    if it is consistent, authenticating the storage medium, by the remote application server, according to the verification credential of the storage medium sent from the local client, and loading the storage medium according to the loading policy when the storage medium passes the authentication.
  5. An apparatus for loading storage medium, applied on a remote application server, comprising:
    a determining unit to determine whether a storage medium connected to a local client is mapped to a remote desktop on the remote application server;
    an authenticating unit to authenticate the storage medium, according to verification credential with respect to the storage medium which is acquired from the local client, when the determination result of the determining unit is YES; and
    a loading unit to load the storage medium, when the storage medium passes the authentication.
  6. The apparatus according to claim 5, further comprising:
    a matching unit to
    before the authenticating unit authenticates the storage medium, determine whether the identity information of the storage medium mapped to the remote desktop on the remote application server and the unique identifier of the storage medium acquired from the local client match each other or not; and
    if they match, send the identity information of the storage medium to a storage medium administration server, so as to allow the storage medium administration server to identify the storage medium.
  7. The apparatus according to claim 6, further comprising:
    a receiving unit to, after the storage medium has been authenticated by the storage medium administration server, receive the identity information of the storage medium administration server and a loading policy of the storage medium from the storage medium administration server.
  8. The apparatus according to claim 7, further comprising a determining unit which is to
    determine whether the received identity information of the storage medium administration server is consistent with preset identity information of storage medium administration server, and
    if it is, allow the authenticating unit to authenticate the storage medium according to the acquired verification credential with respect to the storage medium, and allow the loading unit to load the storage medium according to the loading policy when the storage medium passes the authentication.
  9. A non-transitory machine readable storage medium storing machine readable instructions, which are executable by a processor to:
    determine whether a storage medium connected to a local client is mapped to a remote desktop on a remote application server;
    if the storage medium is mapped to the remote desktop, authenticate the storage medium, according to verification credential with respect to the storage medium which is acquired from the local client; and
    load the storage medium when the storage medium passes the authentication.
  10. The machine readable storage medium according to claim 9, wherein the machine readable instructions are further executable by the processor to:
    before authenticating the storage medium according to the verification credential, determine whether the identity information of the storage medium mapped to the remote desktop on the remote application server and the unique identifier of the storage medium acquired from the local client match each other or not; and
    if they match, send the identity information of the storage medium to a storage medium administration server, so as to allow the storage medium administration server to authenticate the storage medium.
  11. The machine readable storage medium according to claim 10, wherein the machine readable instructions are further executed by the processor to:
    when the storage medium is authenticated by the storage medium administration server, receive the identity information of the storage medium administration server and a loading policy of the storage medium from the storage medium administration server.
  12. The machine readable storage medium according to claim 11, wherein the machine readable instructions are further executed by the processor to:
    determine whether the received identity information of the storage medium administration server is consistent with preset identity information of storage medium administration server, and
    if it is consistent, authenticate the storage medium according to the verification credential with respect to the storage medium acquired from the local client, and load the storage medium according to the loading policy when the storage medium passes the authentication.
PCT/CN2015/099497 2014-12-29 2015-12-29 Loading storage medium WO2016107555A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410840830.5A CN105812319B (en) 2014-12-29 2014-12-29 Storage medium loading method and device
CN201410840830.5 2014-12-29

Publications (1)

Publication Number Publication Date
WO2016107555A1 true WO2016107555A1 (en) 2016-07-07

Family

ID=56284289

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/099497 WO2016107555A1 (en) 2014-12-29 2015-12-29 Loading storage medium

Country Status (2)

Country Link
CN (1) CN105812319B (en)
WO (1) WO2016107555A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101272242A (en) * 2008-02-29 2008-09-24 中兴通讯股份有限公司 Mobile memory system and method based on network
CN102685245A (en) * 2012-05-29 2012-09-19 北京麦谱影随科技有限公司 Method and system for data social contact storage based on internet
CN103188301A (en) * 2011-12-29 2013-07-03 北大方正集团有限公司 Method and system for processing electronic documents of distributed network and network storage server
CN103685267A (en) * 2013-12-10 2014-03-26 小米科技有限责任公司 Data access method and device
WO2014130742A1 (en) * 2013-02-20 2014-08-28 The Digital Marvels, Inc. Virtual storage system client user interface

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100337229C (en) * 2003-06-02 2007-09-12 华为技术有限公司 Network verifying, authorizing and accounting system and method
CN100555298C (en) * 2007-06-08 2009-10-28 北京飞天诚信科技有限公司 The method and apparatus of virtulizing personal office environment
CN101989196A (en) * 2009-08-04 2011-03-23 张济政 Mobile storage equipment-based parasitic operation system
CN102253902A (en) * 2011-06-10 2011-11-23 国核信息科技有限公司 Method for protecting data in mobile storage equipment
CN103428176A (en) * 2012-05-18 2013-12-04 中国电信股份有限公司 Mobile user accessing mobile Internet application method and system and application server
CN102724137B (en) * 2012-05-30 2017-04-19 杭州华三通信技术有限公司 Method and system for safely using credible mobile storage medium in off-line state
CN102882871A (en) * 2012-09-28 2013-01-16 深圳市赛蓝科技有限公司 Mobile terminal USB (universal serial bus) virtualized mapping method
CN103413086B (en) * 2013-08-23 2016-08-10 杭州华三通信技术有限公司 A kind of method and device solving credible mobile memory medium secure roaming

Also Published As

Publication number Publication date
CN105812319A (en) 2016-07-27
CN105812319B (en) 2019-07-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15875231

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15875231

Country of ref document: EP

Kind code of ref document: A1