WO2016107555A1 - Storage medium loading - Google Patents

Storage medium loading

Info

Publication number
WO2016107555A1
Authority
WO
WIPO (PCT)
Prior art keywords
storage medium
administration server
identity information
application server
remote application
Prior art date
Application number
PCT/CN2015/099497
Other languages
English (en)
Inventor
Youchun LUO
Original Assignee
Hangzhou H3C Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co., Ltd.
Publication of WO2016107555A1

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00  Network arrangements or protocols for supporting network services or applications
    • H04L 67/01  Protocols
    • H04L 67/10  Protocols in which an application is distributed across nodes in the network
    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/08  Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • a user such as an employee
  • the remote desktop may store data and certain applications and settings, which the user may access from a local client device that connects to the remote server over a network. While the mobile office brings efficiency to enterprises, it also brings security concerns.
  • Fig. 1 is a scenario schematic illustrating an application of the present disclosure in loading a storage medium
  • Fig. 2 is a flowchart illustrating a method for loading a storage medium according to an example of the present disclosure
  • Fig. 3 is a flowchart illustrating a method for loading a storage medium according to another example of the present disclosure
  • Fig. 4 is a diagram illustrating the hardware structure of an apparatus in which a storage medium loading apparatus is installed according to an example of the present disclosure
  • Fig. 5 is a diagram illustrating a storage medium loading apparatus according to an example of the present disclosure.
  • a storage medium connected to a local client is mapped to a remote application desktop (hereinafter also referred to as the "remote desktop") on a remote application server
  • usually, the storage medium is authenticated by the local client.
  • the remote application server is then allowed to access data stored in the storage medium. Because the data that the remote application server loads from the storage medium is decrypted on the local client, it can easily leak if it is intercepted in transit.
  • the present disclosure provides a method and apparatus for enhancing the security of a storage medium in a mobile office.
  • the storage medium 101 may for example be an encrypted removable hard disk, optical disk, removable flash storage, a USB memory device and so on.
  • the local client 102 may be a handset, iPad, laptop, or desktop computer and so on.
  • the remote application server 103 is used for distributing various types of office application software to the local client and authenticating the storage medium.
  • the storage medium administration server 104 is used for identifying the identity of the storage medium.
  • a mobile office application may be installed in the local client 102, and by initiating the mobile office application on the local client 102, the user may open the remote desktop on the remote application server 103 and access the office application distributed on the remote application server 103.
  • the storage medium 101 connected to the local client 102 may be mapped to the remote desktop on the remote application server. That is, in response to a user opening the remote desktop on the remote application server, a mapping relationship between the storage medium and the remote desktop is built.
  • the remote application server on which the remote desktop runs may authenticate the storage medium according to a verification credential with respect to the storage medium acquired from the local client. Then, when the storage medium passes the authentication, the remote application server may be allowed to access the storage medium, for example to load data from it.
  • because the storage medium is authenticated by the remote application server rather than by the local client, the data that the remote application server loads from the storage medium is decrypted into plaintext only on the remote desktop and remains encrypted while the remote application server accesses the storage medium, which improves the security of using the storage medium.
  • a remote application server which may include:
  • Block 201 determining whether a storage medium connected to a local client is mapped to a remote desktop on a remote application server.
  • the storage medium connected to the local client may be mapped to the remote desktop through Universal Serial Bus (USB) mapping supported by Remote Desktop Protocol (RDP) .
  • USB: Universal Serial Bus
  • RDP: Remote Desktop Protocol
  • Block 202 if the storage medium is mapped to the remote desktop, authenticating, by the remote application server, the storage medium, according to a verification credential with respect to the storage medium acquired from the local client.
  • the verification credential may be stored on the local client, or input by a user, and acquired by the remote application server.
  • the local client may pop up a dialog box to require the user to input verification credential, and after the user inputs the verification credential in the dialog box, the local client may send the verification credential to the remote application server.
  • the local client may further read the unique identifier of the storage medium, and send the unique identifier of the storage medium to the remote application server.
  • the unique identifier may be "USB/VID_152D&PID_2339"
  • VID is the USB vendor ID (assigned to the device manufacturer)
  • PID is the product ID (assigned by that manufacturer to the device model).
  • the local client may send the unique identifier of the storage medium together with the verification credential to the remote application server after the user inputs the verification credential into the dialog box popped up in the local client.
  • the remote application server may determine whether the identity information of the storage medium mapped to the remote desktop on the remote application server matches the unique identifier of the storage medium received from the local client. If they match, it sends the identity information of the storage medium to a storage medium administration server. The storage medium administration server then determines whether that identity information is consistent with the preset identity information of the storage medium; if so, the storage medium is identified, and the storage medium administration server sends its own identity information and a loading policy to the remote application server.
  • the preset identity information of storage medium means the identity information of the storage medium which is stored in the storage medium administration server in advance.
  • the loading policy means a loading policy which is stored in the storage medium administration server in advance and relates to how the storage medium shall be loaded by the local client or the remote application server, and so on.
  • the loading policy may be: reading operation on the storage medium, writing operation on the storage medium, or reading and writing operation on the storage medium.
  • the remote application server may further determine whether the identity information of the storage medium administration server is consistent with the preset identity information of storage medium administration server, and if yes, it indicates that the storage medium administration server is authenticated.
  • the preset identity information of storage medium administration server refers to a legal server that may be used to identify the identity of the storage medium that can be accessed by the remote application server. In general, the preset identity information of storage medium administration server is stored in the remote application server in advance.
  • the remote application server may further authenticate the verification credential with respect to the storage medium acquired from the local client. If the storage medium passes the authentication, Block 203 may be executed; otherwise, the remote application server may return an error report about the verification credential to the local client, so as to prompt the user to input the correct verification credential.
  • the verification credential may be an encryption code of the storage medium
  • the authentication process may be as follows: after acquiring the verification credential input on the local client, the remote application server compares it with the verification credential information that the remote application server itself extracted, and if the two are consistent, the storage medium is authenticated, i.e. passes the authentication.
  • when the storage medium passes the authentication, the remote application server is allowed to load the storage medium.
  • the remote application server may load the storage medium according to the loading policy acquired from the storage medium administration server.
  • the present disclosure may effectively prevent data leaks while the remote application server accesses data in the storage medium, so as to improve the security of using the storage medium.
  • a flowchart of another example of the method for loading a storage medium in the present disclosure illustrates the interactions among the local client, the remote application server and the storage medium administration server, so as to describe the process for loading the storage medium in detail.
  • a trusted mobile storage medium agent (AGENT) may be deployed on the remote application server; the agent communicates with the local client and the storage medium administration server in order to execute the method provided in the present disclosure.
  • the method may include following blocks:
  • Block 301 after a storage medium is connected to a local client, the user may open the remote desktop on the remote application server by initiating a mobile office application on the local client.
  • Block 302 the local client reads the unique identifier of the storage medium.
  • Block 303 the storage medium connected to the local client is mapped to a remote desktop on the remote application server through USB mapping supported by RDP.
  • Block 304 the local client requests the user to input a verification credential, e.g. through a dialog box.
  • Block 305 after the user inputs the verification credential, the local client sends the unique identifier of the storage medium and the verification credential to the agent AGENT on the remote application server.
  • Block 306 the agent AGENT determines whether the identity information of the storage medium and the unique identifier of the storage medium match each other or not.
  • Block 307 if they match, the agent AGENT sends the identity information of the storage medium to the storage medium administration server.
  • Block 308 the storage medium administration server determines whether the identity information of the storage medium is consistent with a preset identity information of storage medium, and if yes, it indicates that the identity of the storage medium passes the identification, and Block 309 may be executed. Otherwise, it indicates that the identity of the storage medium does not pass the identification, and Block 314 may be executed.
  • Block 309 the storage medium administration server sends its own identity information and a loading policy to the agent AGENT.
  • Block 310 the agent AGENT determines whether the identity information of the storage medium administration server is consistent with preset identity information of storage medium administration server, and if yes, this indicates that the identity information of the storage medium administration server passes the identification, and Block 311 may be executed. Otherwise, this indicates that the identity information of the storage medium administration server does not pass the identification, and Block 315 may be executed.
  • Block 311 the agent AGENT authenticates the verification credential with respect to the storage medium acquired from the local client, and if the storage medium passes the authentication, Block 312 may be executed, and otherwise, Block 313 may be executed.
  • Block 312 the agent AGENT loads the storage medium according to the loading policy.
  • the agent AGENT may inform the remote desktop on the remote application server, so as to allow the remote desktop to access the storage medium through a file explorer as usual.
  • Block 313 the agent AGENT returns an error report about verification credential to the local client, so as to inform the user to input correct verification credential.
  • Block 314 the storage medium administration server sends a report about the identity information of the storage medium not passing identification to the remote application server, and Block 315 is executed.
  • Block 315 the remote application server cannot load the storage medium.
  • the present disclosure may help to effectively prevent data leaks while the remote application server accesses data in the storage medium, and thereby improve the security of the mobile office.
  • the present disclosure also provides an example of an apparatus for loading storage medium, in correspondence with the method for loading storage medium described above.
  • the apparatus for loading storage medium may be realized by software or hardware or the combination of both.
  • the apparatus may be an apparatus in a logical sense, formed by the processor of the apparatus reading corresponding machine readable instructions from non-transitory storage into internal memory and executing those instructions.
  • the apparatus for loading a storage medium in the present disclosure may comprise a processor 401, a network interface 402 and storage 403, and may further comprise other hardware parts, such as a chip for forwarding messages and so on.
  • the apparatus may be a distributed apparatus and comprise multiple interface cards, so as to perform the extension of message processing in hardware level.
  • the apparatus may comprise:
  • a determining unit 510 configured to determine whether a storage medium connected to a local client is mapped to a remote desktop on a remote application server;
  • an authenticating unit 520 configured to authenticate the storage medium, according to verification credential with respect to the storage medium which is acquired from the local client when the determination result of the determining unit 510 is YES;
  • a loading unit 530 configured to load the storage medium, when the storage medium passes the authentication.
  • the apparatus may further comprise a matching unit 540, which is configured to:
  • the authenticating unit authenticates the storage medium according to the verification credential, determine whether the identity information of the storage medium mapped to the remote desktop on the remote application server and the unique identifier of the storage medium acquired from the local client match each other or not;
  • the apparatus may further comprise a receiving unit 550, which is configured to
  • the apparatus may further comprise a determining unit 560, which is configured to
  • the authenticating unit if it is, cause the authenticating unit to authenticate the storage medium according to the verification credential with respect to the storage medium acquired from the local client, and
  • the description about an example of the apparatus is basically in correspondence with that of the method, and the detailed description is omitted and may be referenced to the description about the example of the method.
  • the above-described example of apparatus is only illustrative, wherein the units described as separate components may or may not be physically separate, and the component described as a displaying unit may or may not be a physical unit and can be located in one location or distributed to a plurality of networking units.
  • Those skilled in the art may readily implement the present disclosure without any inventive effort and may select some or all of the modules or units to implement according to practical needs.
  • the present disclosure provides a machine readable storage medium corresponding to the method for loading storage medium as above, which is stored with machine readable instructions which are executed by processor to:
  • the machine readable instructions are further executed by the processor to:
  • the machine readable instructions are further executed by the processor to:
  • the storage medium administration server when the storage medium is identified by the storage medium administration server, receive the identity information of the storage medium administration server and the loading policy of the storage medium from the storage medium administration server.
  • the machine readable instructions are further executed by the processor to:
  • the present disclosure effectively prevents data leaks while the remote application server accesses the data in the storage medium, so as to improve the security of using the storage medium.
  • processors may be implemented by hardware (including hardware logic circuitry) , software or firmware or a combination thereof.
  • the term ‘processor’ is to be interpreted broadly to include a processing unit, ASIC, logic unit, or programmable gate array etc.
  • the processes, methods and functional units may all be performed by the one or more processors; reference in this disclosure or the claims to a ‘processor’ should thus be interpreted to mean ‘one or more processors’ .
  • the processes, methods and functional units described in this disclosure may be implemented in the form of a computer software product.
  • the computer software product is stored in a storage medium and comprises a plurality of instructions for causing a processor to implement the methods recited in the examples of the present disclosure.
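The three-party flow of Blocks 201-203 and 301-315 (local client, agent on the remote application server, storage medium administration server), as an added simulation written for this page; it is not the patent's or H3C's code. Each check in the flow returns the branch the exchange ends on, so the failure paths (Blocks 313, 314, 315 and a mismatch at Block 306) are exercised as well as the success path. Assumptions not in the page: the agent compares the user's credential against a SHA-256 digest it extracts from the mapped medium, server identities are compared as opaque strings with a constant-time comparison, and the identifiers, credential and host names are constructed sample values. One caveat the page glosses over: a USB VID/PID pair names a device model, not one physical unit, so a deployment that treats it as the "unique identifier" should carry something instance-specific (such as a serial number) in the identity information as well.

```python
"""Simulation of the storage-medium loading flow (Blocks 201-203, 301-315).
Example code for this page; all names and sample values are constructed."""
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class LoadPolicy(Enum):
    """Loading policy stored in advance on the administration server."""
    READ = "read"
    WRITE = "write"
    READ_WRITE = "read_write"


class Outcome(Enum):
    LOADED = "loaded"                                      # Block 312
    NOT_MAPPED = "not_mapped"                              # Block 201: nothing mapped
    IDENTITY_MISMATCH = "identity_mismatch"                # Block 306 fails: cannot load
    MEDIUM_NOT_IDENTIFIED = "medium_not_identified"        # Block 308 fails: 314 then 315
    ADMIN_SERVER_NOT_TRUSTED = "admin_server_not_trusted"  # Block 310 fails: 315
    BAD_CREDENTIAL = "bad_credential"                      # Block 311 fails: 313


# Identifier shape quoted on the page: "USB/VID_152D&PID_2339"
_USB_ID = re.compile(r"^USB/VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})$")


def parse_usb_identifier(ident: str) -> tuple[int, int]:
    """Split a USB device identifier into (vendor_id, product_id)."""
    m = _USB_ID.match(ident)
    if m is None:
        raise ValueError(f"not a USB VID/PID identifier: {ident!r}")
    return int(m.group(1), 16), int(m.group(2), 16)


def credential_digest(credential: str) -> bytes:
    """Assumption: the medium carries a SHA-256 digest of its verification
    credential, which the agent extracts and compares with the user's input."""
    return hashlib.sha256(credential.encode()).digest()


@dataclass
class MappedMedium:
    """A storage medium the remote desktop sees through RDP USB redirection."""
    identity: str             # identity information observed on the server side
    credential_digest: bytes  # extracted from the medium (assumed representation)


def _matches(mapped: MappedMedium, wanted: tuple[int, int]) -> bool:
    try:
        return parse_usb_identifier(mapped.identity) == wanted
    except ValueError:
        return False


@dataclass
class AdminServer:
    """Storage medium administration server: holds preset identities and policies."""
    identity: str                                                    # returned in Block 309
    registry: dict[str, LoadPolicy] = field(default_factory=dict)   # preset identity -> policy

    def identify(self, medium_identity: str) -> Optional[tuple[str, LoadPolicy]]:
        """Block 308/309: own identity plus loading policy, or None (Block 314)."""
        policy = self.registry.get(medium_identity)
        return None if policy is None else (self.identity, policy)


@dataclass
class Agent:
    """Trusted mobile storage medium agent on the remote application server."""
    trusted_admin_identity: str                                      # preset admin identity
    mapped_media: list[MappedMedium] = field(default_factory=list)

    def load(self, admin: AdminServer, client_unique_id: str,
             credential: str) -> tuple[Outcome, Optional[LoadPolicy]]:
        # Block 201: is any storage medium mapped to this remote desktop?
        if not self.mapped_media:
            return Outcome.NOT_MAPPED, None
        # Block 306: identity seen through the mapping must match the client's identifier
        try:
            wanted = parse_usb_identifier(client_unique_id)
        except ValueError:
            return Outcome.IDENTITY_MISMATCH, None
        medium = next((m for m in self.mapped_media if _matches(m, wanted)), None)
        if medium is None:
            return Outcome.IDENTITY_MISMATCH, None
        # Blocks 307-309: ask the administration server to identify the medium
        reply = admin.identify(medium.identity)
        if reply is None:
            return Outcome.MEDIUM_NOT_IDENTIFIED, None
        admin_identity, policy = reply
        # Block 310: the answering server must be the preset, legal administration server
        if not hmac.compare_digest(admin_identity.encode(), self.trusted_admin_identity.encode()):
            return Outcome.ADMIN_SERVER_NOT_TRUSTED, None
        # Block 311: verify the user's credential against what the agent extracted
        if not hmac.compare_digest(credential_digest(credential), medium.credential_digest):
            return Outcome.BAD_CREDENTIAL, None
        # Block 312: load according to the policy the administration server returned
        return Outcome.LOADED, policy


def build_demo() -> tuple[Agent, AdminServer]:
    """Constructed sample deployment: one enrolled medium with a read-only policy."""
    medium = MappedMedium("USB/VID_152D&PID_2339", credential_digest("correct horse"))
    admin = AdminServer("admin.example.internal", {medium.identity: LoadPolicy.READ})
    agent = Agent("admin.example.internal", [medium])
    return agent, admin


if __name__ == "__main__":
    agent, admin = build_demo()
    print(agent.load(admin, "USB/VID_152D&PID_2339", "correct horse"))
    print(agent.load(admin, "USB/VID_152D&PID_2339", "wrong"))
```

The order of the checks follows the flowchart: the administration server is only consulted once the mapped medium and the client-reported identifier agree, and the user's credential is only checked after the agent has confirmed that the answering administration server is the preset one, so a wrong credential never reaches an untrusted server.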


Abstract

In one example, a method includes determining whether a storage medium connected to a local client is mapped to a remote desktop on a remote application server. If the storage medium is mapped to the remote desktop, the storage medium may be authenticated according to a verification credential with respect to the storage medium acquired from the local client. The storage medium may be loaded when the storage medium passes the authentication.
PCT/CN2015/099497 2014-12-29 2015-12-29 Storage medium loading WO2016107555A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410840830.5A CN105812319B (zh) 2014-12-29 2014-12-29 Storage medium loading method and apparatus
CN201410840830.5 2014-12-29

Publications (1)

Publication Number Publication Date
WO2016107555A1 true WO2016107555A1 (fr) 2016-07-07

Family

ID=56284289

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/099497 WO2016107555A1 (fr) 2014-12-29 2015-12-29 Storage medium loading

Country Status (2)

Country Link
CN (1) CN105812319B (fr)
WO (1) WO2016107555A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101272242A (zh) * 2008-02-29 2008-09-24 中兴通讯股份有限公司 Network-based mobile storage system and method
CN102685245A (zh) * 2012-05-29 2012-09-19 北京麦谱影随科技有限公司 Internet-based social data storage method and system
CN103188301A (zh) * 2011-12-29 2013-07-03 北大方正集团有限公司 Electronic file processing method and system for a distributed network, and network storage server
CN103685267A (zh) * 2013-12-10 2014-03-26 小米科技有限责任公司 Data access method and apparatus
WO2014130742A1 (fr) * 2013-02-20 2014-08-28 The Digital Marvels, Inc. Virtual storage system client user interface

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100337229C (zh) * 2003-06-02 2007-09-12 华为技术有限公司 Network authentication, authorization and accounting system and method
CN100555298C (zh) * 2007-06-08 2009-10-28 北京飞天诚信科技有限公司 Method and device for a virtual personal office environment
CN101989196A (zh) * 2009-08-04 2011-03-23 张济政 Parasitic operating system based on a mobile storage device
CN102253902A (zh) * 2011-06-10 2011-11-23 国核信息科技有限公司 Method for protecting data on a mobile storage device
CN103428176A (zh) * 2012-05-18 2013-12-04 中国电信股份有限公司 Method, system and application server for a mobile user to access a mobile Internet application
CN102724137B (zh) * 2012-05-30 2017-04-19 杭州华三通信技术有限公司 Method and system for offline secure use of a trusted mobile storage medium
CN102882871A (zh) * 2012-09-28 2013-01-16 深圳市赛蓝科技有限公司 USB virtualization mapping method for a mobile terminal
CN103413086B (zh) * 2013-08-23 2016-08-10 杭州华三通信技术有限公司 Method and apparatus for secure roaming of a trusted mobile storage medium


Also Published As

Publication number Publication date
CN105812319A (zh) 2016-07-27
CN105812319B (zh) 2019-07-05

Similar Documents

Publication Publication Date Title
US10796009B2 (en) Security engine for a secure operating environment
US10834086B1 (en) Hybrid cloud-based authentication for flash storage array access
US9882913B1 (en) Delivering authorization and authentication for a user of a storage array from a cloud
EP3326103B1 (fr) Technologies for trusted I/O for multiple coexisting trusted execution environments under ISA control
EP2913956B1 (fr) Management control method and apparatus for virtual machines
US9507964B2 (en) Regulating access using information regarding a host machine of a portable storage drive
EP3275159B1 (fr) Technologies for secure server access using a secure license agent
AU2014235165B2 (en) Application program as key for authorizing access to resources
US9391980B1 (en) Enterprise platform verification
US20170359333A1 (en) Context based switching to a secure operating system environment
CN113557703B (zh) Authentication method and apparatus for a network camera
US20160048694A1 (en) System and Method for Secure Transport of Data from an Operating System to a Pre-operating System Environment
US9529733B1 (en) Systems and methods for securely accessing encrypted data stores
US20150033299A1 (en) System and methods for ensuring confidentiality of information used during authentication and authorization operations
US11868476B2 (en) Boot-specific key access in a virtual device platform
US20180183609A1 (en) Remote attestation of a network endpoint device
US20170249453A1 (en) Controlling access to secured media content
US10110568B2 (en) Keyless access to laptop
WO2016107555A1 (fr) Storage medium loading
JP6300942B2 (ja) Method for booting a production computer system
CN102915419A (zh) Virus scanning method and scanning system
JP2013114294A (ja) Terminal device, terminal authentication method, terminal program and terminal setting recording medium

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 15875231; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: PCT application non-entry in European phase (Ref document number: 15875231; Country of ref document: EP; Kind code of ref document: A1)