WO2016107555A1 - Loading storage medium - Google Patents
- Publication number
- WO2016107555A1 (PCT/CN2015/099497)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- storage medium
- administration server
- identity information
- application server
- remote application
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/10—Protocols in which an application is distributed across nodes in the network
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Definitions
- a user such as an employee
- the remote desktop may store data and certain applications and settings which may be accessed by the user using a local client device which connects to the remote server over a network. While mobile office brings efficiency to enterprises, it also brings security concern to enterprises.
- Fig. 1 is a scenario schematic illustrating an application of the present disclosure in loading storage medium
- Fig. 2 is a flowchart illustrating a method for loading storage medium according to an example of the present disclosure
- Fig. 3 is a flowchart illustrating a method for loading storage medium according to an example of the present disclosure
- Fig. 4 is a diagram illustrating hardware structure of an apparatus in which a loading storage medium apparatus is installed according to an example of the present disclosure
- Fig. 5 is a diagram illustrating a loading storage medium apparatus according to an example of the present disclosure.
- a storage medium connected to a local client is mapped to a remote application desktop (hereinafter also referred to as "remote desktop") on a remote application server
- the storage medium is usually authenticated by the local client.
- the remote application server is allowed to access data stored in the storage medium. Since the data loaded from the storage medium by the remote application server is decrypted on the local client, the data may be easily leaked if it is intercepted in transmission.
- the present disclosure provides a method and apparatus for enhancing the security of a storage medium in a mobile office.
- the storage medium 101 may for example be an encrypted removable hard disk, optical disk, removable flash storage, a universal serial bus memory and so on.
- the local client 102 may be a handset, iPad, laptop, or desktop computer and so on.
- the remote application server 103 is used for distributing various types of office application software to the local client and authenticating the storage medium.
- the storage medium administration server 104 is used for identifying the identity of the storage medium.
- a mobile office application may be installed in the local client 102, and by initiating the mobile office application on the local client 102, the user may open the remote desktop on the remote application server 103 and access the office application distributed on the remote application server 103.
- the storage medium 101 connected to the local client 102 may be mapped to the remote desktop on the remote application server. That is, in response to a user opening the remote desktop on the remote application server, a mapping relationship between the storage medium and the remote desktop is built.
- the remote application server in which the remote desktop is installed may authenticate the storage medium according to a verification credential with respect to the storage medium acquired from the local client. Then, when the storage medium passes the authentication, the remote application server may be allowed to access the storage medium, such as loading data from it.
- because the storage medium is authenticated by the remote application server rather than by the local client, the data that the remote application server loads from the storage medium is decrypted into plaintext only on the remote desktop and remains encrypted while the remote application server accesses the storage medium, which improves the security of using the storage medium.
- a remote application server which may include:
- Block 201 determining whether a storage medium connected to a local client is mapped to a remote desktop on a remote application server.
- the storage medium connected to the local client may be mapped to the remote desktop through Universal Serial Bus (USB) mapping supported by Remote Desktop Protocol (RDP).
- USB: Universal Serial Bus
- RDP: Remote Desktop Protocol
- Block 202 if the storage medium is mapped to the remote desktop, authenticating, by the remote application server, the storage medium, according to a verification credential with respect to the storage medium acquired from the local client.
- the verification credential may be stored on the local client, or input by a user, and acquired by the remote application server.
- the local client may pop up a dialog box to require the user to input verification credential, and after the user inputs the verification credential in the dialog box, the local client may send the verification credential to the remote application server.
- the local client may further read the unique identifier of the storage medium, and send the unique identifier of the storage medium to the remote application server.
- the unique identifier may be “USB/VID_152D&PID_2339”
- VID represents a provider code
- PID represents a product code.
- the local client may send the unique identifier of the storage medium together with the verification credential to the remote application server after the user inputs the verification credential into the dialog box popped up in the local client.
- the remote application server may determine whether the identity information of the storage medium mapped to the remote desktop on the remote application server and the unique identifier of the storage medium match each other or not, and if they match, send the identity information of the storage medium to a storage medium administration server. Then, the storage medium administration server may determine whether the identity information of the storage medium is consistent with the preset identity information of storage medium, and if yes, it indicates that the storage medium is identified, and the storage medium administration server may send its own identity information and a loading policy to the remote application server.
- the preset identity information of storage medium means the identity information of the storage medium which is stored in the storage medium administration server in advance.
- the loading policy means a loading policy which is stored in the storage medium administration server in advance and relates to how the storage medium shall be loaded by the local client or the remote application server, and so on.
- the loading policy may be: reading operation on the storage medium, writing operation on the storage medium, or reading and writing operation on the storage medium.
- the remote application server may further determine whether the identity information of the storage medium administration server is consistent with the preset identity information of storage medium administration server, and if yes, it indicates that the storage medium administration server is authenticated.
- the preset identity information of storage medium administration server refers to a legitimate server that may be used to identify the identity of a storage medium that the remote application server is allowed to access. In general, the preset identity information of storage medium administration server is stored in the remote application server in advance.
- the remote application server may further authenticate the verification credential with respect to the storage medium acquired from the local client, and if the storage medium passes the authentication, Block 203 may be executed; otherwise, the remote application server may return an error report about the verification credential to the local client, so as to prompt the user to input the correct verification credential.
- the verification credential may be an encryption code of the storage medium
- the authentication process may be as follows: after acquiring the verification credential input from the local client, the remote application server compares it with the verification credential information that the remote application server itself extracted, and if the two are consistent, the storage medium is authenticated, i.e., passes the authentication.
- the storage medium passes the authentication, allowing the remote application server to load the storage medium.
- the remote application server may load the storage medium according to the loading policy acquired from the storage medium administration server.
- the present disclosure may effectively prevent data leaks while the remote application server accesses data in the storage medium, so as to improve the security of using the storage medium.
- a flowchart of another example of the method for loading storage medium in the present disclosure illustrates the interactions among the local client, the remote application server and the storage medium administration server, so as to describe the process for loading the storage medium in detail.
- a trusted mobile storage medium agent AGENT may be deployed on the remote application server, and the agent AGENT communicates with the local client and the storage medium administration server so as to execute a method provided in the present disclosure.
- the method may include following blocks:
- Block 301 after a storage medium is connected to a local client, the user may open the remote desktop on the remote application server by initiating a mobile office application on the local client.
- Block 302 the local client reads the unique identifier of the storage medium.
- Block 303 the storage medium connected to the local client is mapped to a remote desktop on the remote application server through USB mapping supported by RDP.
- Block 304 the local client requests the user to input a verification credential, e.g. through a dialog box.
- Block 305 after the user inputs the verification credential, the local client sends the unique identifier of the storage medium and the verification credential to the agent AGENT on the remote application server.
- Block 306 the agent AGENT determines whether the identity information of the storage medium and the unique identifier of the storage medium match each other or not.
- Block 307 if they match, the agent AGENT sends the identity information of the storage medium to the storage medium administration server.
- Block 308 the storage medium administration server determines whether the identity information of the storage medium is consistent with a preset identity information of storage medium, and if yes, it indicates that the identity of the storage medium passes the identification, and Block 309 may be executed. Otherwise, it indicates that the identity of the storage medium does not pass the identification, and Block 314 may be executed.
- Block 309 the storage medium administration server sends its own identity information and a loading policy to the agent AGENT.
- Block 310 the agent AGENT determines whether the identity information of the storage medium administration server is consistent with preset identity information of storage medium administration server, and if yes, this indicates that the identity information of the storage medium administration server passes the identification, and Block 311 may be executed. Otherwise, this indicates that the identity information of the storage medium administration server does not pass the identification, and Block 315 may be executed.
- Block 311 the agent AGENT authenticates the verification credential with respect to the storage medium acquired from the local client, and if the storage medium passes the authentication, Block 312 may be executed, and otherwise, Block 313 may be executed.
- Block 312 the agent AGENT loads the storage medium according to the loading policy.
- the agent AGENT may then inform the remote desktop on the remote application server, so that the remote desktop can access the storage medium through a file explorer as usual.
- Block 313 the agent AGENT returns an error report about the verification credential to the local client, so as to prompt the user to input the correct verification credential.
- Block 314 the storage medium administration server sends a report that the identity information of the storage medium did not pass identification to the remote application server, and Block 315 is executed.
- Block 315 the remote application server cannot load the storage medium.
- the present disclosure may help to effectively prevent data leaks while the remote application server accesses data in the storage medium and thereby improve the security of the mobile office.
- the present disclosure also provides an example of an apparatus for loading storage medium, in correspondence with the method for loading storage medium described above.
- the apparatus for loading storage medium may be realized by software or hardware or the combination of both.
- the apparatus may be an apparatus in a logical sense and formed by the processor of the apparatus reading corresponding machine readable instructions from non-transitory storage to internal memory and operating these instructions.
- the apparatus for loading storage medium in the present disclosure may comprise a processor 401, a network interface 402 and a storage 403, and may further comprise other hardware parts, such as a chip for forwarding messages and so on.
- the apparatus may be a distributed apparatus comprising multiple interface cards, so as to extend message processing at the hardware level.
- the apparatus may comprise:
- a determining unit 510 configured to determine whether a storage medium connected to a local client is mapped to a remote desktop on a remote application server;
- an authenticating unit 520 configured to authenticate the storage medium according to a verification credential with respect to the storage medium, which is acquired from the local client, when the determination result of the determining unit 510 is YES;
- a loading unit 530 configured to load the storage medium, when the storage medium passes the authentication.
- the apparatus may further comprise a matching unit 540, which is configured to:
- the authenticating unit authenticates the storage medium according to the verification credential, determine whether the identity information of the storage medium mapped to the remote desktop on the remote application server and the unique identifier of the storage medium acquired from the local client match each other or not;
- the apparatus may further comprise a receiving unit 550, which is configured to
- the apparatus may further comprise a determining unit 560, which is configured to
- the authenticating unit if it is, cause the authenticating unit to authenticate the storage medium according to the verification credential with respect to the storage medium acquired from the local client, and
- the description about an example of the apparatus is basically in correspondence with that of the method, and the detailed description is omitted and may be referenced to the description about the example of the method.
- the above-described example of apparatus is only illustrative, wherein the units described as separate components may or may not be physically separate, and the component described as a displaying unit may or may not be a physical unit and can be located in one location or distributed to a plurality of networking units.
- Those skilled in the art may readily implement the present disclosure without any inventive effort and may select some or all of the modules or units to implement according to practical needs.
- the present disclosure provides a machine readable storage medium corresponding to the method for loading storage medium as above, which is stored with machine readable instructions which are executed by processor to:
- the machine readable instructions are further executed by the processor to:
- the machine readable instructions are further executed by the processor to:
- the storage medium administration server when the storage medium is identified by the storage medium administration server, receive the identity information of the storage medium administration server and the loading policy of the storage medium from the storage medium administration server.
- the machine readable instructions are further executed by the processor to:
- the present disclosure effectively prevents data leaks while the remote application server accesses data in the storage medium, so as to improve the security of using the storage medium.
- processors may be implemented by hardware (including hardware logic circuitry), software or firmware, or a combination thereof.
- the term ‘processor’ is to be interpreted broadly to include a processing unit, ASIC, logic unit, or programmable gate array etc.
- the processes, methods and functional units may all be performed by the one or more processors; reference in this disclosure or the claims to a ‘processor’ should thus be interpreted to mean ‘one or more processors’.
- the processes, methods and functional units described in this disclosure may be implemented in the form of a computer software product.
- the computer software product is stored in a storage medium and comprises a plurality of instructions for causing a processor to implement the methods recited in the examples of the present disclosure.
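The three-party flow of Blocks 301-315 above, together with the matching, identification and credential steps described under Block 202, modelled as an added example in Python. This is not code from the patent or from its applicant: the class names, the identity strings, the loading-policy labels, the sample unique identifiers other than the one quoted in the description, and the use of a constant-time comparison for the "consistent with each other" tests are all assumptions made for the illustration. The local client's part (reading the identifier and collecting the credential) is reduced to the two arguments passed to the agent.

```python
"""Added example (not the patent's code): a minimal model of the
storage-medium loading flow in Blocks 301-315.

Roles modelled here:
  * Agent (on the remote application server): matches identity information
    against the unique identifier (Block 306), consults the administration
    server (Blocks 307-308), verifies the administration server's identity
    (Block 310), checks the verification credential (Block 311) and only
    then loads the medium under the returned loading policy (Block 312).
  * AdminServer: holds preset identity information and loading policies.

Every name, value and data structure below is constructed for illustration;
the patent specifies no formats.
"""
from dataclasses import dataclass
import hmac
import re
from typing import Dict, Optional, Tuple

# Loading policies named in the description: read, write, or read and write.
POLICY_READ, POLICY_WRITE, POLICY_READ_WRITE = "read", "write", "read_write"

# Shape of the unique identifier quoted in the description, e.g.
# "USB/VID_152D&PID_2339" (VID = provider code, PID = product code).
UID_RE = re.compile(r"^USB/VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})$")


def parse_unique_identifier(uid: str) -> Tuple[str, str]:
    """Split a unique identifier into (VID, PID); reject malformed input."""
    m = UID_RE.match(uid)
    if not m:
        raise ValueError(f"malformed unique identifier: {uid!r}")
    return m.group(1).upper(), m.group(2).upper()


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison (assumption: how to test 'consistent')."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class AdminServer:
    server_id: str                 # its own identity information
    preset: Dict[str, str]         # preset medium identity -> loading policy

    def identify(self, medium_identity: str) -> Optional[Tuple[str, str]]:
        """Blocks 308/309: (own identity, policy) if preset matches, else None (Block 314)."""
        policy = self.preset.get(medium_identity)
        if policy is None:
            return None
        return self.server_id, policy


@dataclass
class Agent:
    trusted_admin_id: str          # preset identity information of the admin server
    admin: AdminServer
    # media mapped to the remote desktop, keyed by unique identifier:
    # uid -> (identity information, credential the agent extracted)
    mapped_media: Dict[str, Tuple[str, str]]

    def load(self, uid: str, credential: str) -> Tuple[bool, str]:
        """Run Blocks 306-315 for one (identifier, credential) pair.

        Returns (True, policy) when the medium may be loaded, otherwise
        (False, reason). Every check fails closed.
        """
        parse_unique_identifier(uid)                 # malformed -> ValueError
        entry = self.mapped_media.get(uid)
        if entry is None:                            # Block 306 fails
            return False, "identity information does not match identifier"
        identity, expected_credential = entry
        result = self.admin.identify(identity)       # Blocks 307-308
        if result is None:                           # Block 314 -> Block 315
            return False, "storage medium not identified by administration server"
        admin_id, policy = result
        if not _same(admin_id, self.trusted_admin_id):   # Block 310 -> Block 315
            return False, "administration server not authenticated"
        if not _same(credential, expected_credential):   # Block 311 -> Block 313
            return False, "verification credential rejected"
        if policy not in (POLICY_READ, POLICY_WRITE, POLICY_READ_WRITE):
            return False, f"unknown loading policy {policy!r}"
        return True, policy                          # Block 312


def build_demo_agent() -> Agent:
    """Constructed sample deployment: one enrolled medium, one unenrolled one."""
    admin = AdminServer(server_id="admin-server-01", preset={"medium-A": POLICY_READ})
    return Agent(
        trusted_admin_id="admin-server-01",
        admin=admin,
        mapped_media={
            "USB/VID_152D&PID_2339": ("medium-A", "correct-code"),
            "USB/VID_1234&PID_ABCD": ("medium-X", "any"),  # not in admin preset
        },
    )


if __name__ == "__main__":
    agent = build_demo_agent()
    for uid, cred in [("USB/VID_152D&PID_2339", "correct-code"),
                      ("USB/VID_152D&PID_2339", "wrong-code"),
                      ("USB/VID_1234&PID_ABCD", "any")]:
        print(uid, cred, "->", agent.load(uid, cred))
```

The order of the checks matters for the security argument in the description: the agent authenticates the administration server (Block 310) before it trusts the loading policy that server returned, and it authenticates the credential on the server side (Block 311) so that the client never has to hold the decryption result; a failure at any step ends in Block 313 or 315 and nothing is loaded.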
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
In one example, a method includes determining whether a storage medium connected to a local client is mapped to a remote desktop on a remote application server. If the storage medium is mapped to the remote desktop, the storage medium may be authenticated according to a verification credential with respect to the storage medium acquired from the local client. The storage medium may be loaded when the storage medium passes the authentication.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410840830.5A CN105812319B (zh) | 2014-12-29 | 2014-12-29 | Storage medium loading method and apparatus |
CN201410840830.5 | 2014-12-29 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016107555A1 (fr) | 2016-07-07 |
Family
ID=56284289
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2015/099497 WO2016107555A1 (fr) | 2014-12-29 | 2015-12-29 | Loading storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN105812319B (fr) |
WO (1) | WO2016107555A1 (fr) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101272242A (zh) * | 2008-02-29 | 2008-09-24 | 中兴通讯股份有限公司 | Network-based mobile storage system and method |
CN102685245A (zh) * | 2012-05-29 | 2012-09-19 | 北京麦谱影随科技有限公司 | Internet-based data social storage method and system |
CN103188301A (zh) * | 2011-12-29 | 2013-07-03 | 北大方正集团有限公司 | Electronic file processing method, system and network storage server for a distributed network |
CN103685267A (zh) * | 2013-12-10 | 2014-03-26 | 小米科技有限责任公司 | Data access method and apparatus |
WO2014130742A1 (fr) * | 2013-02-20 | 2014-08-28 | The Digital Marvels, Inc. | Virtual storage system client user interface |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100337229C (zh) * | 2003-06-02 | 2007-09-12 | 华为技术有限公司 | Network authentication, authorization and accounting system and method |
CN100555298C (zh) * | 2007-06-08 | 2009-10-28 | 北京飞天诚信科技有限公司 | Method and device for a virtual personal office environment |
CN101989196A (zh) * | 2009-08-04 | 2011-03-23 | 张济政 | Parasitic operating system based on a mobile storage device |
CN102253902A (zh) * | 2011-06-10 | 2011-11-23 | 国核信息科技有限公司 | Method for protecting data on a mobile storage device |
CN103428176A (zh) * | 2012-05-18 | 2013-12-04 | 中国电信股份有限公司 | Method, system and application server for mobile users accessing mobile Internet applications |
CN102724137B (zh) * | 2012-05-30 | 2017-04-19 | 杭州华三通信技术有限公司 | Method and system for securely using a trusted mobile storage medium offline |
CN102882871A (zh) * | 2012-09-28 | 2013-01-16 | 深圳市赛蓝科技有限公司 | USB virtualization mapping method for a mobile terminal |
CN103413086B (zh) * | 2013-08-23 | 2016-08-10 | 杭州华三通信技术有限公司 | Method and apparatus for secure roaming of a trusted mobile storage medium |
- 2014-12-29 CN CN201410840830.5A patent/CN105812319B/zh active Active
- 2015-12-29 WO PCT/CN2015/099497 patent/WO2016107555A1/fr active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN105812319A (zh) | 2016-07-27 |
CN105812319B (zh) | 2019-07-05 |
Similar Documents
Publication | Title |
---|---|
US10796009B2 (en) | Security engine for a secure operating environment |
US10834086B1 (en) | Hybrid cloud-based authentication for flash storage array access |
US9882913B1 (en) | Delivering authorization and authentication for a user of a storage array from a cloud |
EP3326103B1 (fr) | Trusted I/O technologies for multiple coexisting trusted execution environments under ISA control |
EP2913956B1 (fr) | Management control method and apparatus for virtual machines |
US9507964B2 (en) | Regulating access using information regarding a host machine of a portable storage drive |
EP3275159B1 (fr) | Technologies for secure server access using a secure license agent |
AU2014235165B2 (en) | Application program as key for authorizing access to resources |
US9391980B1 (en) | Enterprise platform verification |
US20170359333A1 (en) | Context based switching to a secure operating system environment |
CN113557703B (zh) | Authentication method and apparatus for a network camera |
US20160048694A1 (en) | System and Method for Secure Transport of Data from an Operating System to a Pre-operating System Environment |
US9529733B1 (en) | Systems and methods for securely accessing encrypted data stores |
US20150033299A1 (en) | System and methods for ensuring confidentiality of information used during authentication and authorization operations |
US11868476B2 (en) | Boot-specific key access in a virtual device platform |
US20180183609A1 (en) | Remote attestation of a network endpoint device |
US20170249453A1 (en) | Controlling access to secured media content |
US10110568B2 (en) | Keyless access to laptop |
WO2016107555A1 (fr) | Loading storage medium |
JP6300942B2 (ja) | Method for booting a production computer system |
CN102915419A (zh) | Virus scanning method and scanning system |
JP2013114294A (ja) | Terminal device, terminal authentication method, terminal program and terminal setting recording medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15875231; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 15875231; Country of ref document: EP; Kind code of ref document: A1 |