CN100390699C - Authority identification method using plug-and-play device and system applying method - Google Patents


Info

Publication number
CN100390699C
Authority
CN (China)
Prior art keywords
user, plug, storage device, data, play
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB2004100559731A
Other languages
Chinese (zh)
Other versions
CN1734387A (en)
Inventor
林雅雯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Acer Inc
Original Assignee
Acer Inc

Landscapes

  • Storage Device Security (AREA)

Abstract

An authority identification method using a plug-and-play device, and a system applying the method, judge whether a plug-and-play storage device electrically connected to a plug-and-play port of a data processing device is a legitimate device. The method comprises the following steps: A) detecting whether at least one electronic certificate exists in one of the plug-and-play storage device and the data processing device; B) if so, requesting the input of a user private key; C) checking the user private key; D) if the check succeeds, allowing data to be written to the plug-and-play storage device.

Description

Authority identification method using a plug-and-play device and system applying the method

Technical field

The present invention relates to a usage-authority identification method, and in particular to an authority identification method using a plug-and-play device, and a system applying the method, for judging whether a plug-and-play storage device electrically connected to a plug-and-play port of a data processing device is a legitimate device.

Background

In recent years the popularity of portable plug-and-play storage devices such as flash drives, digital cameras and the Apple iPod has made the circulation of electronic data far more convenient. These devices have capacities from 64MB to 1GB and mostly use the very fast USB or 1394 interfaces, so once one is plugged into a computer, large amounts of the data stored on that computer can be transferred or copied very quickly. This is a great convenience for users, but it correspondingly makes such electronic data harder for its administrators to control.

To prevent a user from using a plug-and-play storage device to freely copy the electronic data stored on any computer and so leak it, there are at present roughly two kinds of control. In the first, a remote console issues a command to a managed terminal computer to close or open its plug-and-play ports, such as USB ports and 1394 ports; the terminal computer then decides, according to the command, whether to remove the registry entries of the devices on these ports from its operating system, thereby forbidding or permitting the use of plug-and-play storage devices. This, however, locks down only the computer: it can merely open or close the ports and cannot flexibly grant different permissions according to the identity of the user.

In the other, a user who holds an account on the terminal computer has the peripheral connection ports opened or closed according to that account, so as to limit the user's rights. Although this approach does confirm usage rights against the user's identity, it is limited to users who hold an account on that personal computer, which greatly reduces the convenience of plug-and-play storage devices. Moreover, once a user has opened the peripheral ports with an account, the computer no longer controls them; if someone else then connects a plug-and-play storage device to that computer, that person inherits the rights of the user who opened it, which is a serious loophole in the control of the data stored on the computer.

Summary of the invention

The object of the present invention is therefore to provide an authority identification method using a plug-and-play device, and a system applying the method, which judge whether a plug-and-play storage device electrically connected to a plug-and-play port of a data processing device is a legitimate device on the basis of the identity of the device's user, without sacrificing the convenience of the plug-and-play storage device.

Accordingly, the present invention discloses an authority identification method using a plug-and-play device, for judging whether a plug-and-play storage device electrically connected to a plug-and-play port of a data processing device is a legitimate device, comprising the following steps: A) detecting whether at least one electronic certificate exists in one of the plug-and-play storage device and the data processing device; B) if so, requesting the input of a user private key; C) checking the user private key; D) if the check succeeds, allowing data to be written to the plug-and-play storage device.

The present invention further discloses an authority identification method using a plug-and-play device, applied to a control end and a user end that are connected to each other over a network, the control end having a server and the user end having at least one data processing device, the method comprising the following steps: A) detecting whether at least one electronic certificate exists in one of the plug-and-play storage device and the data processing device; B) if so, requesting the input of a user private key; C) checking the user private key; D) if the check succeeds, allowing data to be written to the plug-and-play storage device.

The present invention also discloses a computer-readable recording medium which can be loaded onto a data processor in order to judge whether a plug-and-play storage device electrically connected to a plug-and-play port of that data processor is a legitimate device. The recording medium holds program code that drives the data processor to perform the following steps: A) detecting whether at least one electronic certificate exists in one of the plug-and-play storage device and the data processing device; B) if so, requesting the input of a user private key; C) checking the user private key; D) if the check succeeds, allowing data to be written to the plug-and-play storage device.

The present invention further discloses an authority identification system using a plug-and-play device, for judging whether a plug-and-play storage device electrically connected to a plug-and-play port of a data processing device is a legitimate device, the system comprising a plug-and-play storage device, a server, and at least one data processor. The server issues an electronic certificate specific to an applicant. The data processor is connected to the server over a network, has at least one plug-and-play port and has an application program installed; whenever it detects that the plug-and-play storage device has been electrically connected to the port, it judges whether the electronic certificate exists, requests the input of a user private key if so, and allows data to be written to the plug-and-play storage device once the check succeeds.

Brief description of the drawings

Fig. 1 is a schematic diagram illustrating a preferred embodiment of the authority identification system using a plug-and-play device of the present invention;

Fig. 2 is a block diagram illustrating a remote management program;

Fig. 3 is a flow chart illustrating an electronic certificate application procedure;

Fig. 4 is a block diagram illustrating an agent program;

Fig. 5 is a flow chart illustrating part of the operation of the authority identification method using a plug-and-play device of the present invention;

Fig. 6 is a flow chart illustrating the remaining operation, continuing from Fig. 5.

Reference symbols

1 identification system
11 remote management centre
12 terminal
13 terminal
2 remote management program
21 certificate management module
22 security level management module
23 file record maintenance module
3 agent program
31 certificate verification module
32 usage rights retrieval module
501-504 steps
701-717 steps

Detailed description of the preferred embodiment

The foregoing and other technical contents, features and advantages of the present invention will become clear from the following detailed description of a preferred embodiment with reference to the accompanying drawings.

Referring first to Fig. 1, the authority identification system 1 of the present invention using a plug-and-play device judges whether a plug-and-play storage device electrically connected to a plug-and-play port of a data processing device is a legitimate device. Its purpose is to effectively monitor the electronic files owned by a company, to prevent those files from being freely copied or downloaded to a plug-and-play storage device 6 by unapproved users, and, for approved users, to restrict and record what they do with those files according to their usage rights, so that the movement of the files is fully traceable and the company's files receive the most reliable protection.

The identification system 1 comprises a control end and a user end and is built on a local area network (intranet) or on the Internet. The control end has a server 11 and the user end has at least one network-capable data processing device 12. A remote management program 2 is installed on the server 11, and an agent program 3 and a file system driver 4 are installed on the data processing device 12. In this embodiment the data processing device 12 is a terminal with at least one plug-and-play port (not shown), but it could equally be a PDA or other electronic device with at least one plug-and-play port; the invention is not limited to this. For convenience, the server 11 is referred to below as the remote management centre 11 and the data processing device 12 as the terminal 12.

Referring to Figs. 2 and 3, the remote management program 2 is installed on the remote management centre 11 and has a certificate management module 21 and a security level management module 22. The certificate management module 21 holds a matching pair of an administrator public key and an administrator private key, with which it establishes a strict authentication mechanism for managing the issuance, renewal and revocation of electronic certificates. Certificate issuance follows the X.509 international standard defined by ITU-T (CCITT); the procedure is shown in Fig. 3 and summarized as follows. In step 501, the certificate management module 21 receives certificate application data sent by the user from a terminal 13 running a certificate application program (Certificate Issue Agent), together with a password that serves as the user private key. Under X.509 the application data should include the user's name, department and country.

In steps 502 and 503, the certificate management module 21 generates a user public key corresponding to that user private key, and encrypts the user's application data and the user public key with the administrator private key to form an electronic certificate specific to the user. In step 504 the certificate is delivered, as the user specifies, to the terminal or to the peripheral storage device. Once the user has received the electronic certificate issued by the remote management centre 11, it can be stored on a plug-and-play storage device 6 or on a terminal 12, so that the terminal 12 can verify it when the plug-and-play storage device 6 is used.

The user public key is paired with the user private key: information encrypted with one of the keys can only be decrypted with the other. Since public-key cryptography is a technique in common use and not the focus of the present invention, it is not described further here.

Referring to Fig. 2, the security level management module 22 holds a usage rights list, drawn up by the administrators of the remote management centre 11, which assigns different rights over plug-and-play devices according to the identity of the user. In this embodiment there are two levels of rights: read only, under which the user may only read the data stored on the plug-and-play device, and read/write, under which the user may also write data to it. The division of rights could of course also be made per electronic file, with different files assigned different levels and a user able to read or write only the files within the scope of the user's own level; the invention is not limited to what this embodiment discloses.

Referring to Figs. 1 and 4, the terminal 12 has the agent program 3 installed, which has a certificate verification module 31 and a usage rights retrieval module 32. When a plug-and-play storage device 6 is inserted into a plug-and-play port of the terminal 12, the certificate verification module 31 searches the plug-and-play storage device 6 and the terminal 12 for electronic certificates. Since neither a terminal 12 nor a plug-and-play storage device 6 limits the number of electronic certificates it can hold, several may be found; in this embodiment the certificate verification module 31 lists the certificates it finds on the display of the terminal 12 so that the user can select the one that belongs to them. Alternatively, the user could directly enter the storage address of the electronic certificate for the certificate verification module 31 to use.

The certificate verification module 31 periodically downloads the administrator public key from the remote management centre 11 and keeps it up to date. Once it has obtained an electronic certificate it verifies it with this administrator public key. As described above, the electronic certificate was encrypted by the certificate management module 21 with the administrator private key, so if it was indeed produced by the certificate management module 21 the verification succeeds and yields the user's application data and user public key. Otherwise the electronic certificate is deemed illegitimate, and the certificate verification module 31 sends a request asking the terminal 12 to stop supplying power to the plug-and-play storage device 6, so that the device cannot be used.

Once the certificate verification module 31 has confirmed the legitimacy of the electronic certificate with the administrator public key, it generates a random number and encrypts it with the user public key obtained from the verified certificate, producing a ciphertext. It then asks the user to enter the user private key to decrypt this ciphertext, and checks whether the decrypted data equals the random number it originally generated.

If they are the same, the user is confirmed to be legitimate and control passes to the usage rights retrieval module 32, which restricts the user's permitted actions according to the user's rights. If not, the user is treated as illegitimate and a request is sent asking the terminal 12 to stop supplying power to the plug-and-play storage device 6.

The usage rights retrieval module 32 periodically downloads and updates the usage rights list at the terminal 12. After the certificate verification module 31 has matched the user's identity against the list and confirmed the user's rights, those rights determine whether the user may read and write the plug-and-play storage device 6 or only read the data stored on it. If the user's name is not on the usage rights list, the user is likewise treated as illegitimate and the terminal 12 stops supplying power to the plug-and-play storage device 6. In this way, after a plug-and-play storage device 6 is connected, the terminal 12 identifies the user and confirms the user's rights through an authentication mechanism and restricts the user's permitted actions accordingly; this preserves the convenience of the plug-and-play storage device 6 while making data control more reliable.

To make data management stricter still, the administrator can use the security level management module 22 of the remote management program 2 to define a terminal security level list and download it to the usage rights retrieval module 32 of each terminal 12. According to the duties of the users assigned to it, each terminal 12 is given a high, medium or low security level that determines whether it may use the plug-and-play storage device 6 at all. At the high level the terminal 12 is forbidden to use the plug-and-play storage device 6, that is, it does not supply the power the device needs; at the medium level only users on the usage rights list may use the plug-and-play storage device 6; at the low level the terminal 12 imposes no restriction on the plug-and-play storage device 6.

Therefore, when the terminal 12 starts up, the usage rights retrieval module 32 first checks the security level to which the terminal 12 belongs. The identification system 1 thus adds a restriction based on the security level of the terminal 12 to the original identification of the user.

The remote management program 2 additionally has a file record maintenance module 23, and the terminal 12 also has a file system driver 4. Once the user's identity is confirmed, the usage rights retrieval module 32 sends a signal that drives the file system driver 4 to record the user's actions, and this data is periodically sent to the file record maintenance module 23 of the remote management program 2 for the administrator to consult when records need to be checked. This makes data management more rigorous.

Referring to Figs. 1, 5 and 6, the identification method of the authority identification system 1 described above is summarized as follows. In step 701 the terminal 12 detects that the user has connected a plug-and-play storage device 6 to a plug-and-play port. In step 702 the usage rights retrieval module 32 reads the security level of the terminal 12: if the level is high, step 703 is executed; if medium, step 704. In step 703, the security level being high, power to the plug-and-play storage device 6 is cut off. In step 704, the security level being medium, the certificate verification module 31 searches for an electronic certificate and proceeds to step 706 if one is found, otherwise to step 705.

In step 705, no electronic certificate having been found, the user is restricted to reading the data on the plug-and-play storage device 6. In steps 706 and 707 the certificate verification module 31 verifies (authenticates) the electronic certificate with the administrator public key to establish whether it is genuine. If the result shows the certificate to be valid, the user public key (k1) and the application data are obtained; this shows that the certificate was issued by a recognized certificate management module 21 and is legitimate, and the method proceeds to step 708. Otherwise it goes to step 703.

In step 708 the certificate verification module 31 generates a random number (R), and in step 709 encrypts it with the user public key obtained from the verification, producing a ciphertext. This encryption step can be expressed by the following equation:

C = E_k1(R),

where E is the encryption function, k1 the user public key, R the random number and C the ciphertext obtained by encrypting R with k1. Next, in steps 710 and 711, the certificate verification module 31 asks the user to enter a password, namely the user private key (k2), with which the ciphertext is decrypted. This decryption step can be expressed by the following equation:

R' = D_k2(C),

where D is the decryption function, k2 the user private key, C the ciphertext obtained by encrypting the random number R with the user public key k1, and R' the data obtained by decryption. In step 712 the decrypted data is compared with the random number originally generated by the certificate verification module 31: if they differ, the method goes to step 703; if they are the same, the user is confirmed to be legitimate and the method proceeds to step 713. In step 713 the usage rights retrieval module 32 looks up the usage rights list by the user's identity, so as to restrict the permitted actions according to the user's rights.

If the user has read/write rights over the plug-and-play storage device 6, the method proceeds to step 714; if only read rights, to step 705; and if the user's name is not on the usage rights list, the user is treated as illegitimate and the method goes to step 703. In steps 714 to 716, once the user's identity has been confirmed, the usage rights retrieval module 32 sends a signal that drives the file system driver 4 to record the user's actions, and this record is periodically sent to the file record maintenance module 23 of the remote management centre 11 for storage, so that the administrator can consult it when records need to be checked.
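The certificate issuance of steps 501-504 and the verification, challenge-response and rights decision of steps 701-716, as an added example that is not part of the patent: a toy model in Python that assumes textbook RSA on small fixed primes in place of X.509 certificates, a constructed application record and usage rights list, and a `respond` callback standing in for the user entering the private key k2.

```python
"""Toy model of the CN100390699C flow: certificate issuance (steps 501-504),
certificate validation and random-number challenge (steps 706-712), and the
security-level / usage-rights decision (steps 702-716).  Textbook RSA on
small fixed primes stands in for X.509: an assumption for illustration only,
not production cryptography."""
import hashlib
import json
import secrets


def toy_rsa_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)) for the small primes p, q (illustrative only)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)


def rsa_apply(key, m):
    """Raise m to the key's exponent mod n: public key encrypts/verifies,
    private key decrypts/signs."""
    exp, n = key
    return pow(m, exp, n)


def digest(payload, n):
    """SHA-256 of the payload reduced into Z_n so the toy key can sign it."""
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


def encode_body(body):
    return json.dumps(body, sort_keys=True).encode()


# --- remote management centre: certificate management module 21 ------------
def issue_certificate(admin_priv, application, user_pub):
    """Steps 502-503.  'Encrypting with the administrator private key' is in
    effect a signature: only the matching administrator public key reverses it."""
    body = {"subject": application, "user_pub": list(user_pub)}
    sig = rsa_apply(admin_priv, digest(encode_body(body), admin_priv[1]))
    return {"body": body, "sig": sig}


# --- terminal agent: certificate verification module 31 --------------------
def verify_certificate(admin_pub, cert):
    """Steps 706-707: return the certificate body if genuine, else None."""
    expected = digest(encode_body(cert["body"]), admin_pub[1])
    if rsa_apply(admin_pub, cert["sig"]) != expected:
        return None
    return cert["body"]


def make_challenge(user_pub):
    """Steps 708-709: pick R and compute C = E_k1(R)."""
    _, n = user_pub
    r = secrets.randbelow(n - 2) + 1          # 1 <= R <= n-2, never 0
    return r, rsa_apply(user_pub, r)


def answer_challenge(user_priv, cipher):
    """Steps 710-711 on the user's side: R' = D_k2(C)."""
    return rsa_apply(user_priv, cipher)


READ_ONLY, READ_WRITE, POWER_OFF = "read-only", "read-write", "power-off"


# --- terminal agent: usage rights retrieval module 32 ----------------------
def decide_access(terminal_level, cert, admin_pub, permissions, respond):
    """Steps 701-716.  `respond` models the user entering k2: given C it
    returns R'.  `permissions` is the usage rights list keyed by user name."""
    if terminal_level == "high":
        return POWER_OFF              # step 703: the port gets no power
    if terminal_level == "low":
        return READ_WRITE             # low level: no restriction at all
    if cert is None:
        return READ_ONLY              # step 705: no certificate found
    body = verify_certificate(admin_pub, cert)
    if body is None:
        return POWER_OFF              # step 707 -> 703: forged certificate
    r, c = make_challenge(tuple(body["user_pub"]))
    if respond(c) != r:
        return POWER_OFF              # step 712 -> 703: wrong private key
    right = permissions.get(body["subject"]["name"])
    if right is None:
        return POWER_OFF              # not on the list: illegitimate user
    return READ_WRITE if right == "rw" else READ_ONLY   # step 714 / 705


def demo():
    """Constructed sample run: one certified user, one medium-level terminal."""
    admin_pub, admin_priv = toy_rsa_keypair(1009, 1013)
    user_pub, user_priv = toy_rsa_keypair(61, 53)
    application = {"name": "alice", "department": "R&D", "country": "TW"}
    cert = issue_certificate(admin_priv, application, user_pub)
    permissions = {"alice": "rw", "bob": "ro"}           # constructed list

    def genuine(c):                   # the real user types k2
        return answer_challenge(user_priv, c)

    return {
        "medium_ok": decide_access("medium", cert, admin_pub, permissions, genuine),
        "medium_bad_key": decide_access("medium", cert, admin_pub, permissions,
                                        lambda c: 0),
        "high": decide_access("high", cert, admin_pub, permissions, genuine),
        "no_cert": decide_access("medium", None, admin_pub, permissions, genuine),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {outcome}")
```

Because the challenge is a fresh random R each time, a replayed ciphertext or a certificate copied from another device cannot pass step 712 without the matching private key; the toy also shows that a certificate whose signature is altered fails at step 707.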

In summary, in the authority identification method using a plug-and-play device of the present invention, and the system applying it, after a user electrically connects a plug-and-play storage device 6 to a terminal 12, identity identification and rights confirmation are enforced by means of an electronic certificate and a user private key that the user then enters; a file system driver 4 records the user's actions, and this record is periodically sent to the remote management centre 11 for the administrator to consult when records need to be checked. The flow of data can thus be effectively managed and monitored to safeguard the company's interests, so the invention indeed achieves its object.

The foregoing is merely a preferred embodiment of the present invention and should not limit the scope of its implementation; all simple equivalent changes and modifications made in accordance with the claims and the description of the invention remain within the scope covered by the patent.

Claims (8)

1. An authority identification method using a plug-and-play storage device, for judging whether a plug-and-play storage device electrically connected to a plug-and-play port of a data processing device is a legitimate device, the method comprising the steps of:
A) detecting whether at least one electronic certificate exists in one of the plug-and-play storage device and the data processing device;
B) if so, requesting a user to input a user private key;
C) checking the user private key; and
D) if the check succeeds, permitting data to be written to the plug-and-play storage device,
wherein the electronic certificate is generated by encryption with an administrator private key and contains a user public key, and step B) further comprises the sub-steps of:
B1) verifying the electronic certificate with an administrator public key corresponding to the administrator private key, thereby obtaining the user public key;
B2) generating a random number and encrypting the random number with the user public key to form a ciphertext; and
B3) requesting input of the user private key;
wherein step C) decrypts the ciphertext with the user private key and checks whether the decrypted data equals the random number; and
wherein step D) further comprises the sub-steps of:
D1) if the decrypted data equals the random number, reading the user's authority; and
D2) if the user has authority to write data to the plug-and-play storage device, permitting data to be written to the plug-and-play storage device.

2. The authority identification method according to claim 1, wherein step A) further comprises the sub-steps of:
A1) requesting input of address data used to locate the electronic certificate; and
A2) searching for the electronic certificate according to the address data.

3. An authority identification method using a plug-and-play storage device, for judging whether a plug-and-play storage device electrically connected to a plug-and-play port of a data processing device is a legitimate device, applied to a control end and a user end that are connected to each other through a network, wherein the control end has a server, the user end has at least one said data processing device, and the data processing device stores an electronic certificate sent by the server, the method comprising the steps of:
A) detecting whether the electronic certificate exists in one of the plug-and-play storage device and the data processing device;
B) if so, requesting a user to input a user private key;
C) checking the user private key; and
D) if the check succeeds, permitting data to be written to the plug-and-play storage device,
wherein the electronic certificate is generated by encryption with an administrator private key and contains a user public key, and step B) further comprises the sub-steps of:
B1) verifying the electronic certificate with an administrator public key corresponding to the administrator private key, thereby obtaining the user public key;
B2) generating a random number and encrypting the random number with the user public key to form a ciphertext; and
B3) requesting input of the user private key;
wherein step C) decrypts the ciphertext with the user private key and checks whether the decrypted data equals the random number; and
wherein step D) further comprises the sub-steps of:
D1) if the decrypted data equals the random number, reading the user's authority; and
D2) if the user has authority to write data to the plug-and-play storage device, permitting data to be written to the plug-and-play storage device.

4. The authority identification method according to claim 3, further comprising a step E) of periodically transmitting user behaviour record data to the server.

5. The authority identification method according to claim 3, wherein step A) further comprises the sub-steps of:
A1) requesting input of address data used to locate the electronic certificate; and
A2) searching for the electronic certificate according to the address data.

6. The authority identification method according to claim 3, wherein the data processing device reads the user's authority according to a user authority list.

7. The authority identification method according to claim 4, wherein the data processing device periodically downloads the administrator public key from the server.

8. The authority identification method according to claim 6, wherein the data processing device periodically downloads the user authority list from the server.
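The certificate check, challenge and response of steps B1-C in claims 1 and 3, followed by the authority-list decision of claim 6 and the read/write, read-only and illegal-user branches of steps 703/705/714 described above, as an added example written in Go. It is not code from the patent or from Acer. Assumptions made here: both the administrator and the user hold RSA keys; the claims' "encryption with the administrator private key" that produces the certificate is modelled as an RSA-PSS signature over the user's name and public key; the random number is 32 bytes and is encrypted with RSA-OAEP rather than unpadded RSA; the user names, the authority list and the OAEP label are constructed for the example; and the user's private key is a key object in the program rather than something typed in at the terminal.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"fmt"
)

// Authority is one entry of the user authority list (claims 6 and 8); the names are assumed.
type Authority int

const (
	NoAccess  Authority = iota // not on the list: treated as an illegal user (step 703)
	ReadOnly                   // may only read the device (step 705)
	ReadWrite                  // may write to the device (step 714)
)

// Certificate is the electronic certificate of claim 1: a user public key bound to a name and signed by the administrator.
type Certificate struct {
	UserName  string
	UserPub   *rsa.PublicKey
	Signature []byte // RSA-PSS signature over certDigest(UserName, UserPub)
}

const oaepLabel = "pnp-authority-challenge" // assumed label; ties ciphertexts to this protocol

func certDigest(name string, pub *rsa.PublicKey) []byte {
	// NUL separator so one name/key pair cannot be re-split into a different pair.
	d := sha256.Sum256(append([]byte(name+"\x00"), x509.MarshalPKCS1PublicKey(pub)...))
	return d[:]
}

// IssueCertificate is the server-side step the claims presuppose (claim 3: certificate "sent by the server").
func IssueCertificate(adminPriv *rsa.PrivateKey, name string, userPub *rsa.PublicKey) (*Certificate, error) {
	sig, err := rsa.SignPSS(rand.Reader, adminPriv, crypto.SHA256, certDigest(name, userPub), nil)
	if err != nil {
		return nil, err
	}
	return &Certificate{UserName: name, UserPub: userPub, Signature: sig}, nil
}

// VerifyCertificate is step B1: only a certificate that verifies under the administrator public key yields a user key.
func VerifyCertificate(adminPub *rsa.PublicKey, c *Certificate) (*rsa.PublicKey, error) {
	if err := rsa.VerifyPSS(adminPub, crypto.SHA256, certDigest(c.UserName, c.UserPub), c.Signature, nil); err != nil {
		return nil, fmt.Errorf("certificate not issued by administrator: %w", err)
	}
	return c.UserPub, nil
}

// MakeChallenge is step B2: a fresh 32-byte random number encrypted to the user public key (OAEP, not raw RSA: see note below).
func MakeChallenge(userPub *rsa.PublicKey) (nonce, ciphertext []byte, err error) {
	nonce = make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, nonce, []byte(oaepLabel))
	return nonce, ciphertext, err
}

// Authorize is steps C, D1 and D2: the response must equal the random number and the user must be listed, else illegal (step 703).
func Authorize(nonce, response []byte, name string, list map[string]Authority) (Authority, error) {
	if subtle.ConstantTimeCompare(nonce, response) != 1 {
		return NoAccess, fmt.Errorf("response does not match random number: illegal user")
	}
	auth, ok := list[name]
	if !ok {
		return NoAccess, fmt.Errorf("user %q not on authority list: illegal user", name)
	}
	return auth, nil
}

// Authenticate runs the whole exchange in-process; in a deployment only the ciphertext and the response cross to the user's side.
func Authenticate(adminPub *rsa.PublicKey, c *Certificate, userPriv *rsa.PrivateKey, list map[string]Authority) (Authority, error) {
	userPub, err := VerifyCertificate(adminPub, c)
	if err != nil {
		return NoAccess, err
	}
	nonce, ct, err := MakeChallenge(userPub)
	if err != nil {
		return NoAccess, err
	}
	// Step C, user's half: decrypt with the user private key supplied in step B3.
	resp, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, userPriv, ct, []byte(oaepLabel))
	if err != nil {
		return NoAccess, fmt.Errorf("user private key cannot open the challenge: %w", err)
	}
	return Authorize(nonce, resp, c.UserName, list)
}

func main() {
	admin, _ := rsa.GenerateKey(rand.Reader, 2048)
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	cert, _ := IssueCertificate(admin, "alice", &alice.PublicKey)
	list := map[string]Authority{"alice": ReadWrite, "bob": ReadOnly} // constructed list
	fmt.Println(Authenticate(&admin.PublicKey, cert, alice, list))   // 2 <nil>: alice may write
}
```

Two points a practitioner would check in any implementation of these claims. First, the claims say only that the random number is "encrypted" with the user public key; if that means unpadded RSA, the user's key becomes a decryption oracle for anyone who can submit ciphertexts, so the example uses OAEP with a fixed label and a random number that is generated fresh for every attempt and never reused. Second, the claims have the user "input" the private key at the data processing device; whatever form that takes (a passphrase-unlocked key file, a token), the property to verify is the one `Authenticate` models: the terminal sends a ciphertext and receives a response, and a wrong key, a tampered or self-issued certificate, or a name missing from the authority list all end at the same refusal.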
CNB2004100559731A 2004-08-03 2004-08-03 Authority identification method using plug-and-play device and system applying method Expired - Fee Related CN100390699C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100559731A CN100390699C (en) 2004-08-03 2004-08-03 Authority identification method using plug-and-play device and system applying method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2004100559731A CN100390699C (en) 2004-08-03 2004-08-03 Authority identification method using plug-and-play device and system applying method

Publications (2)

Publication Number Publication Date
CN1734387A CN1734387A (en) 2006-02-15
CN100390699C true CN100390699C (en) 2008-05-28

Family

ID=36076845

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100559731A Expired - Fee Related CN100390699C (en) 2004-08-03 2004-08-03 Authority identification method using plug-and-play device and system applying method

Country Status (1)

Country Link
CN (1) CN100390699C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI566103B (en) * 2015-11-16 2017-01-11 宇瞻科技股份有限公司 Pcie bridge transformation device and method thereof

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102195780A (en) * 2010-03-15 2011-09-21 英威康科技股份有限公司 Electronic key system
CN102332073A (en) * 2011-07-07 2012-01-25 曙光信息产业股份有限公司 Method for controlling universal serial bus (USB) port equipment switch
CN102867151B (en) * 2011-07-08 2015-09-23 纬创资通股份有限公司 Electronic device with information encryption function and information encryption method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000019301A2 (en) * 1998-09-30 2000-04-06 Phoenix Technologies Ltd. Automatic generation of acpi source language for peripheral resource configuration
WO2001035193A1 (en) * 1999-11-08 2001-05-17 International Business Machines Corporation Wireless security access management for a portable data storage cartridge
CN1400602A (en) * 2001-07-31 2003-03-05 台均实业有限公司 Portable readable and writable memory with USB interface and its data management method

Also Published As

Publication number Publication date
CN1734387A (en) 2006-02-15

Similar Documents

Publication Publication Date Title
US8966580B2 (en) System and method for copying protected data from one secured storage device to another via a third party
US8898477B2 (en) System and method for secure firmware update of a secure token having a flash memory controller and a smart card
KR101657613B1 (en) Backing up digital content that is stored in a secured storage device
US8621601B2 (en) Systems for authentication for access to software development kit for a peripheral device
US20090276474A1 (en) Method for copying protected data from one secured storage device to another via a third party
KR101254209B1 (en) Apparatus and method for moving and copying right objects between device and portable storage device
JP4550050B2 (en) Usage authentication method, usage authentication program, information processing apparatus, and recording medium
KR100608575B1 (en) Home network device, home network system and method therefor capable of automatic ownership authentication
US20090150631A1 (en) Self-protecting storage device
KR20050094273A (en) Digital rights management structure, handheld storage deive and contents managing method using handheld storage device
JP4610557B2 (en) DATA MANAGEMENT METHOD, PROGRAM THEREOF, AND PROGRAM RECORDING MEDIUM
KR102777277B1 (en) Storage device providing safe discard of data and Operating method thereof
JP2008005408A (en) Recording data processing device
JP2008033512A (en) Security chip and platform
CN1965278A (en) Authentication method for authenticating a first party to a second party
US20090293117A1 (en) Authentication for access to software development kit for a peripheral device
CN100390699C (en) Authority identification method using plug-and-play device and system applying method
JP2004070875A (en) Secure system
CN100555205C (en) Portable memory and in portable memory the method for management document
CN115618306B (en) Software protection method, device, system, CPU chip and electronic equipment
CN116842545A (en) File encryption-based data anti-luxury method and system
JP4673150B2 (en) Digital content distribution system and token device
KR101241413B1 (en) Apparatus and method for moving and copying right objects between device and portable storage device
JP2008529339A (en) Method for preventing unauthorized distribution of content in a DRM system for commercial or personal content
JP2008191851A (en) Electronic equipment and information processing method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080528