CN112287415B - USB storage device access control method, system, medium, device and application - Google Patents
- Publication number: CN112287415B (application number CN202011066171.6A)
- Authority: CN (China)
- Prior art keywords: storage device, usb storage, machine, encrypted, ordinary
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    - G06F21/82—Protecting input, output or interconnection devices
      - G06F21/85—Protecting interconnection devices, e.g. bus-connected or in-line devices
  - G06F21/60—Protecting data
    - G06F21/602—Providing cryptographic facilities or services
Abstract
The invention belongs to the technical field of removable storage devices and discloses a USB storage device access control method, system, medium, device and application. The system includes: a registration machine, a general-purpose computer that negotiates the mode with the user, sets the encryption method, manages keys, encrypts the boot area of the USB storage device and optionally encrypts its data area; a classified machine, a general-purpose computer that can decrypt and read encrypted USB storage devices but cannot read ordinary unencrypted USB storage devices; and an analysis machine, a general-purpose computer that can both decrypt and read encrypted USB storage devices and read ordinary USB storage devices. The invention effectively ensures that a USB storage device can only be used within a defined scope, enhances the security of the USB storage device and its data, is simple to deploy and maintain, supports multiple operating system platforms, and suits individuals and organizations of different sizes.
Description
Technical field
The invention belongs to the technical field of removable storage devices, and in particular relates to a USB storage device access control method, system, medium, device and application.
Background
At present, USB storage devices, a class of removable storage that includes USB flash drives, portable hard disks and SD cards, are widely used because they are convenient and fast. Because USB storage devices easily lead to loss of information, their access control policy is attracting growing attention. By characteristics and function, the data on a USB storage device can be roughly divided into a boot area, a file information area and a data area. The boot area stores information about the USB storage device itself and the boot program. The file information area records the size and location of each partition of the device and reflects how each region of the device is used. The data area stores the data the user wants to store. After a USB storage device is plugged into the hardware interface, its hardware circuit is triggered. A process of the operating system then calls the file system API, which notifies the I/O manager to generate an IRP (I/O Request Package). The IRP is first sent to the disk driver, and then to the USB device driver and the bus driver.
In response to the security risks of existing USB storage devices, many organizations, enterprises and businesses have implemented their own USB storage device access control schemes. In many party and government departments, confidentiality control of USB storage devices is limited to a one-person-one-responsibility policy, which leaves significant security risks. The access control methods for USB storage devices currently on the market include user name and password verification, PKI-based digital certificate authentication, encryption of the data area of the USB storage device, and establishing a USB storage device access control center by filtering system signals; all of them suffer from problems such as insufficient security, high cost and complex maintenance.
It can be seen that the problems and defects of existing USB storage device security technology are:
(1) Low security level: identity verification based on user name and password is easily cracked, and establishing an access control center also gives hackers an opportunity to intercept data.
(2) High cost: identity authentication based on PKI or smart cards requires dedicated equipment, which makes it expensive.
(3) Complex deployment and maintenance: the above methods require technicians to carry out complex operations such as distributing devices and maintaining a centralized management platform.
(4) Poor compatibility: existing technology generally supports only a small number of operating systems.
The difficulty of solving the above problems and defects is as follows: these problems and defects cause great inconvenience and security risks for organizations and individuals. To solve the security problems of the existing technology, a secure encryption algorithm for USB storage devices must be designed using cryptographic principles; the USB driver must be rewritten in combination with the operating system; and the solution must be compatible with the major platforms and be convenient, fast and secure at the driver level.
The significance of solving the above problems and defects is as follows: to remedy the risks of traditional access control, the invention designs and implements a USB storage device access control method, system, medium, device and application. By modifying the USB storage device driver and designing software that formats USB storage devices with encryption and decryption capability, the invention protects data security, implements access control for USB storage devices, avoids the risk of network hacker attacks and, while keeping other USB devices working normally, greatly improves the security of the production environment. The invention can be deployed on existing equipment, which lowers cost for users. It is also simple to deploy and maintain and is compatible with multiple platforms.
Summary of the invention
In view of the problems in the prior art, the invention provides a USB storage device access control method, system, medium, device and application.
The invention is implemented as a USB storage device access control system comprising:
a registration machine, a general-purpose computer used to negotiate the mode with the user, set the encryption method, manage keys, encrypt the boot area of the USB storage device and optionally encrypt the data area of the USB storage device;
a classified machine, a general-purpose computer that can decrypt and read encrypted USB storage devices but cannot read ordinary USB storage devices;
an analysis machine, a general-purpose computer that can both decrypt and read encrypted USB storage devices and read ordinary USB storage devices.
Further, the registration machine includes:
multiple methods and algorithms for encrypting the data area of a USB storage device, and a management unit for managing and recording the encryption algorithms and the information of encrypted USB storage devices;
an encryption algorithm negotiation unit for interacting with the user and negotiating whether to encrypt the data area and which of the optional algorithms to use;
a key management unit for storing and managing the key of the algorithm selected by the user;
an encryption unit for encrypting the boot area and the data area of the USB storage device.
Further, the classified machine includes:
a decryption unit that, through a modified computer USB driver, decrypts the file boot area of an inserted USB storage device and decrypts the encrypted file information in the data area;
an encryption unit for re-encrypting an encrypted USB storage device whose information has changed.
Further, the analysis machine includes:
a decryption unit that, through a modified computer USB driver, performs decryption on USB storage devices that cannot be recognized;
a reading unit that can read both encrypted USB storage devices and ordinary USB storage devices;
an encryption unit for re-encrypting an encrypted USB storage device whose information has changed.
Another object of the invention is to provide a USB storage device access control method that runs on the USB storage device access control system, the method comprising:
Step 1: the user chooses not to encrypt the data area of the USB storage device;
Step 2: an ordinary USB storage device becomes an encrypted USB storage device after passing through the registration machine; the registration machine encrypts the boot area of the USB storage device, and because the boot area is now ciphertext, the encrypted USB storage device cannot be recognized by an ordinary computer;
Step 3: the classified machine recognizes encrypted USB storage devices and does not recognize ordinary USB storage devices; after the classified machine detects a USB storage device, it decrypts the boot area; for an encrypted USB storage device the decrypted file system boot area is normal information and the classified machine reads the device, whereas the file system boot area of an ordinary USB storage device becomes ciphertext when decrypted and cannot be recognized by the classified machine;
Step 4: the analysis machine recognizes both encrypted and ordinary USB storage devices; the analysis machine decrypts the file system boot area of an encrypted USB storage device so that the device can be read normally;
Step 5: after the analysis machine has finished reading from and writing to the encrypted USB storage device, it encrypts the boot area again, as in Step 2.
Further, the USB storage device access control method includes:
Step 1: the user chooses to encrypt the data area of the USB storage device, selects a suitable method of encrypting the data area from the options offered by the registration machine, and obtains the key used to encrypt the data area;
Step 2: the registration machine securely stores the key of the encryption method chosen by the user in the boot area of the USB storage device, then uses this key to encrypt the contents of the data area;
Step 3: the registration machine encrypts the boot area of the USB storage device, which contains the key;
Step 4: the USB storage device driver of the classified machine is rewritten so that, when it detects that a USB storage device has been inserted, it decrypts the boot area of the device;
Step 5: after decrypting the boot area, the classified machine extracts the key written there and decrypts the contents of the data area; when the inserted device is an ordinary USB storage device, the decrypted boot area is ciphertext and cannot be recognized by the classified machine;
Step 6: when an ordinary USB storage device is inserted into the analysis machine, it is used normally; when an unrecognizable USB storage device is detected, the analysis machine decrypts the boot area and data area of the encrypted USB storage device, turning it into an ordinary USB storage device so that it can be read and written;
Step 7: after the analysis machine or classified machine has finished reading from and writing to the encrypted USB storage device, if the data on the device has changed, it encrypts the data area with the original key and then encrypts the boot area, as in Steps 2 and 3.
Another object of the invention is to provide a computer device comprising a memory and a processor, the memory storing a computer program that, when executed by the processor, causes the processor to perform the following steps:
Step 1: the user selects an encryption mode for the USB storage device;
Step 2: an ordinary USB storage device becomes an encrypted USB storage device after passing through the registration machine; the registration machine encrypts the boot area of the USB storage device and, depending on the encryption mode selected by the user, encrypts or does not encrypt the data area; because the boot area is now ciphertext, the encrypted USB storage device cannot be recognized by an ordinary computer;
Step 3: the classified machine recognizes encrypted USB storage devices and does not recognize ordinary USB storage devices; when the classified machine detects a USB storage device, it decrypts the boot area; for an encrypted USB storage device the decrypted file system boot area is plaintext and the classified machine reads the device, and in full encryption mode it then decrypts the data area; the file system boot area of an ordinary USB storage device becomes ciphertext when decrypted and cannot be recognized by the classified machine;
Step 4: the analysis machine recognizes both encrypted and ordinary USB storage devices; the analysis machine decrypts the file system boot area of an encrypted USB storage device and, in full encryption mode, then decrypts the data area, so that the device becomes an ordinary recognizable USB storage device and can be read normally;
Step 5: after the analysis machine or classified machine has finished reading the encrypted USB storage device, if the data on the device has changed, it encrypts the boot area again and, in full encryption mode, encrypts the data area again.
Another object of the invention is to provide a computer-readable storage medium storing a computer program that, when executed by a processor, causes the processor to perform the following steps:
Step 1: the user selects an encryption mode for the USB storage device;
Step 2: an ordinary USB storage device becomes an encrypted USB storage device after passing through the registration machine; the registration machine encrypts the boot area of the USB storage device and, depending on the encryption mode selected by the user, encrypts or does not encrypt the data area; because the boot area is now ciphertext, the encrypted USB storage device cannot be recognized by an ordinary computer;
Step 3: the classified machine recognizes encrypted USB storage devices and does not recognize ordinary USB storage devices; when the classified machine detects a USB storage device, it decrypts the boot area; for an encrypted USB storage device the decrypted file system boot area is plaintext and the classified machine reads the device, and in full encryption mode it then decrypts the data area; the file system boot area of an ordinary USB storage device becomes ciphertext when decrypted and cannot be recognized by the classified machine;
Step 4: the analysis machine recognizes both encrypted and ordinary USB storage devices; the analysis machine decrypts the file system boot area of an encrypted USB storage device and, in full encryption mode, then decrypts the data area, so that the device becomes an ordinary recognizable USB storage device and can be read normally;
Step 5: after the analysis machine or classified machine has finished reading the encrypted USB storage device, if the data on the device has changed, it encrypts the boot area again and, in full encryption mode, encrypts the data area again.
Another object of the invention is to provide a USB flash drive on which the USB storage device access control system is installed.
Another object of the invention is to provide a portable hard disk on which the USB storage device access control system is installed.
Combining all the above technical solutions, the advantages and positive effects of the invention are:
To remedy the risks of traditional access control, the invention designs and implements a USB storage device access control system and method. By modifying the USB storage device driver and designing software that formats USB storage devices with encryption and decryption capability, the invention protects data security, implements access control for USB storage devices, avoids the risk of network hacker attacks and, while keeping other USB devices working normally, greatly improves the security of the production environment. The invention can be deployed on existing equipment, which lowers cost for users. It is also simple to deploy and maintain and is compatible with multiple platforms. A comparison of the invention with other products is shown in Table 1.
Table 1: Comparison of the invention with other products
Note: t1: time for the driver to read the USB storage device; t2: time to mount the USB storage device; t3: software loading time; t4: time for the software to load the storage device; t5: software encryption time.
Brief description of the drawings
To explain the technical solutions of the embodiments of this application more clearly, the drawings used in the embodiments are briefly introduced below. The drawings described below are only some embodiments of this application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of the USB storage device access control method provided by an embodiment of the invention.
FIG. 2 is a schematic structural diagram of the USB storage device access control system provided by an embodiment of the invention.
In FIG. 2: 1, registration machine; 2, classified machine; 3, analysis machine; a solid line means accessible and a dotted line means not accessible.
FIG. 3 is an implementation diagram of the registration machine in partial encryption mode provided by an embodiment of the invention.
FIG. 4 is an implementation diagram of the classified machine in partial encryption mode provided by an embodiment of the invention.
FIG. 5 is an implementation diagram of the analysis machine in partial encryption mode provided by an embodiment of the invention.
FIG. 6 is an implementation diagram of the registration machine in full encryption mode provided by an embodiment of the invention.
FIG. 7 is an implementation diagram of the classified machine in full encryption mode provided by an embodiment of the invention.
FIG. 8 is an implementation diagram of the analysis machine in full encryption mode provided by an embodiment of the invention.
Detailed description
To make the object, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to embodiments. The specific embodiments described here only explain the invention and do not limit it.
In view of the problems in the prior art, the invention provides a USB storage device access control method, system, medium, device and application, described in detail below with reference to the drawings.
As shown in FIG. 1, the USB storage device access control method provided by the invention includes the following steps:
S101: The user selects an encryption mode for the USB storage device.
S102: An ordinary USB storage device becomes an encrypted USB storage device after passing through the registration machine. The registration machine encrypts the boot area of the USB storage device and, depending on the encryption mode selected by the user, encrypts or does not encrypt the data area. Because the boot area is now ciphertext, the encrypted USB storage device cannot be recognized by an ordinary computer.
S103: The classified machine recognizes encrypted USB storage devices and does not recognize ordinary USB storage devices. When the classified machine detects a USB storage device, it decrypts the boot area. For an encrypted USB storage device the decrypted file system boot area is plaintext and the classified machine reads the device; in full encryption mode it then decrypts the data area. The file system boot area of an ordinary USB storage device becomes ciphertext when decrypted and cannot be recognized by the classified machine.
S104: The analysis machine recognizes both encrypted and ordinary USB storage devices. The analysis machine decrypts the file system boot area of an encrypted USB storage device and, in full encryption mode, then decrypts the data area, so that the device becomes an ordinary recognizable USB storage device and can be read normally.
S105: After the analysis machine or classified machine has finished reading the encrypted USB storage device, if the data on the device has changed, it encrypts the boot area again and, in full encryption mode, encrypts the data area again.
Those of ordinary skill in the art may also implement the USB storage device access control method provided by the invention using other steps; the method shown in FIG. 1 is only one specific embodiment.
As shown in FIG. 2, the USB storage device access control system provided by the invention includes:
A registration machine, a general-purpose computer used to negotiate the mode with the user, set the encryption method, manage keys, encrypt the boot area of the USB storage device and optionally encrypt the data area of the USB storage device.
A classified machine, a general-purpose computer that can decrypt and read encrypted USB storage devices but cannot read ordinary USB storage devices.
An analysis machine, a general-purpose computer that can both decrypt and read encrypted USB storage devices and read ordinary USB storage devices.
The technical solution of the invention is further described below with reference to the drawings.
As shown in FIG. 2 (taking a USB flash drive as an example), the encryption-based USB storage device access control system provided by an embodiment of the invention includes:
Registration machine 1: a general-purpose computer equipped with a USB interface. Through software it can negotiate the mode with the user, set the encryption method, manage keys, encrypt the boot area of the USB storage device and optionally encrypt the data area of the USB storage device;
Classified machine 2: a general-purpose computer equipped with a USB interface. It can read encrypted USB storage devices after decrypting them, but cannot read ordinary USB storage devices;
Analysis machine 3: a general-purpose computer equipped with a USB interface. It can both decrypt and read encrypted USB storage devices and read ordinary USB storage devices.
Registration machine 1 contains multiple methods and algorithms for encrypting the data area of a USB storage device; a management unit for managing and recording the encryption algorithms and the information of encrypted USB storage devices; an encryption algorithm negotiation unit for negotiating with the user whether to encrypt the data area and which of the optional algorithms to use; a key management unit for storing and managing the key of the algorithm selected by the user; and an encryption unit for encrypting the boot area and the data area of the USB storage device.
Classified machine 2 uses a modified computer USB driver to decrypt the boot area of the USB storage device and to decrypt the encrypted file information in the data area. The file system boot area of an ordinary USB storage device becomes ciphertext when decrypted and cannot be recognized by the classified machine.
Analysis machine 3 uses a modified computer USB driver to decrypt USB storage devices that cannot be recognized, can re-encrypt a USB storage device after reading and writing, and can read both encrypted and ordinary USB storage devices.
The registration machine and the analysis machine can be the same computer.
The encryption-based USB access control system of the invention has two modes, a partial encryption mode and a full encryption mode, each described further below with reference to the drawings.
The steps of the partial encryption mode are as follows:
Step 1: the user chooses not to encrypt the data area of the USB storage device;
Step 2: as shown in FIG. 3, an ordinary USB storage device becomes an encrypted USB storage device after passing through the registration machine; the registration machine encrypts the boot area of the USB storage device, and because the boot area is now ciphertext, the encrypted USB storage device cannot be recognized by an ordinary computer;
Step 3: as shown in FIG. 4, the classified machine recognizes encrypted USB storage devices and does not recognize ordinary USB storage devices; after the classified machine detects a USB storage device, it decrypts the boot area; for an encrypted USB storage device the decrypted file system boot area is normal information and the classified machine reads the device, whereas the file system boot area of an ordinary USB storage device becomes ciphertext when decrypted and cannot be recognized by the classified machine;
Step 4: as shown in FIG. 5, the analysis machine recognizes both encrypted and ordinary USB storage devices; the analysis machine decrypts the file system boot area of an encrypted USB storage device so that the device can be read normally;
Step 5: after the classified machine or analysis machine has finished reading from and writing to the encrypted USB storage device, if the data on the device has changed, it encrypts the boot area again, as in Step 2.
The steps of the full encryption mode are as follows:
Step 1: the user chooses to encrypt the data area of the USB storage device, selects a suitable method of encrypting the data area from the options the registration machine provides, and obtains the key for encrypting the data area;
Step 2: as shown in Figure 6, the registration machine securely stores the key for the encryption method chosen by the user in the boot area of the USB storage device, then uses this key to encrypt the contents of the data area;
Step 3: as shown in Figure 7, the registration machine encrypts the boot area of the USB storage device, which contains the key;
Step 4: as shown in Figure 7, the classified machine, whose USB storage device driver has been rewritten, decrypts the boot area of a USB storage device when it detects that one has been inserted;
Step 5: as shown in Figure 7, after decrypting the boot area of the USB storage device, the classified machine extracts the key written there and decrypts the contents of the data area; when the inserted device is an ordinary USB storage device, the decrypted boot area is ciphertext and cannot be recognized by the classified machine;
Step 6: as shown in Figure 8, when an ordinary USB storage device is inserted into the analysis machine, it is used normally; when an unrecognizable USB storage device is detected, the analysis machine decrypts the boot area and data area of the encrypted USB storage device, turning it into an ordinary USB storage device so that it can be read and written;
Step 7: after the analysis machine or classified machine finishes reading and writing the encrypted USB storage device, if the data on the USB device has changed, the data area is encrypted with the original key and the boot area is then encrypted, as shown in Steps 2 and 3.
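The partial and full encryption modes above can be modelled on an in-memory disk image; this is an added illustration, not code from the patent. The SHAKE-256 keystream XOR stands in for the unspecified cipher, and the key slot offset, the shared boot-area key, the zero-slot convention for partial mode and all function names are assumptions.

```python
import hashlib

SECTOR = 512
KEY_OFF, KEY_LEN = 64, 32                # assumed slot for the data-area key in the boot sector
BOOT_KEY = b"constructed-boot-area-key"  # hypothetical key shared by the three managed machines

def xor_stream(key, data):
    """Stand-in cipher (SHAKE-256 keystream XOR); the patent does not fix an algorithm."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

def recognizable(boot):
    """A host mounts a device only if its boot sector ends with the 0x55AA signature."""
    return boot[510:512] == b"\x55\xaa"

def make_ordinary_device(files):
    boot = bytearray(SECTOR)             # constructed minimal boot sector, key slot zeroed
    boot[3:11], boot[510:512] = b"MSDOS5.0", b"\x55\xaa"
    return bytes(boot) + files

def register(device, data_key=None):
    """Registration machine: partial mode when data_key is None, otherwise full mode."""
    boot, data = bytearray(device[:SECTOR]), device[SECTOR:]
    if data_key is not None:
        assert len(data_key) == KEY_LEN
        boot[KEY_OFF:KEY_OFF + KEY_LEN] = data_key   # full mode: key stored in boot area
        data = xor_stream(data_key, data)            # full mode: data area encrypted
    return xor_stream(BOOT_KEY, bytes(boot)) + data  # both modes: boot area encrypted

def classified_read(device):
    """Classified machine: always decrypts the boot area; None means 'not recognized'."""
    boot = xor_stream(BOOT_KEY, device[:SECTOR])
    if not recognizable(boot):
        return None                      # ordinary device: its boot area turned to ciphertext
    key = boot[KEY_OFF:KEY_OFF + KEY_LEN]
    data = device[SECTOR:]
    return xor_stream(key, data) if any(key) else data  # assumed: zero slot = partial mode

def analysis_read(device):
    """Analysis machine: reads ordinary devices directly, decrypts unrecognized ones."""
    if recognizable(device[:SECTOR]):
        return device[SECTOR:]
    return classified_read(device)

def ordinary_pc_read(device):
    """Unmodified computer: no decryption step at all."""
    return device[SECTOR:] if recognizable(device[:SECTOR]) else None

if __name__ == "__main__":
    files = b"constructed file contents"
    for dev in (make_ordinary_device(files), register(make_ordinary_device(files))):
        print(ordinary_pc_read(dev), classified_read(dev), analysis_read(dev))
```

In partial mode `register()` leaves the data-area bytes unchanged, so that mode decides which hosts will mount the device but does not protect file contents against a raw sector read.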
The present invention also includes a computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the following steps:
Step 1: the user selects an encryption mode for the USB storage device;
Step 2: an ordinary USB storage device becomes an encrypted USB storage device after passing through the registration machine, which encrypts the boot area of the USB storage device and, according to the encryption mode the user selected, encrypts or does not encrypt its data area; because its boot area is now ciphertext, the encrypted USB storage device cannot be recognized by an ordinary computer;
Step 3: the classified machine can recognize encrypted USB storage devices but not ordinary ones; after detecting a USB storage device, the classified machine decrypts the file system boot area; for an encrypted USB storage device the decrypted boot area is plaintext, and the classified machine reads the device, also decrypting the data area if the device is in full encryption mode; for an ordinary USB storage device the boot area becomes ciphertext after decryption and cannot be recognized by the classified machine;
Step 4: the analysis machine can recognize both encrypted and ordinary USB storage devices; it decrypts the file system boot area of an encrypted USB storage device and, in full encryption mode, also decrypts the data area, so that the device becomes an ordinary recognizable USB storage device that is then read normally;
Step 5: after the analysis machine or classified machine finishes reading the encrypted USB storage device, if the data on the USB device has changed, the boot area is encrypted again, and in full encryption mode the data area is encrypted again as well.
The present invention also includes a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the following steps:
Step 1: the user selects an encryption mode for the USB storage device;
Step 2: an ordinary USB storage device becomes an encrypted USB storage device after passing through the registration machine, which encrypts the boot area of the USB storage device and, according to the encryption mode the user selected, encrypts or does not encrypt its data area; because its boot area is now ciphertext, the encrypted USB storage device cannot be recognized by an ordinary computer;
Step 3: the classified machine can recognize encrypted USB storage devices but not ordinary ones; after detecting a USB storage device, the classified machine decrypts the file system boot area; for an encrypted USB storage device the decrypted boot area is plaintext, and the classified machine reads the device, also decrypting the data area if the device is in full encryption mode; for an ordinary USB storage device the boot area becomes ciphertext after decryption and cannot be recognized by the classified machine;
Step 4: the analysis machine can recognize both encrypted and ordinary USB storage devices; it decrypts the file system boot area of an encrypted USB storage device and, in full encryption mode, also decrypts the data area, so that the device becomes an ordinary recognizable USB storage device that is then read normally;
Step 5: after the analysis machine or classified machine finishes reading the encrypted USB storage device, if the data on the USB device has changed, the boot area is encrypted again, and in full encryption mode the data area is encrypted again as well.
As proof, a comparison of the present invention with other products is shown in Table 2.
Table 2. Comparison of the present invention with other products
Note: t1: time for the driver to read the USB storage device; t2: time to mount the USB storage device; t3: software loading time; t4: time for the software to load the storage device; t5: software encryption time.
It should be noted that the embodiments of the present invention can be implemented in hardware, in software, or in a combination of the two. The hardware part can be implemented using dedicated logic; the software part can be stored in memory and executed by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those of ordinary skill in the art will understand that the devices and methods described above can be implemented using computer-executable instructions and/or processor control code, provided for example on a carrier medium such as a magnetic disk, CD or DVD-ROM, in programmable memory such as read-only memory (firmware), or on a data carrier such as an optical or electronic signal carrier. The device of the present invention and its modules can be implemented by hardware circuits such as very-large-scale integrated circuits or gate arrays, semiconductors such as logic chips and transistors, or programmable hardware devices such as field-programmable gate arrays and programmable logic devices; by software executed by various types of processors; or by a combination of such hardware circuits and software, for example firmware.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any modification, equivalent replacement or improvement made by a person skilled in the art within the technical scope disclosed by the present invention, and within its spirit and principles, shall fall within the scope of protection of the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011066171.6A CN112287415B (en) | 2020-09-30 | 2020-09-30 | USB storage device access control method, system, medium, device and application |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112287415A (en) | 2021-01-29 |
CN112287415B (en) | 2022-11-29 |
Family
ID=74422799
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011066171.6A Active CN112287415B (en) | 2020-09-30 | 2020-09-30 | USB storage device access control method, system, medium, device and application |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112287415B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN112287415A (en) | 2021-01-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||