CN102244576A - System and method for realizing terminal safety storage - Google Patents
System and method for realizing terminal safety storage Download PDFInfo
- Publication number
- CN102244576A CN102244576A CN201010166210XA CN201010166210A CN102244576A CN 102244576 A CN102244576 A CN 102244576A CN 201010166210X A CN201010166210X A CN 201010166210XA CN 201010166210 A CN201010166210 A CN 201010166210A CN 102244576 A CN102244576 A CN 102244576A
- Authority
- CN
- China
- Prior art keywords
- key
- storage
- terminal
- control center
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The invention relates to a system and method for realizing terminal safety storage. The system comprises a safety control centre, a fixed key device, a separation key device and an encryption storage device, wherein the fixed key device is arranged in a terminal in a non-detachable manner and used for storing a fixed key of a storage key; the separation key device is detachably arranged in the terminal and used for storing a separation key of the storage key; the safety control centre is used for authenticating the fixed key device, the separation key device and the encryption storage device, compounding the fixed key in the fixed key device and the separation key in the separation key device into an integrated storage key and transmitting the integrated storage key to the encryption storage device; and the encryption storage device is used for installing the storage key and encrypting input data/decrypting output data by using the storage key. According the system and method provided by the invention, the probability that the storage key is breached or an identity authentication method is breached is greatly reduced and the safety in terminal data storage is increased.
Description
Technical field
The present invention relates to information security field, relate in particular to a kind of system and method for realizing the terminal security storage.
Background technology
Along with the development of information technology, the problem of Information Security is much accounted of gradually, and in the various information safety problem, the safety of data especially fail safe of confidential data is particularly important.And illegally steal in the main means of data, directly steal data storage carrier and be a kind of directly but be difficult to take precautions against, and bigger means of menace.
At present each Terminal Type for example the storage of data that produce of PC, mobile phone, PDA (Personal DigitalAssistant, personal digital assistant) in this locality be the important hidden danger of Information Security always.The terminal that has does not possess encryption feature, in case the memory device partial loss of terminal or terminal, the person of stealing secret information will be very easy to obtain the data in the storage medium.Though the terminal that has possesses data encryption feature, but the fail safe of encryption key can't guarantee again, the data encryption key of this Terminal Type often is stored in the memory device, perhaps be stored on the terminal other can't dismounting equipment on, in case key is broken or identity identifying method is broken, also will make Information Security become empty talk.
In sum, improve further that security of storage data is still one of present urgent problem in the terminal.
Summary of the invention
Technical problem to be solved by this invention provides a kind of system and method for realizing the terminal security storage, reduces the probability that storage key is broken or identity identifying method is broken of terminal, improves the fail safe of terminal data storage
For solving the problems of the technologies described above, the present invention proposes a kind of system that realizes the terminal security storage, comprise security control center, fixed key device, separate key device and encrypt storage device, wherein:
Described fixed key device is installed in the terminal non-dismountablely, is used for the fixed key of store storage key;
Described separation key device is removably installed in the terminal, is used for the separation key of store storage key;
Described security control center, be used for described fixed key device, separation key device and encrypt storage device authenticating, and the fixed key in the described fixed key device synthesized complete storage key with the described separation key that separates in the key device, send to described encryption storage device;
Described encryption storage device is used to install described storage key, and with described storage key the input data is encrypted/dateout is decrypted.
Further, said system also can have following characteristics, and described terminal is PC, mobile phone or personal digital assistant PDA.
For solving the problems of the technologies described above, the invention allows for a kind of method that realizes the terminal security storage, system based on aforesaid realization terminal security storage, be stored in the different device of terminal with the data in the terminal with to the storage key that these data are carried out encrypting and decrypting, and the part of storage key is kept in the device that is installed on described terminal non-dismountablely, another part is kept in the device that is removably installed in described terminal, when using described storage key, two parts storage key is synthesized complete storage key, data are carried out encrypt/decrypt with complete storage key.
Further, said method also can have following characteristics, described two parts storage key is synthesized complete storage key, and the process of data being carried out encrypt/decrypt with complete storage key comprises:
Step a, system powers on, and drags down the master cpu power supply of terminal, and master cpu is not powered on;
Step b, security control center authenticates fixed key device, separation key device, user's identity, encryption storage device respectively, if then execution in step c is passed through in authentication, otherwise the cut-out system power supply;
Step c, security control center is obtained the part of storage key from the fixed key device, obtains another part of storage key from separate key device, then two parts is synthesized complete storage key, sends to the encryption storage device;
Steps d is encrypted storage device and is received, installs complete storage key, and notifies security control center with the information of storage key installation;
Step e after security control center receives the notice of storage key installation, draws high the master cpu power supply, makes the master cpu electrifying startup, encrypts storage device and with complete storage key the input data is encrypted/dateout is decrypted.
Further, said method also can have following characteristics, and among the described step b, security control center to the process that fixed key device, separation key device and encryption storage device authenticate is:
Step b1, authenticating party sends the control command that requires authentication to certified side, and described authenticating party is a security control center, and described certified side is the fixed key device, separates key device or encrypt storage device;
Step b2, certified direction authenticating party return authentication data contain characteristic value in the described verify data;
Step b3, authenticating party carries out comparing after the computing to characteristic value, if then authenticating, the characteristic value coupling passes through, otherwise authentification failure.
The present invention separates storage key with memory device, and storage key is divided into part and the separated portions that is fixed in the terminal, greatly reduces the probability that storage key is broken or identity identifying method is broken, and has improved the fail safe of terminal data storage.
Description of drawings
Fig. 1 realizes the system construction drawing of terminal security storage for the present invention;
Fig. 2 is the authentication schematic diagram of fixed key device;
Fig. 3 is for separating the authentication schematic diagram of key device;
Fig. 4 is for encrypting the authentication schematic diagram of storage device;
Fig. 5 is starting terminal Principle of Process figure;
Fig. 6 is the workflow diagram of security control center;
Fig. 7 authenticates the flow chart of other devices for security control center.
Embodiment
Main design of the present invention is, storage key is separated with memory device, also be about to storage key and storage data separating, and storage key is divided into part and the separated portions that is fixed in the terminal, so just the probability that storage key is broken or identity identifying method is broken can be reduced greatly, thereby the fail safe of terminal data storage can be improved.Illustrate a bit that herein, storage key promptly is the data encryption/decryption key herein.
Below in conjunction with accompanying drawing principle of the present invention and feature are described, institute gives an actual example and only is used to explain the present invention, is not to be used to limit scope of the present invention.
Fig. 1 realizes the system construction drawing of terminal security storage for the present invention.As shown in Figure 1, the present invention realizes that the system 106 of terminal security storage comprises security control center 101, fixed key device 102, separates key device 103 and encrypts storage device 104.Wherein, fixed key device 102 is installed in the terminal non-dismountablely, is used for the fixed key of store storage key; Separate key device 103 and be removably installed in the terminal, be used for the separation key of store storage key; Security control center 101 is used for fixed key device 102, separation key device 103 and encrypts storage device 104 authenticating, and the fixed key in the fixed key device 102 synthesized complete storage key with separation key in separating key device 103, send to and encrypt storage device 104; Encrypt storage device 104 and be used to install storage key, and the input data are encrypted/dateout is decrypted with storage key.
Wherein, terminal can be PC, mobile phone, PDA etc.Wherein, the fixed key device with separate key device and can adopt the implementation of the multiple memory device in the known technology to realize, do not repeat them here.
Below the present invention is realized that the operation principle of the system of terminal security storage describes.
(1) terminal powers on
The present invention realizes in the system of terminal security storage, security control center 101 is security kernel devices of terminal, the present invention realizes that the system of terminal security storage does not comprise master cpu, before master cpu started the control of taking over terminal system, safety control 101 was wanted the following process of control terminal process:
1) fixed key device authentication process;
2) separate the key device verification process;
3) user's authentication process;
4) encrypt the storage device verification process;
5) other peripheral hardware metrics process;
6) key loading procedure;
7) CPU takes over the control process.
Be after terminal powers on, what at first start is security control center 101, and by its power supply with the interface of master cpu 105 pulling master cpu, allow master cpu be in not power-up state, carry out fixed key device authentication, the authentication of separation key device, user's authentication process then, encrypt storage device authentication and other peripheral hardware tolerance.In these processes, there is any one process authentication unsuccessful, then security control center 101 cut-outs separate getting in touch of key device 103 and terminal other parts, and the control power management, allow master cpu 105 and encryption storage device 104 all be in off-position.If verification process is success all, then security control center 101 starts the key loading procedure, data encryption key is packed into encrypt storage device 104.At last, security control center 101 will start master cpu 105, and give master cpu with system's control.The overall flow of security control center 101 work is with reference to Fig. 6, and we will describe in detail the flow process of Fig. 6 at further part.
(2) fixed key device authentication process
Fig. 2 is the authentication schematic diagram of fixed key device.As shown in Figure 2, in fixed key device authentication process, security control center 201 is by control 12, requirement and fixed key device 202 authenticate, security control center 201 is carried out the exchange of verify data by the data 12 of output and the data 21 of input, and in security control center 201, finish authentication, concrete identifying procedure as shown in Figure 7, we will be described in detail later about the flow process of Fig. 7.
(3) separate the key device verification process
Fig. 3 is for separating the authentication schematic diagram of key device.As shown in Figure 3, in separating the key device verification process, security control center 301 is by control 13, require and separate key device 303 and authenticate, security control center 301 is carried out the exchange of verify data by the data 13 of output and the data 31 of input, and in security control center 301, finish authentication, concrete identifying procedure is as shown in Figure 7.
(4) user's authentication process
This process promptly utilizes user's proof of identity interface of separating in key device or the security control center or method that user's identity is authenticated, and technology and device that this process is used belong to prior art, do not do narration at this.
(5) encrypt the storage device verification process
Fig. 4 is for encrypting the authentication schematic diagram of storage device.As shown in Figure 4, in encrypting the storage device verification process, security control center 401 is by control 14, requirement and encryption storage device 404 carry out the characteristic value authentication, the characteristic value that security control center 401 obtains encrypting storage device 404 by the data of importing 41, and finish authentication in security control center 401 inside, concrete identifying procedure is as shown in Figure 7.
(6) other peripheral hardware metrics process
Promptly use security control center, tolerance is removed the process of other peripheral hardware legitimacy of terminal and integrality, and technology and device that this process is used belong to prior art, do not do narration at this.
(7) key is packed into and master cpu adapter control process
Fig. 5 is starting terminal Principle of Process figure.As shown in Figure 5, in this process, security control center 501 is at first by control 12, require fixed key device 502 that a part of storage key of its inside is sent to security control center 501 by data 21, require separation key device 503 another part storage key that it is inner to send to security control center 501 by controlling 13 again by data 31.Security control center 501 uses the key composition algorithm with the synthetic complete storage key of two parts storage key that obtains, and this key is sent to encryption storage device 504 by data 14.Encrypt that storage device 504 obtains and installation key after, tell the installation of security control center 501 keys by data 41, security control center 501 starts master cpus 505 by control 15 immediately, and system's control is surrendered.The data of encrypting storage device 504 by control 54 controls by master cpu 505 are come in and gone out afterwards.Being input to the data 54 of encrypting storage device this moment will encrypt in encrypting storage device 504, data 45 when encrypting storage device 505 outputs with decrypted, the key that uses is exactly the complete storage key that is synthesized and installed by security control center 501, thereby realize the safe storage of data, idiographic flow is seen Fig. 6.
Therefore, realize in the system of terminal security storage in the present invention, data and storage key are stored in the different device of terminal, and storage key is divided into two parts, a part is in the non-removable part fixed key of terminal device, another part need just can obtain complete storage key in conjunction with both in separating key device.Synthesizing in security control center of authentication and key finished, and can remove from terminal and separate key device, promptly separates key device when taking care of at ordinary times and separates with the terminal other parts, increased the difficulty that terminal is stolen by integral body.
Therefore, the present invention realizes the system of terminal security storage, by storage key is separated with memory device, and storage key is divided into part and the separated portions that is fixed in the terminal, greatly reduce the probability that storage key is broken or identity identifying method is broken of terminal, improved the fail safe of terminal data storage.
System based on above-mentioned realization terminal security storage, the invention allows for a kind of method that realizes the terminal security storage, the main design of this method is, be stored in the different device of terminal with the data in the terminal with to the storage key that these data are carried out encrypting and decrypting, and the part of storage key is kept in the device that is installed on this terminal non-dismountablely, another part is kept in the device that is removably installed in this terminal, when using storage key, two parts storage key is synthesized complete storage key, data are carried out encrypt/decrypt with complete storage key.
Fig. 6 is the workflow diagram of security control center, the workflow of security control center also is how the present invention synthesizes complete storage key with two parts key that separates, and data are carried out the process of encrypt/decrypt with complete storage key, as shown in Figure 6, the flow process of the workflow of security control center is:
Step 602 drags down the master cpu power supply of terminal, and master cpu is not powered on;
Step 603 judges whether there is the fixed key device in the terminal system, is execution in step 604 then, otherwise execution in step 627;
Step 604 requires authentication fixed key device;
Step 605 judges whether to obtain fixed key device characteristic data (being characteristic value), is execution in step 606 then, otherwise execution in step 627;
Step 606 authenticates the fixed key device, and judges and whether the authentication of fixed key device is passed through, then execution in step 607, otherwise execution in step 627;
Step 607 judges whether there is the separation key device in the terminal system, is execution in step 608 then, otherwise execution in step 627;
Step 608 requires authentication to separate key device;
Step 609 judges whether to separate key device characteristic (being characteristic value), is execution in step 610 then, otherwise execution in step 627;
Step 610 authenticates separating key device, and judges and whether the authentication that separates key device is passed through, then execution in step 611, otherwise execution in step 627;
Step 611 requires authentication user identity;
Step 612 judges whether there is the encryption storage device in the terminal system, is execution in step 613 then, otherwise execution in step 627;
Step 613 requires the authenticated encryption storage device;
Step 614 judges whether to encrypt storage device characteristic (being characteristic value), is execution in step 615 then, otherwise execution in step 627;
Step 615 authenticates encrypting storage device, and judges and whether the authentication of encrypting storage device is passed through, then execution in step 616, otherwise execution in step 627;
Step 616 requires other equipment of tolerance;
Step 617 judges whether the tolerance result is legal, is execution in step 618 then, otherwise execution in step 627;
Step 618 requires to obtain encryption key A part from the fixed key device, and A partly represents to be stored in that part of storage key in the fixed key device herein;
Step 619 judges whether to obtain the A part, is execution in step 620 then, otherwise execution in step 627;
Step 620 requires to obtain encryption key B part from separating key device, and B partly represents to be stored in that part of storage key that separates in the key device herein;
Step 621 judges whether to obtain the B part, is execution in step 622 then, otherwise execution in step 627;
Step 623 mails to the encryption storage device with key E;
Step 624 judges whether to obtain key and finishes to install and reply, and is execution in step 625 then, otherwise execution in step 627, key is finished to install and is replied from encrypting storage device;
Step 625 is drawn high the master cpu power supply, makes the master cpu electrifying startup;
Step 628 finishes.
Fig. 7 authenticates the flow chart of other devices for security control center.Other devices described here comprise the fixed key device, separate key device, encrypt storage device etc.As shown in Figure 7, the security control center flow process that authenticates other devices comprises:
With step 702 accordingly, in the step 712, other devices are handled verify datas, for example public key encryption sends to security control center by step 713 with verify data then;
Step 705, authentification failure;
Step 706 is handled verify data, for example private key deciphering;
Therefore the present invention realizes that the method for terminal security storage greatly reduces the probability that storage key is broken or identity identifying method is broken of terminal, has improved the fail safe of terminal data storage.
The above only is preferred embodiment of the present invention, and is in order to restriction the present invention, within the spirit and principles in the present invention not all, any modification of being done, is equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (5)
1. a system that realizes the terminal security storage is characterized in that, comprise security control center, fixed key device, separate key device and encrypt storage device, wherein:
Described fixed key device is installed in the terminal non-dismountablely, is used for the fixed key of store storage key;
Described separation key device is removably installed in the terminal, is used for the separation key of store storage key;
Described security control center, be used for described fixed key device, separation key device and encrypt storage device authenticating, and the fixed key in the described fixed key device synthesized complete storage key with the described separation key that separates in the key device, send to described encryption storage device;
Described encryption storage device is used to install described storage key, and with described storage key the input data is encrypted/dateout is decrypted.
2. the system of realization terminal security storage according to claim 1 is characterized in that described terminal is PC, mobile phone or personal digital assistant PDA.
3. method that realizes terminal security storage, system based on the described realization terminal security storage of claim 1, it is characterized in that, be stored in the different device of terminal with the data in the terminal with to the storage key that these data are carried out encrypting and decrypting, and the part of storage key is kept in the device that is installed on described terminal non-dismountablely, another part is kept in the device that is removably installed in described terminal, when using described storage key, two parts storage key is synthesized complete storage key, data are carried out encrypt/decrypt with complete storage key.
4. the method for realization terminal security according to claim 3 storage is characterized in that, described two parts storage key is synthesized complete storage key, and the process of data being carried out encrypt/decrypt with complete storage key comprises:
Step a, system powers on, and drags down the master cpu power supply of terminal, and master cpu is not powered on;
Step b, security control center authenticates fixed key device, separation key device, user's identity, encryption storage device respectively, if then execution in step c is passed through in authentication, otherwise the cut-out system power supply;
Step c, security control center is obtained the part of storage key from the fixed key device, obtains another part of storage key from separate key device, then two parts is synthesized complete storage key, sends to the encryption storage device;
Steps d is encrypted storage device and is received, installs complete storage key, and notifies security control center with the information of storage key installation;
Step e after security control center receives the notice of storage key installation, draws high the master cpu power supply, makes the master cpu electrifying startup, encrypts storage device and with complete storage key the input data is encrypted/dateout is decrypted.
5. the method for realization terminal security storage according to claim 4 is characterized in that, among the described step b, security control center to the process that fixed key device, separation key device and encryption storage device authenticate is:
Step b1, authenticating party sends the control command that requires authentication to certified side, and described authenticating party is a security control center, and described certified side is the fixed key device, separates key device or encrypt storage device;
Step b2, certified direction authenticating party return authentication data contain characteristic value in the described verify data;
Step b3, authenticating party carries out comparing after the computing to characteristic value, if then authenticating, the characteristic value coupling passes through, otherwise authentification failure.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010166210XA CN102244576A (en) | 2010-05-10 | 2010-05-10 | System and method for realizing terminal safety storage |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010166210XA CN102244576A (en) | 2010-05-10 | 2010-05-10 | System and method for realizing terminal safety storage |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102244576A true CN102244576A (en) | 2011-11-16 |
Family
ID=44962436
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201010166210XA Pending CN102244576A (en) | 2010-05-10 | 2010-05-10 | System and method for realizing terminal safety storage |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102244576A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2014063361A1 (en) * | 2012-10-26 | 2014-05-01 | Nokia Corporation | Methods and apparatus for data access control |
| US10581856B2 (en) | 2015-01-19 | 2020-03-03 | Nokia Technologies Oy | Method and apparatus for heterogeneous data storage management in cloud computing |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1234574A (en) * | 1998-01-14 | 1999-11-10 | 耶德托公司 | Integrated circuit and smart card comprising such circuit |
| US20040034600A1 (en) * | 2002-06-03 | 2004-02-19 | Matsushita Electric Industrial Co., Ltd. | Contents distribution system, contents distribution apparatus, terminal, and method of distributing contents |
| CN101562040A (en) * | 2008-04-15 | 2009-10-21 | 航天信息股份有限公司 | High-security mobile memory and data processing method thereof |
-
2010
- 2010-05-10 CN CN201010166210XA patent/CN102244576A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1234574A (en) * | 1998-01-14 | 1999-11-10 | 耶德托公司 | Integrated circuit and smart card comprising such circuit |
| US20040034600A1 (en) * | 2002-06-03 | 2004-02-19 | Matsushita Electric Industrial Co., Ltd. | Contents distribution system, contents distribution apparatus, terminal, and method of distributing contents |
| CN101562040A (en) * | 2008-04-15 | 2009-10-21 | 航天信息股份有限公司 | High-security mobile memory and data processing method thereof |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2014063361A1 (en) * | 2012-10-26 | 2014-05-01 | Nokia Corporation | Methods and apparatus for data access control |
| CN104756441A (en) * | 2012-10-26 | 2015-07-01 | 诺基亚技术有限公司 | Methods and apparatus for data access control |
| US9602480B2 (en) | 2012-10-26 | 2017-03-21 | Nokia Technologies Oy | Methods and apparatus for data access control |
| CN104756441B (en) * | 2012-10-26 | 2018-05-18 | 诺基亚技术有限公司 | For the method and apparatus of data access control |
| US10581856B2 (en) | 2015-01-19 | 2020-03-03 | Nokia Technologies Oy | Method and apparatus for heterogeneous data storage management in cloud computing |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN100490372C (en) | A method for backup and recovery of encryption key | |
| US9479329B2 (en) | Motor vehicle control unit having a cryptographic device | |
| US10693641B2 (en) | Secure container based protection of password accessible master encryption keys | |
| CN108924147B (en) | Communication terminal digital certificate issuing method, server and communication terminal | |
| CN101674575B (en) | Method for protecting security of mobile communication terminal data and device thereof | |
| EP2290873B1 (en) | Protocol for protecting content protection data | |
| CN100495421C (en) | Authentication protection method based on USB device | |
| CN106911476B (en) | Encryption and decryption device and method | |
| CN102781001A (en) | Method for encrypting built-in file of mobile terminal and mobile terminal | |
| CN109035519B (en) | Biological feature recognition device and method | |
| CN107864124B (en) | Terminal information security protection method, terminal and Bluetooth lock | |
| CN102831346B (en) | A kind of file protecting system carries out the method for file encryption-decryption | |
| WO2005091149A1 (en) | Backup device, backed-up device, backup intermediation device, backup system, backup method, data restoration method, program, and recording medium | |
| CN106533663B (en) | Data ciphering method, encryption method, apparatus and data decryption method, decryption method, apparatus | |
| CN103560892A (en) | Secret key generation method and secret key generation device | |
| CN1901443A (en) | Remote de-locking method of information safety device | |
| CN103414564A (en) | Secrete key card, secrete key device and method for protecting private key | |
| CN101815292A (en) | Device and method for protecting data of mobile terminal | |
| CN105631298A (en) | Encryption/decryption device and method | |
| CN108173926A (en) | One-key start automobile method, system and user terminal and T-box terminals | |
| CN108959962B (en) | API (application programming interface) secure calling method of dynamic library | |
| CN201716734U (en) | Usb safe storage encryption device | |
| CN102244576A (en) | System and method for realizing terminal safety storage | |
| EP2747334B1 (en) | A secure storage system including a virtual safe device and a mobile secure storage device | |
| JP5169904B2 (en) | Data backup system, decryption device, and data backup method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C12 | Rejection of a patent application after its publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20111116 |