A mobile storage device data security management method and device
By using a dynamic key fragment generation method, combined with collaborative verification between the terminal device and the policy server, and by binding the physical status of the mobile storage device in real time, the problem of data leakage caused by static authorization is solved. This achieves a strong correlation between security permissions and real-time status, thereby improving data security and forward security of access.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- ZHIXUN CIPHER (SHANGHAI) TESTING TECH CO LTD
- Filing Date
- 2026-04-01
- Publication Date
- 2026-07-03
AI Technical Summary
The static passwords or built-in encryption schemes of existing mobile storage devices allow for long-term access with a single authorization, which means that even if the device is lost or illegally removed, the internal sensitive data will still be at risk of continuous exposure.
A dynamic key fragment generation method is adopted. Through the collaboration between the terminal device and the policy server, the location and timestamp are verified in real time to generate dynamic key fragments, which are then placed under the control of the terminal device. This separates the control layer from the data layer and ensures that each decryption key request is bound to a fresh physical state.
It achieves a strong correlation and dynamic synchronization between the real-time status and security permissions of mobile storage devices, preventing data loss due to unauthorized location changes and improving the security of the runtime environment and forward security for continuous access.
Smart Images

Figure CN122339747A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of data security, specifically to a method and apparatus for data security management of mobile storage devices. Background Technology
[0002] The widespread adoption of mobile storage devices has brought convenient data exchange, but it has also raised serious challenges to data security. Current mainstream static passwords or built-in encryption schemes generally suffer from rigid and outdated security mechanisms.
[0003] Existing technologies typically employ a one-time authentication model, granting long-term or permanent access once a device or user is authenticated at a certain point. This "once and for all" access authorization means that even if a device is lost or illegally removed, sensitive internal data remains at risk of continuous exposure. Summary of the Invention
[0004] In view of the above problems, this application provides a method for managing data security of mobile storage devices, which overcomes or at least partially solves the problem of data leakage caused by long-term access with a single authorization.
[0005] One aspect of this application provides a method for data security management of a mobile storage device. The method includes: sending a session request to a terminal device; receiving an identity verification certificate and identity challenge returned by the terminal device; after verifying the identity verification certificate returned by the terminal device, obtaining the current location and timestamp; sending the current location and timestamp to a location service platform for verification; receiving a verification credential returned by the location service platform; the verification credential is a credential for verifying the current location and timestamp. The method involves responding to the identity challenge from the terminal device and submitting the verification credential to the terminal device; after the terminal device obtains an authorization token from a policy server based on the verification credential and generates a dynamic key fragment, receiving the dynamic key fragment; and generating a data decryption key based on the dynamic key fragment to decrypt the file encryption key and decrypt user data.
[0006] In this embodiment, the mobile storage device submits verification credentials to the terminal device. After the terminal device obtains an authorization token from the policy server based on the verification credentials and generates a dynamic key fragment, receiving the dynamic key fragment provides a dynamic access control method that is linked to the physical environment, effectively overcoming the security lag of static authorization. When initiating access, the mobile storage device not only performs identity verification but also actively obtains and submits real-time status proof containing timestamps and geographical locations. This ensures that each decryption key application is bound to a fresh and verifiable physical state. When the location state of the mobile storage device undergoes an unauthorized change, it will be unable to provide a new, compliant location state proof, thus immediately losing data access capabilities. This achieves a strong correlation and dynamic synchronization between security permissions and the real-time state of the mobile storage device.
[0007] Furthermore, this application places the dynamic key fragment under the control of the terminal device, while the mobile storage device itself only retains a fixed basic key. This design separates the control layer from the data layer, so even if an attacker physically possesses the mobile storage device, they cannot unilaterally obtain a valid data decryption key, thus solving the problem of easy data leakage caused by long-term access granted with a single authorization.
[0008] In one alternative approach, the session request includes the mobile storage device identifier and a first random number.
[0009] In one alternative approach, the authentication includes a certificate of the terminal device and a signature of the terminal device on a first random number; the authentication challenge is a second random number sent by the terminal device to the mobile storage device.
[0010] In one alternative approach, the renewal seed generated by the terminal device based on the authorization token and the extracted session identifier are obtained.
[0011] In one alternative approach, after generating a data decryption key based on a dynamic key fragment to decrypt the file encryption key and decrypting the user data, the method further includes: encrypting the file encryption key again using the data decryption key.
[0012] In this way, the plaintext state of the file encryption key in the working memory is only transient, and it is immediately re-encrypted and written back to storage after the data decryption task is completed. This effectively eliminates the risk that the plaintext of the file encryption key may be read by malicious programs or physical attacks due to its remaining in memory, thus improving the security of the runtime environment.
[0013] In an alternative approach, the method further includes: obtaining new authentication credentials from the location service platform before the dynamic key fragment expires; sending a renewal request containing a session identifier, new authentication credentials, and a renewal seed to the terminal device; receiving a new dynamic key fragment generated by the terminal device; generating a new data decryption key based on the new dynamic key fragment; decrypting the file encryption key using the previously generated data decryption key, and immediately reencrypting the file encryption key using the new data decryption key to update the storage.
[0014] This embodiment completes the periodic and mandatory rotation of data decryption keys without interrupting the data stream service, ensuring that the file encryption key is never exposed in plaintext form to unprotected storage at any time, and achieving forward security in continuous access scenarios, that is, the leakage of old data decryption keys does not affect data security.
[0015] Another aspect of this application provides a method for data security management of a mobile storage device, comprising: receiving a session request sent by the mobile storage device; providing identity verification to the mobile storage device and initiating an identity challenge; receiving the mobile storage device's response to the identity challenge and verification credentials, and verifying the mobile storage device's response to the identity challenge; sending the verification credentials to a policy server to request location compliance verification; upon receiving an access permission instruction and an authorization token, generating a dynamic key fragment and a renewal seed, and extracting a session identifier from the authorization token; encrypting the dynamic key fragment and the renewal seed using the mobile storage device's public key; and sending the encrypted dynamic key fragment, the renewal seed, and the session identifier to the mobile storage device.
[0016] This embodiment constructs a secure, controllable, and auditable key distribution hub. Specifically, the terminal device does not simply forward requests, but acts as the first line of defense for policy enforcement, proactively initiating identity challenges and verifying the mobile storage device's response to the challenges, initially filtering out invalid or malicious requests. Upon receiving the policy server's instruction to allow access and authorization token, a dynamic key fragment is generated, ensuring the legitimacy and authority of the key distribution. By encrypting the dynamic key fragment and renewal seed using the mobile storage device's public key, end-to-end confidentiality of the key distribution is ensured; even if the communication channel is intercepted, attackers cannot obtain the key content. Simultaneously, the generation and secure distribution of the renewal seed lays the groundwork for a subsequent implementation of an efficient session renewal mechanism that eliminates the need for repeated full authentication and only verifies location compliance, thus balancing security and continuous availability.
[0017] In one optional approach, the method further includes: receiving a renewal request from a mobile storage device, the renewal request containing a session identifier, new verification credentials, and a renewal seed; querying the local storage renewal seed based on the session identifier, and verifying whether the received renewal seed matches the local storage renewal seed; after verifying that the received renewal seed matches the local storage renewal seed, sending the new verification credentials to the policy server to request renewal location compliance verification; upon receiving an access permission instruction and a new authorization token, generating a new dynamic key fragment and a new renewal seed, and extracting the new session identifier from the authorization token; encrypting the new dynamic key fragment and the new renewal seed using the mobile storage device's public key; and sending the encrypted new dynamic key fragment, the new renewal seed, and the new session identifier to the mobile storage device.
[0018] By querying and comparing renewal seeds, a highly efficient and secure session continuity verification mechanism is implemented. This enables terminal devices to quickly verify the legitimacy of mobile storage device renewal requests—that is, to prove they are the legitimate holders of the previous authorized session—without relying on complex identity re-authentication. Only compliance verification of the new verification credentials is required. This simplifies the renewal process, reduces the interaction load and computational overhead with the policy server, and thus improves overall efficiency and response speed in long-term data access scenarios while ensuring strict enforcement of location continuity compliance, achieving an optimized balance between security and performance.
[0019] Another aspect of this application embodiment provides a mobile storage device data security management apparatus, the apparatus comprising: a first sending module, configured to send a session request to a terminal device; a first receiving module, configured to receive an identity certificate and identity challenge returned by the terminal device; a verification acquisition module, configured to acquire the current location and timestamp after verifying the identity certificate returned by the terminal device; a second sending module, configured to send the current location and timestamp to a location service platform for verification; a second receiving module, configured to receive a verification credential returned by the location service platform; the verification credential is a credential for verifying the current location and timestamp; a response submission module, configured to respond to the identity challenge of the terminal device and submit the verification credential to the terminal device; a third receiving module, configured to receive the dynamic key fragment after the terminal device obtains an authorization token from a policy server based on the verification credential and generates a dynamic key fragment; and a decryption module, configured to generate a data decryption key based on the dynamic key fragment to decrypt the file encryption key and decrypt user data.
[0020] Another embodiment of this application provides a data security management device for a mobile storage device. The device includes: a fourth receiving module for receiving a session request sent by the mobile storage device; a proof challenge module for providing identity proof to the mobile storage device and initiating an identity challenge; a receiving verification module for receiving the mobile storage device's response to the identity challenge and verification credentials; a response verification module for verifying the mobile storage device's response to the identity challenge; a request module for sending the verification credentials to a policy server to request location compliance verification; a generation module for generating a dynamic key fragment and a renewal seed upon receiving an access permission instruction and an authorization token, and extracting a session identifier from the authorization token; an encryption module for encrypting the dynamic key fragment and the renewal seed using the mobile storage device's public key; and a third sending module for sending the encrypted dynamic key fragment, renewal seed, and session identifier to the mobile storage device.
[0021] The above description is merely an overview of the technical solutions of the embodiments of this application. In order to better understand the technical means of the embodiments of this application and to implement them in accordance with the contents of the specification, and to make the above and other objects, features and advantages of the embodiments of this application more obvious and understandable, specific implementation methods of this application are described below. Attached Figure Description
[0022] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0023] Figure 1 This is a flowchart illustrating a method for managing data security in a mobile storage device, provided in some embodiments of this application.
[0024] Figure 2 A flowchart illustrating another method for managing data security of mobile storage devices provided in some embodiments of this application.
[0025] Figure 3 This application provides a mobile storage device data security management and control device according to an embodiment of the present application.
[0026] Figure 4 Another mobile storage device data security management device is provided as an embodiment of this application. Detailed Implementation
[0027] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0028] Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used herein in the specification of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application.
[0029] The terms "comprising" and "having," and any variations thereof, used in the specification, claims, and drawings of this application are intended to cover without excluding other meanings. The words "a" or "an" do not exclude the presence of multiples.
[0030] The term "embodiment" as used herein means that a particular feature, structure, or characteristic described in connection with an embodiment may be included in at least one embodiment of this application. The appearance of the phrase "embodiment" in various places throughout the specification does not necessarily refer to the same embodiment, nor is it a separate or alternative embodiment mutually exclusive with other embodiments. It will be explicitly and implicitly understood by those skilled in the art that the embodiments described herein can be combined with other embodiments.
[0031] Furthermore, the terms "first," "second," etc., in the specification and claims of this application or in the aforementioned drawings are used to distinguish different objects rather than to describe a specific order, and may explicitly or implicitly include one or more of the features.
[0032] In the description of this application, unless otherwise stated, "multiple" means two or more (including two), and similarly, "multiple groups" means two or more (including two groups).
[0033] In the description of this application, it should be noted that, unless otherwise explicitly specified and limited, the terms "installation," "connection," and "linkage" should be interpreted broadly. For example, "connection" or "linkage" in mechanical structures can refer to a physical connection, such as a fixed connection, for example, a connection fixed by fasteners, such as a connection fixed by screws, bolts, or other fasteners; a physical connection can also be a detachable connection, such as a snap-fit or interlocking connection; a physical connection can also be an integral connection, such as a connection formed by welding, bonding, or integral molding. In circuit structures, "connection" or "linkage" can refer not only to a physical connection but also to an electrical connection or a signal connection. For example, it can be a direct connection, i.e., a physical connection, or an indirect connection through at least one intermediate component, as long as the circuit is connected; it can also refer to the internal connection of two components. Signal connection can refer not only to signal connection through a circuit but also to signal connection through a media, such as radio waves. Those skilled in the art can understand the specific meaning of the above terms in this application based on the specific circumstances.
[0034] This application provides a method for data security management of mobile storage devices. Please refer to... Figure 1 , Figure 1 This is a flowchart illustrating a method for managing data security in a mobile storage device, provided in some embodiments of this application.
[0035] like Figure 1 As shown, the mobile storage device data security management method provided in this application embodiment includes the following steps 101 to 108: Step 101: Send a session request to the terminal device.
[0036] The session request includes a removable storage device identifier and a first random number.
[0037] Step 102: Receive the identity verification and identity challenge returned by the terminal device.
[0038] The identity verification includes the terminal device's certificate and the terminal device's signature on the first random number; the identity challenge is the second random number sent by the terminal device to the mobile storage device.
[0039] Step 103: After verifying the identity certificate returned by the terminal device, obtain the current location and timestamp.
[0040] For example, a mobile storage device can verify the terminal device's certificate, such as verifying the certificate's validity. The terminal device's public key can be extracted from the root certificate of a pre-configured policy server to verify the terminal device's signature on a first random number.
[0041] Step 104: Send the current location and timestamp to the location service platform for verification.
[0042] In practical applications, the mobile storage device also simultaneously sends a mobile storage device identifier, a first random number / second random number, and a signature of the current location, timestamp, mobile storage device identifier, and digest of the first / second random number to the location service platform. This signature of the current location, timestamp, mobile storage device identifier, and digest of the first / second random number can be used to inform the location service platform what information it has sent.
[0043] The location service platform can extract the public key of the mobile storage device from the root certificate of the pre-installed policy server to verify the signature of the mobile storage device. It also verifies the freshness of the timestamp by cross-verifying the current location of the mobile storage device using triangulation from the base station. Once the above verifications are successful, the location service platform sends verification credentials to the mobile storage device.
[0044] Step 105: Receive the verification credentials returned by the location service platform.
[0045] Among them, the verification credential is a credential used to verify the current location and timestamp.
[0046] Step 106: Respond to the identity challenge from the terminal device and submit verification credentials to the terminal device.
[0047] Step 107: After the terminal device obtains the authorization token from the policy server based on the verification credentials and generates a dynamic key fragment, it receives the dynamic key fragment.
[0048] Step 108: Generate a data decryption key based on the dynamic key fragment to decrypt the file encryption key and decrypt the user data.
[0049] In some embodiments, the terminal device may send an authorization token signed by the policy server to the mobile storage device, and the mobile storage device may verify the authenticity of the authorization token's signature based on the root certificate of the pre-installed policy server.
[0050] The mobile storage device internally stores a master key. The master key and a dynamic key fragment are used to derive a data decryption key through a key derivation function. The data decryption key is used to decrypt the plaintext into a symmetric key, which is then used to decrypt the user data.
[0051] In this embodiment, the mobile storage device submits verification credentials to the terminal device. After the terminal device obtains an authorization token from the policy server based on the verification credentials and generates a dynamic key fragment, receiving the dynamic key fragment provides a dynamic access control method that is linked to the physical environment, effectively overcoming the security lag of static authorization. When initiating access, the mobile storage device not only performs identity verification but also actively obtains and submits real-time status proof containing timestamps and geographical locations. This ensures that each decryption key application is bound to a fresh and verifiable physical state. When the location state of the mobile storage device undergoes an unauthorized change, it will be unable to provide a new, compliant location state proof, thus immediately losing data access capabilities. This achieves a strong correlation and dynamic synchronization between security permissions and the real-time state of the mobile storage device.
[0052] Furthermore, this application places the dynamic key fragment under the control of the terminal device, while the mobile storage device itself only retains a fixed basic key. This design separates the control layer from the data layer, so even if an attacker physically possesses the mobile storage device, they cannot unilaterally obtain a valid data decryption key.
[0053] In some embodiments, the terminal device obtains the renewal seed generated based on the authorization token and the extracted session identifier.
[0054] In some embodiments, after generating a data decryption key based on a dynamic key fragment to decrypt the file encryption key and decrypt user data, the method further includes: encrypting the file encryption key again using the data decryption key.
[0055] In this way, the plaintext state of the file encryption key in the working memory is only transient, and it is immediately re-encrypted and written back to storage after the data decryption task is completed. This effectively eliminates the risk that the plaintext of the file encryption key may be read by malicious programs or physical attacks due to its remaining in memory, thus improving the security of the runtime environment.
[0056] In some embodiments, the mobile storage device further calculates the renewal trigger time based on the generation time and lifespan of the dynamic key fragment sent by the terminal device. For example, the renewal trigger time is obtained by adding the generation time of the dynamic key fragment to the lifespan and subtracting the reserved trigger time. The reserved trigger time can be 10 seconds.
[0057] In some embodiments, the method further includes: obtaining new authentication credentials from the location service platform before the dynamic key fragment expires; sending a renewal request containing a session identifier, new authentication credentials, and a renewal seed to the terminal device; receiving a new dynamic key fragment generated by the terminal device; generating a new data decryption key based on the new dynamic key fragment; decrypting the file encryption key using the previously generated data decryption key, and immediately reencrypting the file encryption key using the new data decryption key to update the storage.
[0058] The time to obtain new verification credentials from the location service platform should be after the renewal trigger time and before the expiration time of the dynamic key fragment.
[0059] Specifically, the mobile storage device sends a mobile storage device identifier, a new timestamp, a new current location, a session identifier sent by the terminal device, and a signature of a digest of the above information to the location service platform, and then obtains new authentication credentials from the location service platform. It then sends a renewal request to the terminal device containing the session identifier, the new authentication credentials, a renewal seed, and a signature of a digest of the above information.
[0060] After the terminal device obtains a new authorization token from the policy server based on the verification credentials, and generates a new dynamic key fragment, a new renewal seed, and a newly extracted session identifier, it receives and decrypts the new dynamic key fragment and the new renewal seed, and receives the new session identifier. Based on the new dynamic key fragment, a new data decryption key is generated. The old data decryption key is used to decrypt the file encryption key, and the new data decryption key is used to re-encrypt the file encryption key. Storage is overwritten, erasing the plaintext of the old data decryption key and the file encryption key. The session state is updated using the received new session identifier. This prevents the patterns of information transmission parameters from being broken, for example, through side-channel attacks. Attackers might analyze side-channel information such as power consumption, electromagnetic radiation, and timing of the mobile storage device to deduce the data decryption key. This application can prevent the leakage of the data decryption key from leading to the leakage of the file encryption key, allowing other devices to directly read user data on the mobile storage device.
[0061] This embodiment completes the periodic and mandatory rotation of data decryption keys without interrupting the data stream service, ensuring that the file encryption key is never exposed in plaintext form to unprotected storage at any time, and achieving forward security in continuous access scenarios, that is, the leakage of old data decryption keys does not affect data security.
[0062] Figure 2 A flowchart illustrating another method for data security management of mobile storage devices provided in some embodiments of this application. For example... Figure 2 As shown, the mobile storage device data security management method provided in this application embodiment includes the following steps 201 to 208: Step 201: Receive a session request sent by the mobile storage device.
[0063] Step 202: Provide proof of identity to the mobile storage device and initiate an identity challenge.
[0064] Step 203: Receive the mobile storage device's response to the identity challenge and verification credentials.
[0065] In this context, the mobile storage device's response to the identity challenge refers to the mobile storage device signing the second random number sent by the terminal device.
[0066] Step 204: Verify the mobile storage device's response to the identity challenge.
[0067] Terminal devices can extract the public key of the mobile storage device from the root certificate of the pre-installed policy server to verify the signature of the mobile storage device.
[0068] Step 205: Send the verification credentials to the policy server to request location compliance verification.
[0069] In practical applications, before sending the verification credentials to the policy server, the terminal device can also verify the credentials for the current location. Specifically, the terminal device can extract the public key of the location service platform from the root certificate of the pre-installed policy server to verify the credentials for the current location. The terminal device can also verify the freshness of the timestamp.
[0070] The terminal device can also pre-judge the location information in the certificate of the current location based on the electronic fence range issued by the policy server. After pre-judging that the location information in the certificate of the current location is within the electronic fence range, the terminal device will send the verification certificate to the policy server to request location compliance verification.
[0071] Specifically, sending verification credentials to the policy server to request location compliance verification includes sending an evidence package and a digest of the evidence package signed by the terminal device to the policy server. The evidence package may include a first random number, a second random number, a signature of the second random number sent by the mobile storage device to the terminal device, the current location of the mobile storage device, and verification credentials, etc.
[0072] Step 206: Upon receiving the access permission instruction and authorization token, generate a dynamic key fragment and a renewal seed, and extract the session identifier from the authorization token.
[0073] In some embodiments, the terminal device may also receive the policy server's signature on the authorization token. The terminal device may extract the policy server's public key from the preset policy server's root certificate to verify the policy server's signature on the authorization token.
[0074] Step 207: Encrypt the dynamic key fragment and renewal seed using the public key of the mobile storage device.
[0075] Step 208: Send the encrypted dynamic key fragment, renewal seed, and session identifier to the removable storage device.
[0076] In some embodiments, the terminal device also sends the signature of the authorization token by the policy server, the generation time of the dynamic key fragment, the lifecycle time, and the signature of the digest of all sent content to the mobile storage device.
[0077] This embodiment constructs a secure, controllable, and auditable key distribution hub. Specifically, the terminal device does not simply forward requests, but acts as the first line of defense for policy enforcement, proactively initiating identity challenges and verifying the mobile storage device's response to the challenges, initially filtering out invalid or malicious requests. Upon receiving the policy server's instruction to allow access and authorization token, a dynamic key fragment is generated, ensuring the legitimacy and authority of the key distribution. By encrypting the dynamic key fragment and renewal seed using the mobile storage device's public key, end-to-end confidentiality of the key distribution is ensured; even if the communication channel is intercepted, attackers cannot obtain the key content. Simultaneously, the generation and secure distribution of the renewal seed lays the groundwork for a subsequent implementation of an efficient session renewal mechanism that eliminates the need for repeated full authentication and only verifies location compliance, thus balancing security and continuous availability.
[0078] In some embodiments, the method further includes: receiving a renewal request sent by a mobile storage device, the renewal request including a session identifier, a new verification credential, and a renewal seed; querying the locally stored renewal seed based on the session identifier, and verifying whether the received renewal seed is consistent with the locally stored renewal seed; after verifying that the received renewal seed is consistent with the locally stored renewal seed, sending the new verification credential to the policy server to request renewal location compliance verification; upon receiving an instruction to allow access and a new authorization token, generating a new dynamic key fragment and a new renewal seed, and extracting the new session identifier from the authorization token; the terminal device storing the new renewal seed and the new session identifier extracted from the new authorization token; the terminal device encrypting the new dynamic key fragment and the new renewal seed using the public key of the mobile storage device; and sending the encrypted new dynamic key fragment, the new renewal seed, and the new session identifier to the mobile storage device.
[0079] By querying and comparing renewal seeds, a highly efficient and secure session continuity verification mechanism is implemented. This enables terminal devices to quickly verify the legitimacy of mobile storage device renewal requests—that is, to prove they are the legitimate holders of the previous authorized session—without relying on complex identity re-authentication. Only compliance verification of the new verification credentials is required. This simplifies the renewal process, reduces the interaction load and computational overhead with the policy server, and thus improves overall efficiency and response speed in long-term data access scenarios while ensuring strict enforcement of location continuity compliance, achieving an optimized balance between security and performance.
[0080] The following is a detailed description of the mobile storage device data security management method according to an embodiment of this application, using a specific example.
[0081] In the initial stage, the policy server sends parameters such as the geofence range, cryptographic algorithm logic, dynamic key fragments, trust root certificate, and time verification to the terminal device.
[0082] The mobile storage device sends a session request to the terminal device. The session request includes the mobile storage device identifier and a first random number. The terminal device receives the session request from the mobile storage device, provides identity verification to the mobile storage device, and initiates an identity challenge. The mobile storage device receives the identity verification and identity challenge returned by the terminal device. The identity verification includes the terminal device's certificate and the terminal device's signature on the first random number; the identity challenge is a second random number sent by the terminal device to the mobile storage device. After verifying the identity verification returned by the terminal device, the mobile storage device obtains its current location and timestamp. The mobile storage device sends its current location, timestamp, mobile storage device identifier, first random number / second random number, and a signature of the digest of the current location, timestamp, mobile storage device identifier, and first random number / second random number to the location service platform. The location service platform can extract the mobile storage device's public key from the root certificate of the pre-installed policy server to verify the mobile storage device's signature. The timestamp's freshness is verified by cross-verifying the mobile storage device's current location using triangulation from the base station. After successful verification, the location service platform sends verification credentials to the mobile storage device. The mobile storage device receives the verification credentials returned by the location service platform. The verification credential is used to verify the current location and timestamp. The mobile storage device responds to the terminal device's identity challenge and submits the verification credential to the terminal device. The terminal device receives the mobile storage device's response to the identity challenge and the verification credential, and verifies the mobile storage device's response to the identity challenge. The terminal device can extract the public key of the location service platform from the root certificate of the pre-installed policy server to verify the current location credential. The terminal device can also verify the freshness of the timestamp. The terminal device can also pre-judge the location information in the current location credential based on the electronic fence range issued by the policy server. After pre-judging that the location information in the current location credential is within the electronic fence range, the terminal device sends the verification credential to the policy server to request location compliance verification. Sending the verification credential to the policy server to request location compliance verification includes sending an evidence package and a digest of the evidence package signed by the terminal device to the policy server. The evidence package may include a first random number, a second random number, the signature of the second random number sent by the mobile storage device to the terminal device, the current location of the mobile storage device, and the verification credential, etc. The policy server verifies the evidence package signed by the terminal device and verifies the signature of the second random number sent by the mobile storage device to the terminal device to determine the identities of the mobile storage device and the terminal device, respectively. The policy server verifies the credentials for the current location and timestamp. These credentials are signed by the location service platform, which can extract the platform's public key from the root certificate to verify them. The policy server further compares the current location with the geofence range. If the current location is within the geofence range, it generates a session identifier and sends an access permission command and authorization token to the terminal device.The session identifier, Session_S1, is determined by a first random number, Nonce_N, and a second random number, Nonce_B, i.e., Session_S1 = Hash(Nonce_N || Nonce_B). When the current location is outside the electronic fence range, an access denial command is sent to the terminal device.
[0083] When the terminal device receives the access permission instruction and authorization token, it generates a dynamic key fragment and a renewal seed, and extracts a session identifier from the authorization token. The terminal device also receives the policy server's signature on the authorization token. The terminal device can extract the policy server's public key from the pre-installed policy server's root certificate to verify the policy server's signature on the authorization token. The terminal device uses the removable storage device's public key to encrypt the dynamic key fragment and renewal seed, and sends the encrypted dynamic key fragment, renewal seed, and session identifier to the removable storage device. The terminal device also sends the policy server's signature on the authorization token, the generation time and lifespan of the dynamic key fragment, and a signature of the digest of all sent content to the removable storage device.
[0084] The mobile storage device receives and decrypts a dynamic key fragment, a renewal seed, and a session identifier. The mobile storage device verifies the authenticity of the authorization token's signature based on the root certificate of a pre-installed policy server. The mobile storage device internally stores a master key; the master key and the dynamic key fragment are used to derive a data decryption key through a key derivation function. The data decryption key decrypts the plaintext symmetric key, which is then used to decrypt the user data. After decrypting the user data, the mobile storage device re-encrypts the file encryption key using the data decryption key. The mobile storage device also calculates the renewal trigger time based on the generation time and lifespan of the dynamic key fragment sent by the terminal device. For example, adding the lifespan of the dynamic key fragment to the generation time and subtracting the reserved trigger time gives the renewal trigger time. The reserved trigger time can be 10 seconds. Before the dynamic key fragment expires, the mobile storage device retrieves a new verification credential from the location service platform. The mobile storage device sends a renewal request to the terminal device containing the session identifier, new verification credential, and a renewal seed. The terminal device queries its locally stored renewal seed based on the session identifier and verifies whether the received renewal seed matches the locally stored renewal seed. After verifying that the received renewal seed matches the locally stored renewal seed, the new verification credentials are sent to the policy server to request renewal location compliance verification. The policy server further compares the new current location with the geofence range. If the new current location is within the geofence range, a new session identifier is generated, and an access permission instruction and a new authorization token are sent to the terminal device.
[0085] When the terminal device receives an access permission instruction and a new authorization token, it generates a new dynamic key fragment, a new renewal seed, and extracts a new session identifier from the new authorization token. The terminal device stores the new renewal seed and the new session identifier extracted from the new authorization token. The terminal device encrypts the new dynamic key fragment and the new renewal seed using the public key of the removable storage device. It then sends the generation time of the dynamic key fragment, its lifespan, the encrypted new dynamic key fragment, the new renewal seed, and the new session identifier to the removable storage device.
[0086] The mobile storage device receives new dynamic key fragments generated by the terminal device; it then generates a new data decryption key based on these new dynamic key fragments. The previously generated data decryption key is used to decrypt the file encryption key, and the new data decryption key is immediately used to re-encrypt the file encryption key to update the storage. Throughout the renewal request process, the mobile storage device continues to transmit data.
[0087] Figure 3 A mobile storage device data security management device is provided as an embodiment of this application, with reference to... Figure 3 This application provides a mobile storage device data security management device 3, comprising: a first sending module 31, used to send a session request to a terminal device; a first receiving module 32, used to receive the identity certificate and identity challenge returned by the terminal device; a verification acquisition module 33, used to acquire the current location and timestamp after verifying the identity certificate returned by the terminal device; a second sending module 34, used to send the current location and timestamp to a location service platform for verification; a second receiving module 35, used to receive a verification credential returned by the location service platform; the verification credential is a credential for verifying the current location and timestamp; a response submission module 36, used to respond to the identity challenge of the terminal device and submit the verification credential to the terminal device; a third receiving module 37, used to receive the dynamic key fragment after the terminal device obtains an authorization token from a policy server based on the verification credential and generates a dynamic key fragment; and a decryption module 38, used to generate a data decryption key based on the dynamic key fragment to decrypt the file encryption key and decrypt user data.
[0088] This embodiment provides a mobile storage device data security management device 3, which can be used to perform the above-mentioned... Figure 1 The technical solutions of the method embodiments shown are similar in principle and in effect, and will not be described again here.
[0089] Figure 4 Another mobile storage device data security management device provided in an embodiment of this application, referencing Figure 4An embodiment of this application provides another mobile storage device data security management device 4, comprising: a fourth receiving module 41, used to receive a session request sent by the mobile storage device; a proof challenge module 42, used to provide identity proof to the mobile storage device and initiate an identity challenge; a receiving verification module 43, used to receive the mobile storage device's response to the identity challenge and verification credentials; a response verification module 44, used to verify the mobile storage device's response to the identity challenge; a request module 45, used to send the verification credentials to a policy server to request location compliance verification; a generation module 46, used to generate a dynamic key fragment and a renewal seed, and extract a session identifier from the authorization token when receiving an access permission instruction and an authorization token; an encryption module 47, used to encrypt the dynamic key fragment and the renewal seed using the mobile storage device's public key; and a third sending module 48, used to send the encrypted dynamic key fragment, renewal seed, and session identifier to the mobile storage device.
[0090] Another mobile storage device data security management device 4 in this embodiment can be used to perform the above-described... Figure 2 The technical solutions of the method embodiments shown are similar in principle and in effect, and will not be described again here.
[0091] Another embodiment of this application provides a computer device, including: a memory and a processor, wherein the memory stores a computer program, and when the processor executes the computer program, it implements the embodiments of this application. Figure 1 The method shown, or the implementation of the embodiments of this application. Figure 3 The method shown.
[0092] Another embodiment of this application provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, it can implement the embodiments of this application. Figure 1 The method shown, or the implementation of the embodiments of this application. Figure 3 The method shown.
[0093] Another embodiment of this application provides a computer device, including: a memory and a processor, wherein the memory stores a computer program, and when the processor executes the computer program, it implements the embodiments of this application. Figure 1 The method shown, or the implementation of the embodiments of this application. Figure 2 The method shown.
[0094] Another embodiment of this application provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, it can implement the embodiments of this application. Figure 1 The method shown, or the implementation of the embodiments of this application. Figure 2 The method shown.
[0095] Those skilled in the art will understand that although some embodiments herein include certain features included in other embodiments, combinations of features from different embodiments are intended to be within the scope of this application and form different embodiments. For example, in the claims, any of the claimed embodiments can be used in any combination.
[0096] The above-described embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this application.
Claims
1. A method for data security management and control of mobile storage devices, characterized in that, The method includes: Send a session request to the terminal device; Receive the identity verification and identity challenge returned by the terminal device; After verifying the identity verification returned by the terminal device, obtain the current location and timestamp; Send the current location and the timestamp to the location service platform for verification; Receive the verification credentials returned by the location service platform; the verification credentials are credentials for verifying the current location and the timestamp; Respond to the identity challenge from the terminal device and submit the verification credentials to the terminal device; After the terminal device obtains an authorization token from the policy server based on the verification credentials and generates a dynamic key fragment, it receives the dynamic key fragment. Based on the dynamic key fragment, a data decryption key is generated to decrypt the file encryption key and decrypt user data.
2. The method according to claim 1, characterized in that, The session request includes the mobile storage device identifier and a first random number.
3. The method according to claim 2, characterized in that, The identity verification includes the terminal device's certificate and the terminal device's signature on the first random number; the identity challenge is a second random number sent by the terminal device to the mobile storage device.
4. The method according to claim 1, characterized in that, The method further includes: obtaining the renewal seed generated by the terminal device based on the authorization token and the extracted session identifier.
5. The method according to claim 4, characterized in that, After generating a data decryption key based on the dynamic key fragment to decrypt the file encryption key and decrypt the user data, the method further includes: The file encryption key is then encrypted again using the data decryption key.
6. The method according to claim 5, characterized in that, The method further includes: Before the dynamic key fragment expires, a new verification credential is obtained from the location service platform. Send a renewal request to the terminal device, which includes the session identifier, the new verification credential, and the renewal seed; Receive a new dynamic key fragment generated by the terminal device; A new data decryption key is generated based on the new dynamic key fragment; The file encryption key is decrypted using the previously generated data decryption key, and the file encryption key is immediately re-encrypted using the new data decryption key to update the storage.
7. A method for data security management and control of mobile storage devices, characterized in that, The method includes: Receive a session request sent by the mobile storage device; Provide identity verification to the mobile storage device and initiate an identity challenge; Receive the mobile storage device's response to the identity challenge and verification credentials; Verify the mobile storage device's response to the identity challenge; Send the verification credentials to the policy server to request location compliance verification; Upon receiving an access permission instruction and an authorization token, a dynamic key fragment and a renewal seed are generated, and a session identifier is extracted from the authorization token; The dynamic key fragment and the renewal seed are encrypted using the public key of the mobile storage device; The encrypted dynamic key fragment, the renewal seed, and the session identifier are sent to the mobile storage device.
8. The method according to claim 7, characterized in that, The method further includes: Receive a renewal request sent by the mobile storage device, the renewal request including the session identifier, new verification credentials and the renewal seed; Based on the session identifier, query the locally stored renewal seed and verify whether the received renewal seed is consistent with the locally stored renewal seed; After verifying that the received renewal seed is consistent with the locally stored renewal seed, the new verification credential is sent to the policy server to request renewal location compliance verification. Upon receiving an instruction to grant access and a new authorization token, a new dynamic key fragment and a new renewal seed are generated, and a new session identifier is extracted from the new authorization token; The new dynamic key fragment and the new renewal seed are encrypted using the public key of the mobile storage device; The encrypted new dynamic key fragment, the new renewal seed, and the new session identifier are sent to the mobile storage device.
9. A data security management and control device for mobile storage devices, characterized in that, The device includes: The first sending module is used to send a session request to the terminal device; The first receiving module is used to receive the identity verification and identity challenge returned by the terminal device; The verification acquisition module is used to acquire the current location and timestamp after the identity verification returned by the terminal device is successful; The second sending module is used to send the current location and the timestamp to the location service platform for verification. The second receiving module is used to receive the verification credential returned by the location service platform; the verification credential is a credential for verifying the current location and the timestamp. The response submission module is used to respond to the identity challenge of the terminal device and submit the verification credential to the terminal device. The third receiving module is used to receive the dynamic key fragment after the terminal device obtains the authorization token from the policy server based on the verification credential and generates the dynamic key fragment. The decryption module is used to generate a data decryption key based on the dynamic key fragment to decrypt the file encryption key and decrypt user data.
10. A data security management and control device for mobile storage devices, characterized in that, The device includes: The fourth receiving module is used to receive the session request sent by the mobile storage device; The authentication challenge module is used to provide authentication to the mobile storage device and initiate an authentication challenge. A receiving verification module is used to receive the mobile storage device's response to the identity challenge and verification credentials; A response verification module is used to verify the mobile storage device's response to the identity challenge; The request module is used to send the verification credentials to the policy server to request location compliance verification; The generation module is used to generate a dynamic key fragment and a renewal seed when it receives an access permission instruction and an authorization token, and to extract a session identifier from the authorization token; An encryption module is used to encrypt the dynamic key fragment and the renewal seed using the public key of the mobile storage device; The third sending module is used to send the encrypted dynamic key fragment, the renewal seed, and the session identifier to the mobile storage device.