
CN120342714A - A secure sharing system for external devices between internal and external network devices - Google Patents

A secure sharing system for external devices between internal and external network devices

Info

Publication number
CN120342714A
Authority
CN
China
Prior art keywords
external
computer host
internal
host
video data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202510537227.8A
Other languages
Chinese (zh)
Inventor
徐建锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Yaqingda Intelligent System Co ltd
Original Assignee
Guangzhou Yaqingda Intelligent System Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Yaqingda Intelligent System Co ltd
Priority application: CN202510537227.8A
Publication: CN120342714A
Current legal status: Pending

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/40 Network security protocols
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04N PICTORIAL COMMUNICATION, e.g. TELEVISION > H04N 7/00 Television systems > H04N 7/10 Adaptations for transmission by electrical cable

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Small-Scale Networks (AREA)

Abstract

The application provides a system for securely sharing external devices between internal-network and external-network equipment. The system comprises a control signal processor for securely transmitting the control instructions of external HID devices between the two hosts. The control signal processor is connected on one side to an external computer host that is connected to an external network, and on the other side to an internal computer host that is connected to an internal network isolated from the external network; the control instructions of the external HID devices received by the external computer host are securely transmitted to the internal computer host through the control signal processor, and the data security of the internal computer host is ensured by hardware isolation, protocol conversion, data encryption and watermarking. The application thus lets the internal and external computer hosts share external devices while effectively ensuring the data security of the internal computer host.

Description

External equipment safety sharing system between internal and external network equipment
Technical Field
The application relates to the field of secure unidirectional communication between computers, and in particular to a system for securely sharing external devices between internal-network and external-network equipment.
Background
In many application scenarios with high security requirements, such as the medical field, the financial field and government departments, internal-network and external-network devices are strictly isolated so that internal-network data cannot leak to the external network. In actual operation, however, it is often necessary to temporarily share the graphical user interface of an internal computer connected to the internal network with external-network personnel for viewing, or even to authorize those personnel to operate the internal computer. To improve operating convenience and keep the desktop tidy, it is desirable for the internal computer and the external computer connected to the external network to share external HID devices such as a keyboard, a mouse and a display.
Traditional KVM schemes let a user control several computers through one set of keyboard, video and mouse, in one of two modes: a network scheme, in which the two computers share the KVM through a network connection and sharing-control software, and a hardware KVM switch scheme, in which a switch performs the sharing switchover.
The network scheme is based on network protocols such as IP-KVM and requires special software to be installed on both computers. This introduces a bidirectional communication risk: a network attacker can exploit a protocol vulnerability to penetrate the internal network, so the internal network has a low level of security.
Disclosure of Invention
In view of the problems in the prior art, the application provides a system for securely sharing external devices between internal-network and external-network equipment, which allows an internal computer host to share the external devices of an external computer host while the data isolation between the internal-network and external-network computers reaches the security level of physical isolation.
The system for securely sharing external devices between internal-network and external-network equipment comprises a control signal processor and a security isolation system architecture. The control signal processor is used to securely transmit the control instructions of external HID devices between the devices;
the control signal processor is connected respectively to an external computer host connected to an external network and to an internal computer host connected to an internal network isolated from the external network, and securely transmits the control instructions of the external HID devices received by the external computer host to the internal computer host;
The security isolation system architecture comprises hardware isolation, protocol conversion, data encryption and watermarking, and ensures the data security of an internal computer host.
Further, the control signal processor comprises a first interface connected to the external computer host, a second interface connected to the internal computer host, and a secure encryption and decryption module. The first interface uses a virtual serial port protocol to establish an encrypted communication link with the external computer host; the second interface conforms to the USB HID 1.11 protocol specification; and the secure encryption and decryption module integrates an SM4 national cryptographic algorithm chip and an HMAC-SHA256 verification unit and is connected to both the first interface and the second interface;
the external computer host converts the control instruction of the external HID device into data conforming to the virtual serial port protocol, encrypts that data in SM4-CBC mode to obtain an encrypted control instruction, and sends the encrypted control instruction to the control signal processor;
the control signal processor receives the encrypted control instruction through the first interface and passes it to the secure encryption and decryption module;
the secure encryption and decryption module decrypts the encrypted control instruction to obtain the decrypted control instruction of the external HID device, checks its integrity with CRC-32, and then passes the decrypted control instruction to the second interface;
and the second interface converts the decrypted control instruction of the external HID device into a standard report format conforming to the USB HID protocol specification and transmits that report to the internal computer host.
Further, the system comprises a unidirectional video data transmission cable that allows only a unidirectional video data stream to pass;
the unidirectional video data transmission cable is connected to both the internal computer host and the external computer host, and the internal computer host can only transmit a video data stream unidirectionally to the external computer host through this cable; the video data stream carries the graphical user interface pictures that are dynamically updated after the internal computer host responds to the control instructions.
Further, the system comprises a video acquisition card arranged on the external computer host, and the internal computer host is connected to the video acquisition card through the unidirectional video data transmission cable;
The external computer host generates an internal computer host display window and renders the video data stream to the internal computer host display window, wherein the internal computer host display window is an independent application window of the external computer host.
Further, the external computer host monitors the current active window handle in real time, obtaining it through the GetForegroundWindow function; if the internal computer host display window is active, the external computer host transmits the control instruction of the external HID device to the internal computer host through the control signal processor;
and if the internal computer host display window is inactive, the external computer host itself executes the operation corresponding to the control instruction of the external HID device.
Further, the external computer host generates a first watermark image comprising the external computer host and login information, and merges the first watermark image with the video data stream.
Further, after the external computer host establishes a remote connection with a remote computer host, it receives the remote control instructions of the external HID device sent by the remote computer host and transmits them unidirectionally to the internal computer host through the control signal processor.
Further, the external host computer generates a second watermark image comprising the remote host computer and login information, and merges the second watermark image with the video data stream.
Further, the external computer host monitors the current active window handle in real time, and if the internal computer host display window is active, it performs authority authentication on the identity information of the operator;
If the authority authentication is passed, allowing the external computer host to transmit the control instruction of the external HID device to the internal computer host through the control signal processor;
and if the authority authentication is not passed, prohibiting the external computer host from transmitting the control instruction of the external HID device to the internal computer host through the control signal processor.
Further, the external host computer generates a third watermark image comprising the identity information of the operator and merges the third watermark image with the video data stream.
Further, the unidirectional video data transmission cable comprises at least an HDMI cable whose CEC pin and HEC pin are cut off, so that the electrical connection of the reverse communication channel is physically severed.
Compared with the prior art, the application connects the internal computer host in the internal network with the external computer host in the external network through the unidirectional video data transmission cable and the control signal processor, so that only the video data stream of the internal computer host can pass, unidirectionally, into the external computer host through the unidirectional video data transmission cable. In addition, the external computer host transmits the control instructions of the external HID device to the internal computer host in one direction only, through the control signal processor. Physical isolation therefore removes the possibility of the external computer host carrying out reverse penetration of, or data theft from, the internal network through the unidirectional video data transmission cable; at the same time the external computer host can only transmit control instructions to perform limited operations on the internal computer host and cannot obtain data of the internal computer host from the control signal processor, which effectively improves the security of the internal network.
In order that the application may be more clearly understood, specific embodiments thereof will be described below with reference to the accompanying drawings.
Drawings
FIG. 1 is a schematic diagram of an external device secure sharing system between an internal and external network device according to the present application;
FIG. 2 is a schematic diagram of an external device security sharing system between an internal network device and an external network device, including a video acquisition card;
FIG. 3 is a schematic diagram of an external HID device in a secure sharing system for external devices between an internal and external network device;
Fig. 4 is a specific schematic diagram of a control signal processor in an external device secure sharing system between an internal network device and an external network device;
fig. 5 is a schematic diagram of an external device security sharing system between an internal network device and an external network device, including a remote computer host.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be understood that the schematic drawings are not drawn to scale. A flowchart, as used in this disclosure, illustrates operations implemented according to some embodiments of the present application. It should be appreciated that the operations of the flow diagrams may be implemented out of order and that steps without logical context may be performed in reverse order or concurrently. Moreover, one or more other operations may be added to or removed from the flow diagrams by those skilled in the art under the direction of the present disclosure.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
Referring to fig. 1, fig. 1 is a schematic diagram of an external device security sharing system between an internal network device and an external network device according to the present application. The application provides a system for securely sharing external devices between internal-network and external-network equipment, which comprises a control signal processor, a unidirectional video data transmission cable and a security isolation system architecture. The control signal processor is used to securely transmit the control instructions of external HID devices between the devices, and the unidirectional video data transmission cable allows only a unidirectional video data stream to pass;
the control signal processor is connected respectively to an external computer host connected to an external network and to an internal computer host connected to an internal network isolated from the external network. The control instructions of the external HID device received by the external computer host are transmitted in one direction only, through the control signal processor, to the internal computer host, so that secure transmission between the external computer host and the internal computer host is achieved.
The unidirectional video data transmission cable is respectively connected with the internal computer host and the external computer host, and the internal computer host can only unidirectional transmit video data streams to the external computer host through the unidirectional video data transmission cable, wherein the video data streams are used for displaying graphical user interface pictures which are dynamically updated after the internal computer host responds to the control instructions.
The security isolation system architecture comprises hardware isolation, protocol conversion, data encryption and watermarking, and ensures the data security of an internal computer host.
In this embodiment, the external network may be the public internet. The internal network can be an internal local area network in the medical field, the financial field and the like and is used for storing data with high confidentiality. For example, in the medical field, the internal network stores sensitive contents such as personal identification information of a patient, a disease diagnosis record, a treatment scheme, etc., and in the financial field, the internal network stores key data such as account information of a customer, a transaction record, etc. Therefore, the internal network strictly prohibits communication with the external network, so as to avoid leakage of data in the internal network due to potential threat of the external network, thereby protecting security and privacy of the data.
The external computer host is a computer device connected to the external network, so that a user can access the external network, and the external computer host is used as an operation terminal for interacting with the outside and controlling the internal computer host, such as a desktop computer, a notebook computer and the like which are used by a common user in daily life and are connected with the Internet. The internal computer host is a computer device, a medical device, a server and the like which are connected with the internal network.
Taking the medical field as an example, an internal computer host connected to a hospital's local area network runs an electronic medical record system, a Picture Archiving and Communication System (PACS) and the like, and stores highly confidential information such as patients' medical data. An external computer host connected to the Internet can be used for medical literature searches, online consultations and the like.
The unidirectional video data transmission cable is a cable that carries only a unidirectional video data stream: the control signals with bidirectional data transmission capability that exist in a standard video cable are blocked, so that only the video data stream can travel from one end to the other. As a result, the data of the internal computer host cannot leak to the external computer host through the cable, and the external computer host cannot send instructions such as data requests to the internal computer host through the cable, which improves the security of the system. Preferably, the unidirectional video data transmission cable includes an HDMI cable, a DVI cable and a VGA cable, where the CEC (Consumer Electronics Control) pins and HEC (HDMI Ethernet Channel) pins of the HDMI cable are cut off; specifically, the 13th, 14th and 19th pins of the HDMI cable are cut off, so that the electrical connection of the reverse communication channel is physically severed.
Compared with the prior art, this scheme connects the internal computer host in the internal network with the external computer host in the external network through the unidirectional video data transmission cable and allows only the video data stream of the internal computer host to be transmitted, one way, to the external computer host through that cable. In addition, the external computer host transmits control instructions to the internal computer host in one direction only, through the control signal processor. Physical isolation therefore removes the possibility of the external computer host carrying out reverse penetration of, or data theft from, the internal network through the unidirectional video data transmission cable; at the same time the external computer host can only transmit control instructions to perform limited operations on the internal computer host and cannot obtain data of the internal computer host from the control signal processor, which effectively improves the security of the internal network.
In one embodiment, referring to fig. 2, fig. 2 is a schematic diagram of an external device security sharing system between an internal network device and an external network device, including a video capture card. The video acquisition card can be arranged in the external computer host, and can also be externally connected with the external computer host. The internal computer host is connected with the video acquisition card through the unidirectional video data transmission cable and unidirectional transmits the video data stream to the video acquisition card.
The external computer host generates an internal computer host display window and renders the video data stream to the internal computer host display window, wherein the internal computer host display window is an independent application window of the external computer host.
The external host computer may obtain the video data stream from the video capture card, and run a window application program, such as a Qt/WinForms-based window program, which displays the video data stream from the internal host computer in real time through a rendering engine, such as OpenGL or DirectX.
Through the display window of the internal computer host, a user can simultaneously compare and check the pictures of the external computer host and the internal computer host without frequent switching, and the working efficiency of the user is effectively improved. The hardware KVM switch based on the prior art only supports one-to-one signal switching through physical switch or electronic signal sharing switching, and can not realize that pictures of an external computer host and an internal computer host are compared and displayed in a mode of simultaneous split screen or picture-in-picture and the like, so that an operator can not view pictures of the external computer host and the internal computer host at the same time, and the working efficiency is reduced.
The video acquisition card is a device for acquiring video data; it receives video data from a specific signal source (such as the signal transmitted by the internal computer host through the unidirectional video data transmission cable) and converts it into a digital signal format that the computer can process. In this embodiment, the video capture card captures the video data stream transmitted from the internal computer host so that the external computer host can process and display it. Preferably, the video capture card is an HDMI capture card that has been burned with fixed EDID information in advance, and its CEC pins and HEC pins are cut off; specifically, the 13th, 14th and 19th pins of the HDMI capture card are cut off.
The external computer host can generate the internal computer host display window based on a preset split screen ratio, so that the user can view information from the local computer host and the internal computer host at the same time, which makes interaction and operation convenient. Specifically, the split screen ratio can be set to 1:1, and the user can adjust it according to their own needs. The position and size of the internal computer host display window can also be adjusted freely and are controlled by a window manager.
The external computer host dynamically generates a first watermark image containing the external computer host and login information, and specifically, when a video data stream from the internal computer host is displayed in real time through a rendering engine by a window application program, the first watermark image is combined with the video data stream, wherein the external computer host and login information contains a user name, a host IP address, a login timestamp and the like of the external computer host. The first watermark image can be used as a tracking clue to help identify the source of the picture revealing the internal computer host, so that the data revealing behavior is effectively deterred and reduced, and the data security of the internal network is improved.
In another embodiment, referring to fig. 3, fig. 3 is a schematic diagram of an external HID device in an external device security sharing system between an internal network device and an external network device. The external HID device includes a mouse, a keyboard, a display, etc., and the embodiment is not limited, and the existing external HID device may be adopted. The mouse, keyboard and display are connected with the external computer host, and the display is used for displaying a local Graphical User Interface (GUI) of the external computer host. The control command of the external HID device comprises input signals of a mouse and a keyboard and the like.
The external computer host monitors the current active window handle in real time, obtaining it through the GetForegroundWindow function of the Windows system API, and if the internal computer host display window is active, it transmits the control instruction of the external HID device to the internal computer host through the control signal processor;
and if the internal computer host display window is inactive, the external computer host itself executes the operation corresponding to the control instruction of the external HID device.
The control right of the internal computer host and the external computer host is dynamically switched by monitoring the active state of the display window of the internal computer host, so that the operation efficiency in a multi-window environment can be effectively improved.
Specifically, the external computer host receives input signals from the mouse and the keyboard, such as key code signals from the keyboard and movement and click signals from the mouse, and performs the corresponding operations, such as entering a character or opening a file. After the current window is switched to the internal computer host display window, the external computer host transmits the control instruction of the external HID device to the internal computer host through the control signal processor. After the internal computer host receives the control instruction of the external HID device, its operating system and the related drivers parse and process the instruction, so that the internal computer host is operated and operations such as entering a character or opening a file are executed on the internal computer host.
In other embodiments, the mouse, keyboard and display are connected to the external host computer, and the internal host computer may be connected to only the display. The external computer host is connected with the internal computer host only through the control signal processor and is used for unidirectionally transmitting a control instruction of the external HID device of the external computer host to the internal computer host through the control signal processor.
The external computer host can receive input signals of the mouse and the keyboard, such as key code signals of the keyboard, movement of the mouse, clicking signals and the like, and execute corresponding operations, such as inputting a character or opening a file and the like. The external computer host can unidirectionally transmit the input signals of the mouse and the keyboard to the internal computer host through the control signal processor. After the internal computer host receives the input signals of the mouse and the keyboard, an operating system and a related driving program of the internal computer host can analyze and process the input signals of the mouse and the keyboard, so that the operation and the control of the internal computer host are realized.
Of course, one or more combination keys in the keyboard can be set as a switch control right shortcut key, the external computer host monitors the pressing event of the switch control right shortcut key by setting a monitoring program, and when the switch control right shortcut key is monitored to be pressed, the external computer host executes the operation of unidirectionally transmitting the input signals of the mouse and the keyboard to the internal computer host through the control signal processor.
In this embodiment, referring to fig. 4, fig. 4 is a specific schematic diagram of a control signal processor in an external device security sharing system between an internal network device and an external network device. The control signal processor comprises a first interface connected with the external computer host, a second interface connected with the internal computer host and a security encryption and decryption module, wherein the first interface adopts a virtual serial port protocol to establish an encryption communication link with the external computer host, the second interface is configured as a USB man-machine interaction equipment interface and accords with the USB HID1.11 protocol specification, the security encryption and decryption module is connected with the first interface and the second interface, and the security encryption and decryption module integrates an SM4 national encryption algorithm chip and an HMAC-SH256 verification unit.
The external computer host converts the control instruction of the external HID device into data meeting a virtual serial port protocol, encrypts the data based on an SM4-CBC mode to obtain an encrypted control instruction, and sends the encrypted control instruction to the control signal processor;
the control signal processor receives the encrypted control instruction through the first interface and passes it to the secure encryption and decryption module;
The secure encryption and decryption module decrypts the encrypted control instruction to obtain a decrypted control instruction of the external HID device, and transmits the decrypted control instruction of the external HID device to the second interface after checking the integrity of the decrypted control instruction of the external HID device through CRC-32;
and the second interface converts the decrypted control instruction of the external HID device into a standard report format conforming to the USB HID protocol specification and transmits the standard report format to the internal computer host.
Specifically, the external computer host is connected to the first interface of the control signal processor through the USB CDC protocol and identifies it as a virtual serial port device. The external computer host calls operating-system functions to collect the control instructions of the external HID devices, that is, the input data of peripherals such as the keyboard and mouse, encrypts that input data with the AES-256-GCM algorithm, encapsulates the result into a control-instruction serial port data frame and sends the frame to the control signal processor through the first interface. Encryption can also be performed with the AES-128 algorithm or the SHA-256 algorithm, so that the encrypted control-instruction serial port data frame meets commercial cryptographic standards such as the international standard AES-256 or SHA-256 algorithms.
The control signal processor may be built on an STM32F4 series MCU chip, a controller with two USB physical interfaces; the first and second USB physical interfaces serve as the first interface and the second interface respectively. The first USB physical interface receives the encrypted control instruction from the external computer host in Device mode; the second USB physical interface runs a USB HID function, also in Device mode, converts the control instruction of the external HID device into a standard report format conforming to the USB HID protocol specification and sends it to the internal computer host, which therefore recognises the external computer host as an HID device such as a keyboard or mouse and executes the corresponding operations.
Before the external computer host sends the encrypted control instruction, it generates a verification authentication code for the control instruction of the external HID device with HMAC-SHA256; after the control signal processor decrypts the control instruction, the authentication code confirms that the control instruction of the external HID device has not been tampered with by a man in the middle.
In addition, the first USB physical interface may be configured in a receive-only mode: specifically, the transmitting endpoint (IN endpoint) is turned off in firmware and only the receiving endpoint (OUT endpoint) is kept, or the restriction is imposed at the protocol layer, so that the external host cannot actively pull data through the virtual serial port and only one-way transmission of the encrypted control instruction is possible. The first USB physical interface acts as a standard HID input device (such as a keyboard/mouse) that only supports sending HID reports to the internal computer host and has no receive function; the output endpoint can be disabled in the firmware implementation to ensure that the internal computer host cannot send data in the reverse direction.
The STM32F4 series MCU chip also hosts the secure encryption and decryption module, specifically a hardware encryption engine (AES/SM4) and an OTP storage area: a preset key can be loaded from the OTP area and the AES engine called to decrypt the encrypted control instruction.
The control signal processor only allows the HID signal to be transmitted to the internal computer host from the external computer host in one way, so that reverse leakage of data of the internal network to the external computer host can be effectively avoided, and the safety of the data of the internal network is improved.
Encrypting the control instruction of the external HID device greatly improves its confidentiality in transit, and encryption also guarantees the integrity of the control instruction to a certain extent: because the instruction is encrypted, the security encryption and decryption module can verify during decryption whether the control instruction of the external HID device was tampered with in transit. Once an abnormality is detected, the erroneous command is prevented from executing by not forwarding it to the internal computer host, which protects the data security of the internal computer host.
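The two ends of the encrypted control-instruction exchange described above, as an added example in Go; this is not code from the patent or its applicant. It uses AES-256-GCM, the mode the embodiment names for the serial frame, in place of SM4-CBC, which Go's standard library does not ship. The frame layout, the report-type byte, the demo keys and the two-byte/three-byte boot report sizes are assumptions of this example. On the processor side every failed check returns an error, and the report is never handed to the HID interface.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"hash/crc32"
	"io"
)

// Demo keys, constructed for this example. In the design above the device-side
// key is loaded from the MCU's OTP area and never sits in host code like this.
var (
	encKey    = []byte("constructed-demo-aes256-key-32by") // 32 bytes -> AES-256
	macKey    = []byte("constructed-demo-hmac-key-32byte") // HMAC-SHA256 key
	gcm       = mustGCM()
	reportLen = map[byte]int{TypeKeyboard: 8, TypeMouse: 3}
)

// Report types on the virtual serial link and the boot-protocol report size the
// HID side expects for each (the frame format itself is constructed here).
const (
	TypeKeyboard byte = 1 // modifiers, reserved, six key usage codes
	TypeMouse    byte = 2 // buttons, dx, dy
	nonceLen          = 12
)

func mustGCM() cipher.AEAD {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		panic(err) // only reachable with a wrong key size
	}
	aead, _ := cipher.NewGCM(block)
	return aead
}

// KeyboardReport builds a USB HID boot-protocol keyboard report.
func KeyboardReport(modifiers byte, keys ...byte) ([]byte, error) {
	if len(keys) > 6 {
		return nil, errors.New("boot keyboard report holds at most six keys")
	}
	r := make([]byte, 8)
	r[0] = modifiers
	copy(r[2:], keys)
	return r, nil
}

// tagFor is the HMAC-SHA256 verification code over type||report.
func tagFor(typ byte, report []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte{typ})
	mac.Write(report)
	return mac.Sum(nil)
}

// SealFrame is the external-host side. Frame layout:
// [type][12-byte nonce][AES-256-GCM(report || HMAC || CRC-32) with GCM tag].
// The type byte is bound to the ciphertext as GCM additional authenticated data.
func SealFrame(typ byte, report []byte) ([]byte, error) {
	if n, ok := reportLen[typ]; !ok || len(report) != n {
		return nil, errors.New("unknown report type or wrong report length")
	}
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	var crc [4]byte
	binary.BigEndian.PutUint32(crc[:], crc32.ChecksumIEEE(report))
	plain := append(append(append([]byte{}, report...), tagFor(typ, report)...), crc[:]...)
	return gcm.Seal(append([]byte{typ}, nonce...), nonce, plain, []byte{typ}), nil
}

// OpenFrame is the control-signal-processor side. Any failure drops the report,
// so nothing reaches the internal host's HID interface.
func OpenFrame(frame []byte) (byte, []byte, error) {
	if len(frame) < 1+nonceLen {
		return 0, nil, errors.New("frame too short")
	}
	typ, nonce, ct := frame[0], frame[1:1+nonceLen], frame[1+nonceLen:]
	plain, err := gcm.Open(nil, nonce, ct, []byte{typ})
	n, ok := reportLen[typ]
	if err != nil || !ok || len(plain) != n+sha256.Size+4 {
		return 0, nil, errors.New("AES-GCM authentication failed or malformed payload")
	}
	report, tag, crc := plain[:n], plain[n:n+sha256.Size], plain[n+sha256.Size:]
	if binary.BigEndian.Uint32(crc) != crc32.ChecksumIEEE(report) {
		return 0, nil, errors.New("CRC-32 mismatch")
	}
	if !hmac.Equal(tag, tagFor(typ, report)) {
		return 0, nil, errors.New("HMAC-SHA256 mismatch")
	}
	return typ, report, nil
}
```

Two design points worth noting. GCM already authenticates the ciphertext and the type byte, so the CRC-32 and HMAC layers reproduce the document's belt-and-braces checks rather than add security; the random per-frame nonce is what keeps GCM safe, and a nonce must never repeat under one key. Replay protection (a counter authenticated as additional data) is not part of the description above and is left out here.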
In another embodiment, the external computer host monitors the current active window handle in real time, and if the internal computer host display window is in an active state, authority authentication operation is performed on the identity information of the operator;
If the authority authentication is passed, allowing a control instruction of the external HID device to be transmitted to the internal computer host through the control signal processor;
and if the authority authentication is not passed, prohibiting the control instruction of the external HID device from being transmitted to the internal computer host through the control signal processor.
By setting the authority authentication operation, unauthorized users can be prevented from accessing the internal network, and the data security of the internal network can be effectively improved.
Specifically, the authority authentication operation can be realised in various ways, such as user name and password authentication, in which the operator is required to enter a user name and password; digital certificate authentication; or biometric recognition such as fingerprint or facial recognition.
The external computer host dynamically generates a third watermark image containing the identity information of the operator: specifically, when the window application program displays the video data stream from the internal computer host in real time through a rendering engine, the third watermark image is combined with the video data stream, the identity information comprising the operator's identity ID, login timestamp and the like. The third watermark image serves as a tracing clue that helps identify anyone who leaks the picture of the internal computer host, so that data leakage is effectively deterred and reduced and the data security of the internal network is improved.
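The input-routing decisions of the shortcut-key embodiment and the active-window embodiment described above, as an added example in Go that is not the patent's code. IsSwitchShortcut assumes the combination Left Ctrl + Left Alt + F12 (constructed; the description fixes no particular combination) and the 8-byte boot-protocol keyboard report. In WindowRouter, Foreground is a stand-in for the GetForegroundWindow call and Authenticate for whichever authority authentication method is deployed; both are assumptions of this example.

```go
package main

// Destination of one HID report, decided on the external computer host before
// the report is handed to the control signal processor.
type Destination int

const (
	ToLocal    Destination = iota // the external host consumes the report itself
	ToInternal                    // forwarded one way to the internal host
	Blocked                       // internal window active but operator not authenticated: dropped
)

func (d Destination) String() string {
	return [...]string{"local", "internal", "blocked"}[d]
}

// HID usage values for the constructed switch shortcut Left Ctrl + Left Alt + F12.
const (
	ModLeftCtrl byte = 0x01
	ModLeftAlt  byte = 0x04
	KeyF12      byte = 0x45
)

// IsSwitchShortcut inspects a boot-protocol keyboard report (modifier bitmap in
// byte 0, up to six key usages in bytes 2..7) for the switch combination.
func IsSwitchShortcut(report []byte) bool {
	want := ModLeftCtrl | ModLeftAlt
	if len(report) != 8 || report[0]&want != want {
		return false
	}
	for _, k := range report[2:] {
		if k == KeyF12 {
			return true
		}
	}
	return false
}

// ToggleRouter is the shortcut-key embodiment: the monitor flips forwarding on
// the press edge only, so a held combination does not bounce the state, and the
// shortcut report itself is never sent to the internal host.
type ToggleRouter struct {
	Forwarding bool
	held       bool
}

func (t *ToggleRouter) Route(report []byte) Destination {
	pressed := IsSwitchShortcut(report)
	if pressed && !t.held {
		t.Forwarding = !t.Forwarding
	}
	t.held = pressed
	if pressed {
		return ToLocal
	}
	if t.Forwarding {
		return ToInternal
	}
	return ToLocal
}

// WindowRouter is the active-window embodiment with permission authentication.
// Foreground stands in for the Win32 GetForegroundWindow call (a Windows build
// would reach it through syscall); Authenticate stands in for the deployed
// authority authentication method. Successful authentications are remembered
// for the session; failures are re-tried on the next report.
type WindowRouter struct {
	InternalWindow uintptr
	Operator       string
	Foreground     func() uintptr
	Authenticate   func(operator string) bool
	passed         map[string]bool
}

func (w *WindowRouter) Route() Destination {
	if w.Foreground() != w.InternalWindow {
		return ToLocal // some other external-host window has focus
	}
	if w.passed == nil {
		w.passed = map[string]bool{}
	}
	if !w.passed[w.Operator] {
		if !w.Authenticate(w.Operator) {
			return Blocked
		}
		w.passed[w.Operator] = true
	}
	return ToInternal
}
```

The edge-triggered toggle matters because a keyboard sends a new report on every change of key state: pressing another key while the combination is still held would otherwise flip forwarding back again.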
In this embodiment, referring to fig. 5, fig. 5 is a schematic diagram of an external device security sharing system between an internal network device and an external network device, including a remote host computer. After the external computer host establishes remote connection with the remote computer host, the remote control instruction of the external HID device sent by the remote computer host is received, and the remote control instruction is unidirectionally transmitted to the internal computer host through the control signal processor.
The external computer host may establish the remote connection with the remote computer host through remote desktop software such as Sunflower or TeamViewer. After the remote connection is established, the internal computer host window picture generated by the external computer host is sent to the remote computer host in real time through the remote software, so that a user at the remote computer host can view the local picture of the remote computer host and the picture of the internal computer host at the same time.
The remote control instruction is a control instruction of an external HID device received by the remote computer host, for example keyboard and mouse input signals, used to make the internal computer host execute the corresponding operations. The control signal processor transmits the remote control instruction to the internal computer host one way, so that the remote computer host and the internal computer host interact safely and the data security of the internal network is effectively improved.
The external computer host dynamically generates a second watermark image containing the remote computer host and login information: specifically, when the window application program displays the video data stream from the internal computer host in real time through a rendering engine, the second watermark image is combined with the video data stream, the remote computer host and login information comprising the user name, IP address, login timestamp and the like of the remote computer host. The second watermark image serves as a tracing clue that helps identify anyone who leaks the picture of the internal computer host, so that data leakage is effectively deterred and reduced and the data security of the internal network is improved.
The present application is not limited to the embodiments described above; modifications or variations of the present application that do not depart from its spirit and scope are intended to be included within the scope of the claims and their equivalents.
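An added example, not the patent's code, of the watermark step shared by the operator-identity (third) watermark above and the remote-host (second) watermark: generating a per-session watermark image and compositing it over the captured frame. Rendering the identity text as glyphs needs a font library, so here the payload (an identity ID and login timestamp, as the embodiment lists) is drawn as a semi-transparent bit matrix with two calibration rows and combined with the frame using draw.Over; Decode shows how the payload is read back from a leaked frame. The sample frame, cell size, alpha and payload format are constructed assumptions of this example.

```go
package main

import (
	"fmt"
	"image"
	"image/color"
	"image/draw"
)

const cell = 4 // pixels per payload bit

// MakeWatermark renders payload bytes as a bit matrix, one byte per row with the
// MSB on the left. Row 0 is all ones and row 1 all zeros: calibration rows that
// let a reader decide bits against the local background without the clean frame.
func MakeWatermark(payload []byte, alpha uint8) *image.RGBA {
	rows := append([]byte{0xFF, 0x00}, payload...)
	wm := image.NewRGBA(image.Rect(0, 0, 8*cell, len(rows)*cell))
	ink := image.NewUniform(color.NRGBA{R: 255, G: 255, B: 255, A: alpha})
	for r, b := range rows {
		for c := 0; c < 8; c++ {
			if (b>>(7-c))&1 == 1 {
				cellRect := image.Rect(c*cell, r*cell, (c+1)*cell, (r+1)*cell)
				draw.Draw(wm, cellRect, ink, image.Point{}, draw.Src)
			}
		}
	}
	return wm
}

// Stamp tiles the watermark over a frame with draw.Over alpha compositing, the
// "combine with the video data stream" step; gap pixels separate the tiles.
func Stamp(frame *image.RGBA, wm *image.RGBA, gap int) {
	w, h := wm.Bounds().Dx(), wm.Bounds().Dy()
	b := frame.Bounds()
	for y := b.Min.Y; y < b.Max.Y; y += h + gap {
		for x := b.Min.X; x < b.Max.X; x += w + gap {
			draw.Draw(frame, image.Rect(x, y, x+w, y+h), wm, image.Point{}, draw.Over)
		}
	}
}

func luma(img image.Image, x, y int) int {
	return int(color.GrayModel.Convert(img.At(x, y)).(color.Gray).Y)
}

func abs(v int) int {
	if v < 0 {
		return -v
	}
	return v
}

// Decode reads n payload bytes from the tile whose top-left corner is (x0, y0):
// each cell is compared with the two calibration cells in the same column, so a
// background that varies across columns still decodes correctly.
func Decode(img image.Image, x0, y0, n int) []byte {
	out := make([]byte, n)
	for r := 0; r < n; r++ {
		for c := 0; c < 8; c++ {
			x := x0 + c*cell + cell/2
			one := luma(img, x, y0+cell/2)
			zero := luma(img, x, y0+cell+cell/2)
			v := luma(img, x, y0+(2+r)*cell+cell/2)
			if abs(v-one) < abs(v-zero) {
				out[r] |= 1 << (7 - c)
			}
		}
	}
	return out
}

// SampleFrame is a constructed 96x96 stand-in for a frame from the video
// acquisition card: a horizontal colour gradient, so columns differ.
func SampleFrame() *image.RGBA {
	f := image.NewRGBA(image.Rect(0, 0, 96, 96))
	for y := 0; y < 96; y++ {
		for x := 0; x < 96; x++ {
			g := uint8(2 * x)
			f.Set(x, y, color.RGBA{R: g / 2, G: g, B: 200, A: 255})
		}
	}
	return f
}

// WatermarkFrame builds the per-operator payload, stamps it over a sample frame
// and returns both the frame and the payload it carries.
func WatermarkFrame(operatorID string, loginUnix int64) (*image.RGBA, []byte) {
	payload := []byte(fmt.Sprintf("%s|%d", operatorID, loginUnix))
	frame := SampleFrame()
	Stamp(frame, MakeWatermark(payload, 96), 8)
	return frame, payload
}
```

Tiling the mark repeatedly is what gives it value as a tracing clue: a cropped or partially obscured screenshot still carries at least one complete tile. A real deployment would also vary the tile position per frame and choose the alpha so that the internal host's picture stays legible.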

Claims (11)

1. The external equipment safety sharing system between the internal and external network equipment is characterized by comprising a control signal processor and a safety isolation system framework, wherein the control signal processor is used for safely transmitting control instructions of external HID equipment between the equipment;
The control signal processor is respectively connected with an external computer host connected with an external network and an internal computer host connected with an internal network and isolated from the external network, and is used for safely transmitting control instructions of external HID equipment received by the external computer host to the internal computer host through the control signal processor;
The security isolation system architecture comprises hardware isolation, protocol conversion, data encryption and watermarking, and ensures the data security of an internal computer host.
2. The system for securely sharing external devices between internal and external network devices according to claim 1, wherein said control signal processor comprises a first interface connected to said external computer host, a second interface connected to said internal computer host, and a secure encryption/decryption module, said first interface establishing an encrypted communication link with said external computer host using a virtual serial protocol, said second interface conforming to the USB HID 1.11 protocol specification, said secure encryption/decryption module integrating an SM4 cryptographic algorithm chip and an HMAC-SHA256 verification unit and connecting said first interface and said second interface, respectively;
the external computer host converts the control instruction of the external HID device into data meeting a virtual serial port protocol, encrypts the data based on an SM4-CBC mode to obtain an encrypted control instruction, and sends the encrypted control instruction to the control signal processor;
the control signal processor receives the encryption control instruction through the first interface and transmits the encryption control instruction to the secure encryption and decryption module;
The secure encryption and decryption module decrypts the encrypted control instruction to obtain a decrypted control instruction of the external HID device, and transmits the decrypted control instruction of the external HID device to the second interface after checking the integrity of the decrypted control instruction of the external HID device through CRC-32;
and the second interface converts the decrypted control instruction of the external HID device into a standard report format conforming to the USB HID protocol specification and transmits the standard report format to the internal computer host.
3. The external device security sharing system between internal and external network devices according to claim 2, further comprising a unidirectional video data transmission cable allowing transmission of only unidirectional video data streams;
the unidirectional video data transmission cable is respectively connected with the internal computer host and the external computer host, and the internal computer host can only unidirectional transmit video data streams to the external computer host through the unidirectional video data transmission cable, wherein the video data streams are used for displaying graphical user interface pictures which are dynamically updated after the internal computer host responds to the control instructions.
4. The system for securely sharing external devices between internal and external network devices according to claim 3, further comprising a video acquisition card disposed on an external computer host, wherein said internal computer host is connected to said video acquisition card via said unidirectional video data transmission cable and unidirectional transmits said video data stream to said video acquisition card;
The external computer host generates an internal computer host display window and renders the video data stream to the internal computer host display window, wherein the internal computer host display window is an independent application window of the external computer host.
5. The system according to claim 4, wherein the external host monitors the current active window handle in real time, obtains the current active window handle through the GetForegroundWindow function, and if the internal host display window is in an active state, the external host transmits the control command of the external HID device to the internal host through the control signal processor;
And if the display window of the internal computer host is in an inactive state, the external computer host executes the operation corresponding to the control instruction of the external HID device according to the control instruction of the external HID device.
6. The system for securely sharing external devices between an internal and external network device according to claim 4, comprising said external host computer generating a first watermark image comprising said external host computer and login information, and combining said first watermark image with said video data stream.
7. The system for securely sharing external devices between internal and external network devices according to claim 3, wherein after the external computer host establishes a remote connection with a remote computer host, the remote control command of the external HID device sent by the remote computer host is received, and the remote control command is unidirectionally transmitted to the internal computer host through the control signal processor.
8. The system of claim 7, wherein the external host computer generates a second watermark image comprising the remote host computer and login information, and combines the second watermark image with the video data stream.
9. The system for securely sharing external devices between internal and external network devices according to claim 5, wherein said external host computer monitors a currently active window handle in real time, and if said internal host computer display window is in an active state, performs a permission authentication operation on the identity information of the operator;
If the authority authentication is passed, allowing the external computer host to transmit the control instruction of the external HID device to the internal computer host through the control signal processor;
and if the authority authentication is not passed, prohibiting the external computer host from transmitting the control instruction of the external HID device to the internal computer host through the control signal processor.
10. The secure sharing system of external devices between internal and external network devices according to claim 9, wherein said external host computer generates a third watermark image containing said operator's identity information and merges said third watermark image with said video data stream.
11. The external device secure sharing system between an internal network device and an external network device according to claim 2, wherein the unidirectional video data transmission cable at least comprises an HDMI cable, and the CEC pin and the HEC pin of the HDMI cable are both in a disconnected state, and the electrical connection of the reverse communication channel is physically disconnected.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510537227.8A CN120342714A (en) 2025-04-27 2025-04-27 A secure sharing system for external devices between internal and external network devices

Publications (1)

Publication Number Publication Date
CN120342714A true CN120342714A (en) 2025-07-18

Family

ID=96357136

Country Status (1)

Country Link
CN (1) CN120342714A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112073375A (en) * 2020-08-07 2020-12-11 中国电力科学研究院有限公司 Isolation device and isolation method suitable for power Internet of things client side
CN113190489A (en) * 2021-05-19 2021-07-30 郑州信大捷安信息技术股份有限公司 Double-host event sharing switching device and method
CN115801452A (en) * 2023-01-30 2023-03-14 北京万维盈创科技发展有限公司 Data acquisition instrument with network security isolation function
CN117749962A (en) * 2023-11-29 2024-03-22 广东视腾电子科技有限公司 KVM switch with mobile APP control and video preview for multiple computers
US20240422132A1 (en) * 2021-12-29 2024-12-19 Beijing National New Energy Vehicle Technology Innovation Center Co. , Ltd. Security Architecture and System for Central Gateway, and Storage Medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination