
The Research of Centralized Access Control Technology for USB Storage Device Based on Trusted Kylin in LAN

Posted on: 2011-01-14; Degree: Master; Type: Thesis
Country: China; Candidate: D B Cheng
GTID: 2198330338489860; Subject: Software engineering
Abstract/Summary:
With the development of computer technology, USB storage devices are used more and more widely. They are easy to carry, have large capacity, and are easy to use. While they are important tools for exchanging data among computers, they are also becoming the main way for internal workers to leak or steal confidential information in a LAN. Existing access control technologies for USB storage devices in a LAN have only addressed the problem at the operating system level and have not implemented centralized access control for all USB storage devices in the LAN, so their security and availability are reduced.

To solve the access control problems of USB storage devices in a LAN, this paper first analyzes WDM filter driver based access control technology for USB storage devices and other related work, and summarizes their advantages and disadvantages. By studying the Linux USB subsystem and the SCSI controller simulation process, we propose a novel USB filter driver technique based on Trusted Kylin. Combining RBA (Role Based Authorization), PMI (Privilege Management Infrastructure) and PKI (Public Key Infrastructure), we propose a joint security authentication and authorization system, RBA-PP. We then design and implement the Trusted Kylin based LAN USB Access Control System (USBACS) on the basis of bidirectional authentication between client and server.

At the application layer, USBACS authenticates twice the identity of users who need to write data using USB storage devices in the LAN, while at the kernel layer, USB access control is implemented through the USB filter driver. USBACS is composed of the Trusted Kylin based USB filter driver subsystem, RBA-PP, and the bidirectional authentication service between clients and servers. We also implement one-way control of data transfer between the system and devices. RBA-PP authenticates the identity of the client user and grants user authorization in the LAN environment. The bidirectional authentication service guarantees the security and non-repudiation of all servers and clients. Based on the above design principles, we implement USBACS, test it, and analyze its security in a LAN environment. Our evaluation shows that USBACS has a very small impact on system performance while greatly guaranteeing system security.
Keywords/Search Tags: USB storage devices, centralized access control, filter driver, RBA-PP, USBACS