METHOD AND DEVICE FOR COMMUNICATION

Information

  • Patent Application 20090031009
  • Publication Number: 20090031009
  • Date Filed: July 22, 2008
  • Date Published: January 29, 2009
Abstract
A communication method and a communication device that includes obtaining a network configuration in a user's operating system; loading a customized operating system and an application; and communicating, by the application, with other entities under the customized operating system according to the network configuration.
Description

This application claims the priority of Chinese Application No. 200710130019.8 filed on Jul. 23, 2007, titled Method and Device for Communication, which is incorporated herein by reference in its entirety.


FIELD OF THE INVENTION

The present invention relates to information security technology, and in particular to a communication method and a communication device.


BACKGROUND OF THE INVENTION

Modern society is a networked information society. People's daily activities and livelihoods depend more and more on the Internet; for example, an increasing amount of business (e.g., e-banking, securities trading and on-line shopping) is performed on the Internet. However, as Internet usage increases, the accompanying problem of network information security becomes more and more serious: for example, hackers may steal key network information, such as account and password information, by various means (e.g., backdoor software, Trojans, viruses and phishing).


A conventional method for guaranteeing the security of network information is described here with reference to an e-banking example. In order to prevent key network information from being stolen by a hacker via various means (e.g., backdoor software, Trojans, viruses and phishing), existing e-banking mainly employs the following technologies when performing identity authentication: a security control, a digital certificate, a mobile certificate, and so on.


Identity authentication may be performed during a log-on procedure via a security control. The security control makes an ordinary virus/Trojan program unable to capture the account and password information by blocking keyboard/message hooks and the COM interfaces (i.e., the data interfaces through which other objects communicate with the browser) that are used to filter Internet Explorer (IE, a type of browser). However, because the security control and the virus/Trojan program run in the same operating system environment and at the same privilege level, the theft of user account and/or password information by some viruses/Trojans may not be prevented.


Identity authentication may also be performed during a log-on procedure via a digital certificate. Because a digital certificate is an ordinary file stored in the operating system, it may be stolen on a system where a virus/Trojan exists; once the user's account and/or password information has also been stolen, illegal use of the digital certificate together with the account and/or password information for identity authentication may not be prevented.


Identity authentication may also be performed during a log-on procedure via a mobile certificate. Although viruses/Trojans cannot steal the mobile certificate, if a virus/Trojan exists in the system there is still a possibility that the account and/or password information may be stolen, and once it is stolen there is still a great risk to the user.


SUMMARY OF THE INVENTION

An embodiment of the present invention provides a communication method that includes obtaining a network configuration in a user's operating system; loading a customized operating system and an application; and communicating, by the application, with other entities under the customized operating system according to the network configuration.


An embodiment of the present invention also provides a communication device that includes an installation unit, adapted to obtain a network configuration in a user's operating system, load a customized operating system, perform the network configuration in the customized operating system and load an application; and an application unit, adapted to communicate with other entities according to the network configuration, under the customized operating system.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is a flow chart of a communication method according to an embodiment of the present invention; and



FIG. 2 is a schematic diagram of a communication device according to an embodiment of the present invention.





DETAILED DESCRIPTION OF THE EMBODIMENTS

The embodiments of the present invention are illustrated in conjunction with the drawings for those in the art to understand and implement the present invention.


In an embodiment of the present invention, when a user needs to use an application (e.g., e-banking and/or security exchange software), the current state of the original operating system on the user machine (e.g., personal computer and server, etc.) is stored, the hardware resource is released to load a customized operating system, and the application is loaded in the customized operating system. Thus, the application will run on the customized operating system, physically isolated from the original operating system and completely on the user machine. Therefore, the damage caused by means such as, but not limited to, the Trojan/virus in the original operating system may be completely avoided. The communication method and communication device according to the present invention are described below in detail in conjunction with more specific embodiments.


Embodiment 1

An embodiment of the present invention provides a communication method. Before establishing communication, an application installer needs to be obtained and the application installer is then run on a user machine. The application installer includes, for example, an installer, an application, a customized operating system and a restore program.


The installer is adapted to obtain the network configuration in a user's operating system and store all the states of the user's operating system, load a customized operating system, perform the network configuration obtained in the user's operating system in the customized operating system, and load an application (e.g., e-banking and/or security exchange software). After the user applies for a certain service, the user may obtain an application installer from the service provider. The application installer may be stored in a read-only storage medium (e.g., a compact disc).


The application is adapted to communicate with other entities (e.g., network side entities and/or other client ends); in other words, a user machine with the application installed communicates with other entities.


The customized operating system is adapted to provide a running environment for the application. The customized operating system may be any safe operating system that can provide a running environment for the application.


The restore program is adapted to exit from the application after the user finishes the usage of the application, shut down the customized operating system, start the user's operating system, and restore the stored system state.


As shown in FIG. 1, a communication method according to an embodiment of the present invention is described.


In block 101, the network configuration in a user's operating system is obtained.


The current network configuration of the system is obtained by reading the system configuration file in the user's operating system or examining the system state, and the obtained network configuration is stored.


In block 102, the site is protected; in other words, all the states of the user's operating system are stored.


To store all the states of the user's operating system, the information about the whole memory of the current system may be stored, for example, in a form of a file.


In block 103, a customized operating system is loaded. The customized operating system may be stored on a removable storage medium such as a compact disc or a USB flash drive (U-disk).


In block 104, the network configuration obtained in the user's operating system is performed in the customized operating system.


In block 105, the application (e.g., e-banking and/or security exchange software) is loaded under the customized operating system. In other words, the application is loaded after the customized operating system is loaded.


In block 106, the application communicates with other entities (e.g., network side entities or other client ends) under the customized operating system; in other words, a user machine with the application installed communicates with other entities.


In block 107, the user exits from the application after using the application.


In block 108, the customized operating system is shut down.


In block 109, the user's operating system is started up.


In block 110, the site is restored; in other words, all the stored states of the user's operating system are restored. Restoring the stored system state means restoring the backup memory data to the memory to restore the state of the operating system before switching.


In the above flow, block 102 may be omitted together with blocks 108 to 110; in addition, blocks 107 and 108 may also be omitted.


When a user needs to use an application (e.g., e-banking and/or security exchange software) on a user machine, the state of the user's operating system is stored and the hardware resources are then released to load a customized operating system. Thus, the application runs on the customized operating system, completely isolated from the user's operating system. As a result, the security threat to the application from viruses, Trojans, spyware, vulnerabilities of the user's operating system and so on present in the user's operating system may be avoided.
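The hand-off of the network configuration between the two operating systems (block 101 on the user's side, block 104 on the customized side) is the one part of the flow above that can be shown concretely in code. The following is an added Python example, not code from the patent: it assumes a Linux-style user OS and customized OS (iproute2 command form, nameservers in resolv.conf), the sample `ip addr`, `ip route` and resolv.conf text is constructed, and the validation step is an added check the patent does not describe. The point of that check is that the stored configuration is data taken from an operating system the scheme itself treats as possibly compromised, so the customized OS should refuse anything malformed or inconsistent rather than splice it into the commands it runs.

```python
import ipaddress
import json
import re
from dataclasses import dataclass, asdict

# Constructed sample text (not from the patent) standing in for what the
# installer would read on the user's operating system in block 101:
# `ip -4 addr show`, `ip route show` and /etc/resolv.conf on a Linux host.
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic eth0
"""
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
"""
SAMPLE_RESOLV_CONF = """\
nameserver 192.168.1.1
nameserver 9.9.9.9
"""


@dataclass
class NetworkConfig:
    interface: str
    address: str          # host address with prefix, e.g. "192.168.1.23/24"
    gateway: str
    nameservers: list


def obtain_network_config(ip_addr_text, ip_route_text, resolv_text):
    """Block 101: read the current network configuration of the user's OS
    by examining its state (here: command output and resolv.conf text)."""
    m_addr = re.search(r"^\s*inet (\S+/\d+)", ip_addr_text, re.M)
    m_route = re.search(r"^default via (\S+) dev (\S+)", ip_route_text, re.M)
    if not (m_addr and m_route):
        raise ValueError("no host address or default route found")
    return NetworkConfig(
        interface=m_route.group(2),
        address=m_addr.group(1),
        gateway=m_route.group(1),
        nameservers=re.findall(r"^nameserver (\S+)", resolv_text, re.M),
    )


def store_config(cfg):
    """Serialize the obtained configuration so it can be handed to the
    customized OS (the 'stored' part of block 101)."""
    return json.dumps(asdict(cfg), sort_keys=True)


def load_config(blob):
    return NetworkConfig(**json.loads(blob))


def validate(cfg):
    """Added check before block 104 (not in the patent): the configuration
    came from an untrusted OS, so reject anything malformed or inconsistent."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", cfg.interface):
        raise ValueError("bad interface name")
    iface = ipaddress.ip_interface(cfg.address)   # raises on garbage
    gw = ipaddress.ip_address(cfg.gateway)
    if gw not in iface.network or gw == iface.ip:
        raise ValueError(f"gateway {gw} is not a usable neighbour on {iface.network}")
    if not cfg.nameservers:
        raise ValueError("no nameservers")
    for ns in cfg.nameservers:
        ipaddress.ip_address(ns)                  # raises on garbage
    return True


def is_valid(cfg):
    try:
        return validate(cfg)
    except ValueError:
        return False


def render_apply_commands(cfg):
    """Block 104: reproduce the validated configuration in the customized OS.
    Assumes a Linux-based customized OS with iproute2; returns the commands
    and the resolv.conf content instead of executing them."""
    validate(cfg)
    cmds = [
        f"ip link set dev {cfg.interface} up",
        f"ip addr add {cfg.address} dev {cfg.interface}",
        f"ip route add default via {cfg.gateway} dev {cfg.interface}",
    ]
    resolv = "".join(f"nameserver {ns}\n" for ns in cfg.nameservers)
    return cmds, resolv


if __name__ == "__main__":
    cfg = obtain_network_config(SAMPLE_IP_ADDR, SAMPLE_IP_ROUTE, SAMPLE_RESOLV_CONF)
    blob = store_config(cfg)                                  # user's OS side
    cmds, resolv = render_apply_commands(load_config(blob))   # customized OS side
    print("\n".join(cmds))
    print(resolv, end="")
```

The two halves are deliberately separate functions: `obtain_network_config` and `store_config` are all that runs before the reboot, and only the serialized blob crosses over, so the customized OS never has to parse the user OS's files itself.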


Embodiment 2

As shown in FIG. 2, an embodiment of the present invention provides a communication device. The communication device includes an installation unit 21 and an application unit 22, and may also include restoration unit 23.


The installation unit 21 is adapted to obtain the network configuration in a user's operating system, store all the states of the user's operating system, load a customized operating system, perform the network configuration obtained in the user's operating system in the customized operating system, and load an application (e.g., e-banking and/or security exchange software) under the customized operating system. The customized operating system is adapted to provide a running environment for the application unit. The customized operating system may be any safe operating system capable of providing a running environment for the application.


The installation unit 21 includes an obtaining module 211, a first loading module 213, a configuration module 214 and a second loading module 215. The obtaining module 211 is adapted to obtain the network configuration in a user's operating system; the first loading module 213 is adapted to load a customized operating system; the configuration module 214 is adapted to perform the network configuration obtained in the user's operating system in the customized operating system; and the second loading module 215 is adapted to load an application (e.g., e-banking and/or security exchange software) under the customized operating system.


The application unit 22 is adapted to communicate with other entities (e.g., network side entities or other client ends) under the customized operating system; the customized operating system is shut down after the application unit finishes the communication.


The restoration unit 23 is adapted to start the user's operating system, and restore the state of the user's operating system according to all the states of the user's operating system stored by the storage module.


As shown in FIG. 2, the installation unit 21 may also include a storage module 212, adapted to store all the states of the user's operating system (see block 102 in Embodiment 1 for the storage method), so as to provide the state of the user's operating system when the restoration unit 23 restores the user's operating system.


It should be noted that the obtaining module 211 may also store the network configuration obtained in the user's operating system to the storage module 212. The configuration module 214 then obtains the network configuration from the storage module 212 and performs the network configuration in the customized operating system.


The restoration unit 23 includes a starting module 231, adapted to start the user's operating system, and a restoration module 232, adapted to restore the state of the user's operating system on the user's operating system according to all the states of the user's operating system stored in the storage module 212.


According to embodiments of the present invention, by running an application on a customized operating system, the running environment of the application may be completely isolated from the user's original operating system. When the user needs to use the application, the state of the user's operating system is stored and the hardware resources are then released to load the customized operating system, so the application runs on the customized operating system, isolated from the user's operating system. As a result, the security threat to the application from viruses, Trojans, spyware, vulnerabilities of the user's operating system and so on present in the user's original system may be avoided.


A “computer-readable medium” provided by embodiments of the present invention may include any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, system or device. The computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, system, device, propagation medium, or computer memory.


Though the present invention has been described with reference to some exemplary embodiments, as known by those skilled in the art, many modifications and changes may be made to the present invention without departing from its spirit and essence. The scope of the present invention is defined by the appended claims.

Claims
  • 1. A communication method, comprising: obtaining a network configuration in a user's operating system; loading a customized operating system and an application; and communicating, by the application, with other entities according to the network configuration, under the customized operating system.
  • 2. The method according to claim 1, further comprising: storing all states of the user's operating system before loading the customized operating system and the application; and restoring all the stored states of the user's operating system after the communication is finished.
  • 3. The method according to claim 1, further comprising: performing the network configuration in the customized operating system after loading the customized operating system.
  • 4. The method according to claim 1, further comprising: obtaining an installer of the application; and loading the application using the installer of the application.
  • 5. The method according to claim 4, wherein the installer of the application is stored in a read-only medium.
  • 6. A communication device, comprising: an installation unit adapted to obtain a network configuration in a user's operating system, load a customized operating system, perform the network configuration in the customized operating system, and load an application; and an application unit adapted to communicate with other entities according to the network configuration under the customized operating system.
  • 7. The communication device according to claim 6, wherein the installation unit comprises: an obtaining module adapted to obtain the network configuration in the user's operating system; a first loading module adapted to load the customized operating system; a configuration module adapted to perform the network configuration obtained by the obtaining module in the customized operating system; and a second loading module adapted to load the application under the customized operating system.
  • 8. The communication device according to claim 7, wherein the installation unit further comprises: a storage unit adapted to store all states of the user's operating system; and a restoration unit adapted to shut down the customized operating system after the application unit finishes the communication, start the user's operating system, and restore a system state of the user's operating system according to all the states of the user's operating system stored by the storage module.
  • 9. The communication device according to claim 8, wherein the restoration unit comprises: a starting module adapted to start the user's operating system; and a restoration module adapted to restore a state of the user's operating system according to all the states of the user's operating system stored by the storage module under the user's operating system started by the starting module.
  • 10. A computer readable medium, comprising codes for: obtaining a network configuration in a user's operating system; loading a customized operating system and an application; and communicating, by the application, with other entities according to the network configuration, under the customized operating system.
Priority Claims (2)

  • 200710130019.8 — Jul 2007 — CN — national
  • PCT/CN2008/070515 — Mar 2008 — CN — national