Asset-certificate-based management method for untrusted terminal devices
Technical field
The present invention relates to a method for managing untrusted terminal devices based on an asset certificate, and belongs to the field of information security technology.
Background technology
At present, terminal devices are generally managed by placing a supervisory computer in a local area network (LAN). Management platform software installed on this computer records and manages the information of all terminal devices in the LAN; by operating the platform software, an administrator can query, add, modify and delete the attribute information of all terminal devices held in its database, such as each device's unique identifier and owner.
Although the above method is easy to operate and convenient for management, it carries a hidden danger to system security. The attribute information of the terminal devices is stored only in the database of the supervisory computer; once that computer suffers a security violation such as a virus or an attack, the information in its database is very likely to be stolen or altered, so that the attribute information of the terminal devices is lost or modified. At the same time, a terminal device keeps no backup of its own attribute information: once the device's system is reinstalled, the important information in its storage is wiped and the attribute information is lost. For server equipment in a cloud computing platform in particular, management by the existing method is unfavourable to effective management of the servers and cannot guarantee the reliability of server information.
Summary of the invention
In view of above-mentioned purpose, the object of the present invention is to provide a kind of untrusted terminal device management method based on assets certificate, by storing assets certificate information in the credible chip of untrusted terminal device, confidentiality and the reliability of the attribute information of untrusted terminal device can be ensured, improve security of system.
For achieving the above object, the present invention is by the following technical solutions:
Based on a untrusted terminal device management method for assets certificate, this untrusted terminal device is the terminal device comprising credible chip, and this credible chip has nonvolatile memory,
Be stored in the nonvolatile memory of its credible chip by the assets certificate information of this untrusted terminal device, this assets certificate information is the attribute information of untrusted terminal device or the cryptographic attributes information after being encrypted attribute information.
Further:
The attribute information of the untrusted terminal device comprises the device's unique identifier, owner information, time of first use, user information, life cycle and configuration information.
A write operation on the asset certificate information in the trusted chip is performed only after the correct operator password has been entered.
The untrusted terminal device is connected over the network to a supervisory computer, and the attribute information of the untrusted terminal device is also kept in the database of this supervisory computer.
When the asset certificate information is the attribute information itself, the attribute information in the database is consistent with the asset certificate information in the trusted chip; when the asset certificate information is the encrypted attribute information, the attribute information in the database is consistent with the asset certificate information in the trusted chip after decryption.
The attribute information in the database is compared with the asset certificate information in the trusted chip to judge whether the data in the supervisory computer has been tampered with.
The advantages of the invention are as follows:
In the asset-certificate-based management method of the present invention, the asset certificate information of the untrusted terminal device is stored in the non-volatile memory of the trusted chip, so it is not easily lost; write operations on the asset certificate information are possible only after the correct operator password has been entered, which ensures the completeness and reliability of the asset certificate information; and by regularly using the asset certificate information to check whether the attribute information kept in the supervisory computer has changed, the security protection of the system can be improved.
Accompanying drawing explanation
Fig. 1 is the architecture diagram of the present invention.
Fig. 2 is the structural block diagram of the untrusted terminal device in one specific embodiment of the present invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 is the architecture diagram of the present invention. As shown in the figure, the untrusted terminal device referred to in the present invention may be a network device such as a server or a terminal. The untrusted terminal device contains a trusted chip (TPM: Trusted Platform Module); this trusted chip has non-volatile memory and encrypts the information stored in the chip, guaranteeing the security of that information.
In the asset-certificate-based management method disclosed by the invention, the asset certificate information of the untrusted terminal device is stored in the non-volatile memory of the trusted chip, ensuring that it is not easily lost or tampered with. Specifically:
The asset certificate information of the untrusted terminal device may be the attribute information of the device, or the encrypted attribute information generated by encrypting that attribute information. The attribute information of the device is set according to concrete business needs and includes, but is not limited to, the device's unique identifier (UUID), owner information, time of first use, user information, life cycle and configuration information.
When the trusted chip is first activated, the owner of the untrusted terminal device enters the operator password of the trusted chip (a write operation on the trusted chip can only be performed after the correct operator password has been entered); once the password has been entered correctly, the asset certificate information is saved in the non-volatile memory of the trusted chip. Every untrusted terminal device is connected over the network to the supervisory computer, and the administrator can read the asset certificate information in the trusted chip, but only the owner of the untrusted terminal device, by entering the correct operator password, can perform write operations such as adding, modifying or deleting the asset certificate information in the trusted chip. This ensures the completeness and reliability of the attribute information.
At the same time, the attribute information of the untrusted terminal device may also be kept in the database of the supervisory computer. Where the asset certificate information is the attribute information itself, the attribute information in the database and the asset certificate information in the trusted chip are consistent; where the asset certificate information is the encrypted attribute information, the attribute information in the database is consistent with the asset certificate information in the trusted chip after decryption. The administrator can regularly compare the attribute information in the database with the asset certificate information in the trusted chip to judge whether the data in the supervisory computer has been tampered with, thereby improving the security protection of the system.
The encryption of the attribute information of the untrusted terminal device to generate the encrypted attribute information, and the decryption of the encrypted attribute information to recover the attribute information, may use a symmetric encryption algorithm or an asymmetric encryption algorithm; both are common technical means in this field, and the present invention does not describe the cryptographic algorithm in detail.
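The following Python is an added illustration of the procedure just described; it is not part of the patent and is not a TPM driver. It models the chip's non-volatile index as an object whose read is open to the administrator but whose write is gated by the operator password, keeps a database copy on the supervisory computer, and performs the periodic comparison that flags a tampered database. Because the patent leaves the cipher unspecified, an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for the encryption of the attribute information; the PBKDF2 password hash, the 100,000-round cost parameter, the enterprise key and all sample attribute values are assumptions constructed for the example.

```python
"""Model of the asset-certificate scheme: a record per device in the trusted
chip's non-volatile memory (open read, password-gated write), a copy in the
supervisory computer's database, and the audit comparing the two.
Constructed illustration only; the cipher is a stand-in (assumption)."""
import hashlib
import hmac
import json
import secrets

_PBKDF2_ROUNDS = 100_000  # assumed cost parameter for the operator password hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for the unspecified block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_attributes(key: bytes, attrs: dict) -> bytes:
    """Attribute information -> encrypted attribute information (nonce || ct || tag)."""
    plain = json.dumps(attrs, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, b"enc" + nonce, len(plain))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_attributes(key: bytes, blob: bytes) -> dict:
    """Encrypted attribute information -> attribute information; rejects a modified blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("asset certificate failed integrity check")
    plain = bytes(c ^ k for c, k in zip(ct, _keystream(key, b"enc" + nonce, len(ct))))
    return json.loads(plain)


class TrustedChipNV:
    """Non-volatile index of the trusted chip: anyone may read, only the operator password may write."""

    def __init__(self, operator_password: str):
        self._salt = secrets.token_bytes(16)
        self._auth = self._hash(operator_password)
        self._nv = b""  # in a real chip this survives reboot and OS reinstall

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, _PBKDF2_ROUNDS)

    def write(self, operator_password: str, blob: bytes) -> None:
        if not hmac.compare_digest(self._hash(operator_password), self._auth):
            raise PermissionError("write denied: wrong operator password")
        self._nv = bytes(blob)

    def read(self) -> bytes:
        return self._nv


class SupervisoryComputer:
    """Holds the database copy of each device's attribute information."""

    def __init__(self):
        self.db: dict = {}

    def register(self, attrs: dict) -> None:
        self.db[attrs["uuid"]] = dict(attrs)

    def audit(self, uuid: str, chip: TrustedChipNV, key: bytes = b"") -> bool:
        """Periodic check: True when the database record still matches the chip.
        With a key the chip holds encrypted attribute information; without one, plaintext."""
        blob = chip.read()
        chip_attrs = decrypt_attributes(key, blob) if key else json.loads(blob)
        return self.db.get(uuid) == chip_attrs


def run_scenario() -> dict:
    """Enrol a device, reject a wrong-password write, then detect a tampered database."""
    attrs = {  # constructed sample attribute information
        "uuid": "00000000-0000-4000-8000-000000000001",
        "owner": "example owner",
        "first_use": "2015-01-01",
        "user": "example user",
        "lifecycle": "in service",
        "config": {"cpu": 2, "ram_gb": 8},
    }
    key = secrets.token_bytes(32)  # assumed enterprise key for the encrypted variant
    chip = TrustedChipNV("operator-secret")
    chip.write("operator-secret", encrypt_attributes(key, attrs))
    try:
        chip.write("guess", b"overwritten")
        bad_write_rejected = False
    except PermissionError:
        bad_write_rejected = True
    sc = SupervisoryComputer()
    sc.register(attrs)
    clean = sc.audit(attrs["uuid"], chip, key)
    sc.db[attrs["uuid"]]["owner"] = "someone else"  # simulated database tampering
    tampered = not sc.audit(attrs["uuid"], chip, key)
    return {"bad_write_rejected": bad_write_rejected,
            "clean_audit_passes": clean, "tampering_detected": tampered}


if __name__ == "__main__":
    print(run_scenario())
```

The audit direction matters: the chip copy is the reference and the database is the suspect, which is exactly the patent's framing. A real deployment would replace the toy cipher with an established AEAD and would hold the key outside the supervisory computer, since a compromised supervisory computer that also holds the key could re-encrypt a forged record.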
Fig. 2 is the structural block diagram of the untrusted terminal device in one specific embodiment of the present invention. As shown in the figure, the untrusted terminal device comprises a CPU, an integrated south bridge chip (PCH: Platform Controller Hub), the trusted chip, storage, a Basic Input/Output System (BIOS), a bus interface, a SATA interface, a USB interface and so on. The trusted chip is connected to the CPU through the integrated south bridge chip; the CPU is connected to the storage and the integrated south bridge chip; and the integrated south bridge chip is connected to the BIOS, the bus interface and the SATA interface. In other embodiments the untrusted terminal device may take another hardware form that contains a trusted chip; hardware configurations containing a trusted chip belong to the prior art, and the present invention does not describe their structure and principles in detail.
In the asset-certificate-based management method of the present invention, the asset certificate information of the untrusted terminal device is stored in the non-volatile memory of the trusted chip, so that even if the untrusted terminal device is restarted or its system is reinstalled the asset certificate information is not lost; only the owner of the device has write authority, which ensures the completeness and reliability of the asset certificate information; and by regularly using the asset certificate information to check whether the attribute information kept in the supervisory computer has changed, the security protection of the system can be improved.
The above describes the preferred embodiments of the present invention and the technical principles used. For a person skilled in the art, any obvious changes such as equivalent transformations or simple replacements based on the technical solution of the present invention, without departing from its spirit and scope, fall within the scope of the present invention.