CN105426734A - Identity authentication method and device based on trusted computing - Google Patents


Info

Publication number: CN105426734A
Authority: CN (China)
Legal status: Granted (active)
Application number: CN201510772275.1A
Other languages: Chinese (zh)
Other versions: CN105426734B (en)
Inventors: 郭猛善, 冯磊
Current assignee: Chaoyue Technology Co Ltd
Original assignee: Shandong Chaoyue Numerical Control Electronics Co Ltd
Application filed by Shandong Chaoyue Numerical Control Electronics Co Ltd; priority to CN201510772275.1A; published as CN105426734A; granted and published as CN105426734B.

Classifications

    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards (under G06F21/31 User authentication; G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F Electric digital data processing; G06 Computing, calculating or counting; G Physics)
    • G06F21/44 Program or device authentication (under G06F21/30; G06F21/00; G06F; G06; G)

Abstract

The invention provides an identity authentication method and device based on trusted computing. The method comprises the following steps: binding a TCM (Trusted Cryptography Module) in a computer system with a USBKey (Universal Serial Bus key) in advance, and storing the reference value of each component in the computer system in the USBKey; when a login request from a target USBKey is obtained, judging whether the target USBKey is bound with the TCM in the computer system by comparing the metric value of each component with the corresponding reference value stored in the USBKey, which is the first authentication of the target USBKey; and when the metric values of all components match their reference values, authenticating the identity information of the target USBKey and responding to its login request according to the identity information authentication result, which is the second authentication of the target USBKey. Through this dual authentication of the target USBKey, the data in the computer system can be kept secure and trusted.

Description

Identity authentication method and device based on trusted computing
Technical field
The present invention relates to the field of computing, and in particular to an identity authentication method and device based on trusted computing.
Background
Against the background of the national drive to substitute domestic products, domestic firmware and domestic operating systems are being developed step by step. Trusted computing, as a new kind of computer information security technology, brings its secure and trusted functions fully into play and provides infrastructural support for building an information security support platform on domestic platforms, in areas such as trusted authentication, trusted measurement and trusted storage.
At present, trusted computing technology calls the internal algorithms of a TCM (Trusted Cryptography Module) to perform trusted measurement, stage by stage, of every component in the computer system during the power-on start-up process, in order to determine whether the computer system has been attacked or damaged, and so achieve trusted hardening of the computer system.
However, even when the computer system itself is secure and trusted, if a user's login information is attacked and leaked by a hacker or by malware, the security of the information on the computer may be affected.
Summary of the invention
In view of this, the invention provides an identity authentication method and device based on trusted computing, which can ensure that the data in a computer system is secure and trusted.
To achieve the above object, the present invention adopts the following technical solutions:
On the one hand, the invention provides an identity authentication method based on trusted computing. The method comprises: binding the TCM in the computer system with a USBKey in advance, and storing the reference value of each component in the computer system in the USBKey bound to that TCM; the method further comprises:
S1: when a login request from a target USBKey is obtained, acquiring the metric value of each component of the current computer system stored in the PCR inside the TCM, and acquiring the reference value of each component stored in the target USBKey;
S2: comparing, one by one, the metric value of each component with the reference value stored in the target USBKey; when the comparison result is that the metric value of every component is identical to the corresponding reference value stored in the target USBKey, performing step S3; otherwise, refusing the login request of the target USBKey;
S3: authenticating the identity information of the target USBKey, and responding to the login request of the target USBKey according to the authentication result.
Further, storing the reference value of each component in the computer system in the USBKey bound to the TCM comprises:
calculating the reference value of each component in the computer system;
storing the calculated reference values in the non-volatile memory inside the TCM;
reading the reference values from the non-volatile memory inside the TCM and storing them in the USBKey bound to the TCM.
Further, binding the TCM in the computer system with the USBKey in advance comprises: storing the identifier of the USBKey and the USBKey public key corresponding to that identifier in the non-volatile memory inside the TCM in the computer system;
and authenticating the identity information of the target USBKey comprises:
generating a first random number;
reading the USBKey private key of the target USBKey and encrypting the first random number with it;
according to the identifier of the target USBKey, reading the USBKey public key corresponding to that identifier from the non-volatile memory inside the TCM, and using this public key to decrypt the encrypted first random number, obtaining a second random number;
judging whether the first random number equals the second random number; if so, the identity information authentication of the target USBKey has passed, otherwise it has failed.
Further, the method also comprises: storing the user login code in the non-volatile memory inside the TCM in advance;
and responding to the login request of the target USBKey according to the authentication result comprises: when the authentication result is that the identity information authentication of the target USBKey has passed, obtaining the login password entered by the user, verifying the entered login password against the user login code pre-stored in the non-volatile memory inside the TCM, and, if verification succeeds, allowing the login request of the target USBKey, otherwise refusing it; when the authentication result is that the identity information authentication of the target USBKey has failed, refusing the login request of the target USBKey.
Further, the components in the computer system comprise any one or more of hardware, firmware, hardware drivers, system software and application software.
On the other hand, the invention provides an identity authentication device based on trusted computing. The device comprises:
a binding unit, for binding the TCM in the computer system with a USBKey;
a first transmitting unit, for storing the reference value of each component in the computer system in the USBKey bound to the TCM;
an acquiring unit, for acquiring, when a login request from a target USBKey is obtained, the metric value of each component of the current computer system stored in the PCR inside the TCM, and acquiring the reference value of each component stored in the target USBKey;
a processing unit, for comparing one by one the metric value of each component with the reference value stored in the target USBKey and, when the comparison result is that the metric value of every component is identical to the corresponding reference value stored in the target USBKey, notifying the authentication unit, otherwise refusing the login request of the target USBKey;
an authentication unit, for authenticating the identity information of the target USBKey;
a response unit, for responding to the login request of the target USBKey according to the authentication result of the authentication unit.
Further, the first transmitting unit comprises:
a computation subunit, for calculating the reference value of each component in the computer system;
a first sending subunit, for storing the calculated reference values in the non-volatile memory inside the TCM;
a second sending subunit, for reading the reference values from the non-volatile memory inside the TCM and storing them in the USBKey bound to the TCM.
Further, the binding unit is for storing the identifier of the USBKey and the USBKey public key corresponding to that identifier in the non-volatile memory inside the TCM in the computer system;
and the authentication unit comprises:
a random number generation subunit, for generating a first random number;
an encryption subunit, for reading the USBKey private key of the target USBKey and encrypting the first random number with it;
a decryption subunit, for reading, according to the identifier of the target USBKey, the USBKey public key corresponding to that identifier from the non-volatile memory inside the TCM, and using this public key to decrypt the encrypted first random number, obtaining a second random number;
a judgment subunit, for judging whether the first random number equals the second random number; if so, the identity information authentication of the target USBKey has passed, otherwise it has failed.
Further, the device also comprises:
a second transmitting unit, for storing the user login code in the non-volatile memory inside the TCM;
and the response unit is for: when the authentication result is that the identity information authentication of the target USBKey has passed, obtaining the login password entered by the user, verifying it against the user login code pre-stored in the non-volatile memory inside the TCM, and, if verification succeeds, allowing the login request of the target USBKey, otherwise refusing it; when the authentication result is that the identity information authentication of the target USBKey has failed, refusing the login request of the target USBKey.
Further, the components in the computer system comprise any one or more of hardware, firmware, hardware drivers, system software and application software.
The invention thus provides an identity authentication method and device based on trusted computing: the TCM in the computer system is bound with a USBKey in advance, and the reference value of each component in the computer system is stored in the USBKey bound to that TCM. When a login request from a target USBKey is obtained, it must be judged whether the target USBKey has been bound with the TCM in this computer system; this is done by comparing, one by one, the metric value of each component with the reference value stored in the target USBKey, which constitutes the first authentication of the target USBKey. The first authentication passes only when the comparison result is that the metric value of every component is identical to the corresponding reference value stored in the target USBKey. The identity information of the target USBKey is then authenticated, and the login request of the target USBKey is answered according to the result of that identity information authentication, which constitutes the second authentication of the target USBKey. Through this double authentication of the target USBKey, the data in the computer system can be kept secure and trusted.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the embodiments or the description of the prior art are introduced briefly below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an identity authentication method based on trusted computing provided by one embodiment of the invention;
Fig. 2 is a flow chart of another identity authentication method based on trusted computing provided by one embodiment of the invention;
Fig. 3 is a schematic diagram of an identity authentication device based on trusted computing provided by one embodiment of the invention;
Fig. 4 is a schematic diagram of another identity authentication device based on trusted computing provided by one embodiment of the invention.
Detailed description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them; all other embodiments that those of ordinary skill in the art obtain from them without creative effort fall within the scope of protection of the present invention.
As shown in Fig. 1, an embodiment of the invention provides an identity authentication method based on trusted computing, which can comprise the following steps:
Step 101: in advance, bind the TCM (Trusted Cryptography Module) in the computer system with a USBKey, and store the reference value of each component in the computer system in the USBKey bound to that TCM;
Step 102: when a login request from a target USBKey is obtained, acquire the metric value of each component of the current computer system stored in the PCR (program control register) inside the TCM, and acquire the reference value of each component stored in the target USBKey;
Step 103: compare, one by one, the metric value of each component with the reference value stored in the target USBKey; when the comparison result is that the metric value of every component is identical to the corresponding reference value stored in the target USBKey, perform step 104, otherwise refuse the login request of the target USBKey;
Step 104: authenticate the identity information of the target USBKey, and respond to the login request of the target USBKey according to the authentication result.
In this embodiment, the TCM in the computer system is bound with a USBKey in advance, and the reference value of each component in the computer system is stored in the USBKey bound to that TCM. When a login request from a target USBKey is obtained, it must be judged whether the target USBKey has been bound with the TCM in this computer system; this is done by comparing, one by one, the metric value of each component with the reference value stored in the target USBKey, which constitutes the first authentication of the target USBKey. The first authentication passes only when the comparison result is that the metric value of every component is identical to the corresponding reference value stored in the target USBKey. The identity information of the target USBKey is then authenticated, and the login request of the target USBKey is answered according to the result of that identity information authentication, which constitutes the second authentication of the target USBKey. Through this double authentication of the target USBKey, the data in the computer system can be kept secure and trusted.
In one possible implementation, in order to compare whether the metric value of each component of the current computer system stored in the PCR inside the TCM is identical to the reference value of each component stored in the target USBKey, and so verify the integrity of the computer system's chain-of-trust information and the trustworthiness of the target USBKey, the reference value of each component in the computer system must be stored in advance in the USBKey bound to the TCM. Storing the reference value of each component in the computer system in the USBKey bound to the TCM therefore comprises:
calculating the reference value of each component in the computer system;
storing the calculated reference values in the non-volatile memory inside the TCM;
reading the reference values from the non-volatile memory inside the TCM and storing them in the USBKey bound to the TCM.
In one possible implementation, in order to authenticate the identity information of the target USBKey, the method comprises:
binding the TCM in the computer system with the USBKey in advance, by storing the identifier of the USBKey and the USBKey public key corresponding to that identifier in the non-volatile memory inside the TCM in the computer system;
and authenticating the identity information of the target USBKey comprises:
generating a first random number;
reading the USBKey private key of the target USBKey and encrypting the first random number with it;
according to the identifier of the target USBKey, reading the USBKey public key corresponding to that identifier from the non-volatile memory inside the TCM, and using this public key to decrypt the encrypted first random number, obtaining a second random number;
judging whether the first random number equals the second random number; if so, the identity information authentication of the target USBKey has passed, otherwise it has failed.
With this implementation, on the basis that the target USBKey has already been verified as trusted, its identity information is authenticated further; only when the identity information authentication of the target USBKey passes does the process enter the verification phase for the user login code, otherwise the computer system directly refuses the login request of the target USBKey.
In one possible implementation, in order to verify whether the user's login information is correct, the method comprises:
storing the user login code in the non-volatile memory inside the TCM in advance;
and responding to the login request of the target USBKey according to the authentication result comprises: when the authentication result is that the identity information authentication of the target USBKey has passed, obtaining the login password entered by the user, verifying the entered login password against the user login code pre-stored in the non-volatile memory inside the TCM, and, if verification succeeds, allowing the login request of the target USBKey, otherwise refusing it; when the authentication result is that the identity information authentication of the target USBKey has failed, refusing the login request of the target USBKey.
In one possible implementation, in order to ensure that the computer system is secure and trusted, trusted computing must first be applied to every component in the computer system; the components in the computer system therefore comprise any one or more of hardware, firmware, hardware drivers, system software and application software.
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
As shown in Fig. 2, an embodiment of the invention provides another identity authentication method based on trusted computing, which can comprise the following steps:
Step 201: store the reference value of each component in the computer system in the non-volatile memory inside the TCM.
Specifically, the components in the computer system comprise any one or more of hardware, firmware, hardware drivers, system software and application software.
For example, suppose there is a computer A. When computer A is powered on for the first time, the BIOS (Basic Input Output System) is initialised and computes, in turn, a metric value, such as a hash value, for each component of computer A's system: hardware, firmware, hardware drivers, system software and application software. This yields the hardware metric A1, firmware metric A2, hardware driver metric A3, system software metric A4 and application software metric A5 of computer A. These metric values are stored inside the TCM of computer A as reference values, denoted hardware reference value A1, firmware reference value A2, hardware driver reference value A3, system software reference value A4 and application software reference value A5 of computer A.
In this embodiment, to ensure that data stored inside the TCM is not erased when the computer system restarts, data that should be retained can be stored in NV (non-volatile memory). For example, these metric values are stored as reference values in the NV inside the TCM of computer A.
In this embodiment, the metric value of each component in computer A's system can be computed by the TCM's internal algorithms. For example, the BIOS is initialised and calls the hash algorithm inside the TCM to compute, in turn, the hash value of each component of computer A's system: hardware, firmware, hardware drivers, system software and application software.
In detail, computing and storing the metric value of each component in the computer system comprises: the BIOS opens the system file to be measured, initialises the hash algorithm inside the TCM with the TCM_HASH_INIT_ORD command, then sends the system file to be measured into the TCM chip with the TCM_HASH_UPDATE_ORD command, then calls the TCM_HASH_FINI_ORD command to finish the hash computation and obtain the hash value; finally, the metric value of each step is stored in the TCM with the TCM_PCR_EXTEND command.
Step 202: bind the TCM in the computer system with a USBKey, and store the reference value of each component in the computer system in the USBKey bound to that TCM.
Suppose there is a batch of USBKeys: USBKey I, USBKey II, USBKey III, USBKey IV, USBKey V, and so on. Taking USBKey I as an example, computer A is connected with USBKey I over USB so that the TCM in the computer system is bound with USBKey I. Here the BIOS communicates with the TCM chip through the USB driver and operates the relevant TCM functions by sending TCM commands. After the TCM and USBKey I are bound, the identifier I of USBKey I and the USBKey public key I corresponding to identifier I are stored inside the TCM. At the same time, the reference values of the components stored in the NV inside computer A's TCM, namely hardware reference value A1, firmware reference value A2, hardware driver reference value A3, system software reference value A4 and application software reference value A5, are read out and stored in USBKey I. In the same way, computer A can be bound one by one with every USBKey in this batch.
With this implementation, any USBKey that already has a binding relationship with computer A can carry out secure and trusted authentication of the user's identity on computer A.
In this embodiment, when the login information of USBKey X is later authenticated, the user login code pre-stored in computer A must be read in order to verify whether the login password entered by the user is correct; the user login code therefore needs to be stored in computer A in advance. For example, after the TCM in computer A and USBKey I are bound, the identifier I of USBKey I, the USBKey public key I corresponding to identifier I, and the user login code I can be stored inside the TCM together.
In this embodiment, likewise, to ensure that data stored inside the TCM is not erased when the computer is powered down or the system reboots, data that should be retained can be stored in NV. For example, the identifier I of USBKey I, the USBKey public key I corresponding to identifier I, and the user login code I are stored in NV.
Step 203: when a login request from USBKey X is obtained, acquire the metric value of each component of the current computer system stored in the PCR inside the TCM, and acquire the reference value of each component stored in the target USBKey.
Suppose that a user B needs to log in to software system C on computer A. To ensure that user B's identity is secure and trusted, user B must authenticate himself with the USBKey X that he holds.
In this embodiment, during start-up, computer A can perform trusted authentication of each component, or of several components, that is about to be started, so as to carry out a self-check of computer A and ensure its security. This process can comprise: computer A is powered on, the BIOS is initialised and calls the hash algorithm inside the TCM to compute, in turn, the current metric values of computer A's hardware, system software and application software, obtaining metric values A1', A4' and A5', which are stored in the PCR inside the TCM. The respective reference values of computer A's hardware, system software and application software stored in the NV inside the TCM are read, namely reference values A1, A4 and A5, and the corresponding current metric values stored in the PCR inside the TCM are read, namely metric values A1', A4' and A5'.
Then it is checked whether the current metric values of computer A's hardware, system software and application software are all identical to their reference values, that is, whether A1=A1', A4=A4' and A5=A5' hold simultaneously. If so, the system environment of computer A is sound, the self-check of computer A's operating system based on trusted computing is complete, and the user's login request is allowed; otherwise, the system of computer A has been attacked or damaged, and the user's login request is refused. On comparison, the current metric values of computer A's hardware, system software and application software are found to be identical to their reference values, and computer A's self-check completes.
This self-check of the computer based on trusted computing first checks whether the computer system has been attacked or damaged, and so ensures that the computer system is secure and trusted before the user logs in.
After computer A's self-check completes, USBKey X is connected to computer A over USB. When computer A obtains the login request of USBKey X, it reads the current metric values of computer A's hardware, system software and application software stored in the PCR inside the TCM, and reads the corresponding reference values stored in USBKey X. If the corresponding reference values stored in USBKey X cannot be obtained, USBKey X was not bound with computer A before this login and is not trusted by computer A, or USBKey X may have been damaged; the binding relationship between computer A and USBKey X therefore does not hold, and user B's login request is refused.
Likewise, if USBKey X was not bound with computer A before this login, then, provided USBKey X is not damaged, the same operation as described above for USBKey I can be carried out at this login to establish a binding relationship between computer A and USBKey X, so that USBKey X becomes trusted by computer A, after which trusted authentication of the user's identity can be carried out with USBKey X on computer A. Provided the USBKey is not damaged and the computer system has not been attacked, this implementation allows a USBKey to establish a binding relationship with any computer, so that the user can carry out secure and trusted authentication of his identity on any computer with the USBKey.
Because the same computer can perform trusted authentication of different USBKeys, and the same USBKey can perform secure and trusted logins on different computers, the convenience and practicality of trusted login with user information are effectively improved.
Step 204: one by one the reference value stored in the metric of each parts and USBKeyX is compared, the reference value homogeneous phase stored in comparative result is the metric of each parts and USBKeyX simultaneously, performs step 205, otherwise, perform step 207.
Now, computer A has got the hardware of the computer A stored in the inner PCR of TCM, the current metric value of system software and application software, i.e. metric A1 ', metric A4 ' and metric A5 ', also get the corresponding reference value stored in USBKeyX simultaneously, i.e. reference value A1, during reference value A4 and reference value A5, then hardware is contrasted one by one, whether system software is all identical with corresponding reference value with the current metric value of application software, if, i.e. A1=A1 ', A4=A4 ', A5=A5 ' time, perform the certification of follow-up USBKeyX identity information, otherwise, perform step 207, the binding relationship of computer A and USBKeyX is false, the logging request of refusal USBKeyX.Through contrast, find that the current metric value stored in the inner PCR of TCM in computer A is all identical with the corresponding reference value stored in the USBKeyX that user B holds, i.e. A1=A1 ', A4=A4 ', A5=A5 '.
Step 205: authenticate the identity information of USBKeyX; if authentication passes, perform step 206, otherwise authentication fails and step 207 is performed.
In this embodiment the identity information of USBKeyX can be authenticated by encrypting and then decrypting a random number. The process can comprise: generate a random number Y; read the private key X of USBKeyX and encrypt the random number Y with it, obtaining the encrypted number Y'; read the public key X corresponding to the identifier X of USBKeyX from the NV memory inside the TCM, and decrypt the encrypted number Y' with public key X, obtaining a random number Y''; judge whether random number Y and random number Y'' are equal; if so, the identity information authentication of USBKeyX has passed, otherwise it has not passed and the login request of USBKeyX is refused. In this example the judgement finds that random number Y = random number Y'', so the identity information authentication of USBKeyX passes.
Here the random number Y can be a randomly chosen value supplied directly, or it can be generated by the random number algorithm inside the TCM, called by the BIOS.
Step 206: authenticate the login information of USBKeyX; if authentication passes, log in to the system, otherwise authentication fails and step 207 is performed.
In addition, if the login information authentication of USBKeyX does not pass, besides refusing the login request of USBKeyX, the user can also be prompted to re-enter the login password and authenticate again.
After the identity information authentication of USBKeyX has passed, in this embodiment the user login dialog of software system C can be displayed to obtain the login password M' entered by the user, and the user login code M pre-stored in the NV memory inside the TCM is read to judge whether M and M' are equal. If M=M', the login password M' entered by the user is correct and software system C allows user B to log in; if M≠M', the login password entered by the user is wrong, and the login request of USBKeyX is refused or the user re-enters the login password. In this example the login password entered by user B equals the user login code pre-stored in the NV memory inside the TCM, that is, M=M'; the identity of user B is trusted and software system C is opened successfully.
Step 207: refuse the login request of USBKeyX.
In this embodiment, whenever any of the following occurs: the binding between computer A and USBKeyX does not hold, the identity information authentication of USBKeyX does not pass, or the login information authentication of USBKeyX does not pass, the login request of USBKeyX is refused.
Through the information binding and trust authentication between the computer system and the USBKey, this embodiment requires trusted authentication of the identity information of the user's USBKey on top of verifying the correctness of the user's login code, so that when the user's login information is attacked by a hacker or malware and leaked, the user's information security is still effectively protected to a certain extent.
This embodiment first performs a computer system self-check to effectively ensure that the computer system itself is secure and trusted, creating a secure and reliable login environment for the user; then, through the binding between the TCM inside the computer and the USBKey, it achieves the complete transmission of the chain of trust between the computer and the user's USBKey while authenticating the identity information of the user's USBKey, further demonstrating the security and trustworthiness of the user's USBKey; and finally, based on the judgement of the correctness of the user login code, it achieves a secure and trusted login of the user.
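The login flow of steps 204 to 207 (PCR comparison, random-number challenge, login code check), as an added Python example that is not part of the patent: the TCM, its PCRs and the USBKey are in-memory stand-ins, the key pair is textbook RSA on a tiny constructed modulus so the private-encrypt/public-decrypt step is visible, and SHA-256 stands in for the TCM's measurement hash.

```python
"""Simulation of steps 204-207: binding check on PCR measurements, random-number
challenge answered by the USBKey private key and checked with the public key the
TCM holds in NV, then the login code check.  Stand-ins throughout (constructed
example): toy RSA modulus, SHA-256 measurements, in-memory TCM and USBKey."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def measure(component_image: bytes) -> str:
    """Stand-in for the measurement the TCM extends into a PCR (a real TCM uses SM3)."""
    return hashlib.sha256(component_image).hexdigest()


@dataclass
class USBKey:
    key_id: str                        # identifier X of the key (constructed)
    priv_d: int                        # RSA private exponent; never leaves the key
    modulus: int
    reference_values: Dict[str, str]   # component -> reference value written at binding


@dataclass
class TCM:
    pcr: Dict[str, str]                # component -> current measurement value
    nv_login_code: str                 # user login code M kept in NV memory
    nv_pubkeys: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # key_id -> (e, n)

    def bind(self, key: USBKey, pub_e: int) -> None:
        """Binding: record identifier and public key in NV, hand the key the
        current measurement values as its reference values."""
        self.nv_pubkeys[key.key_id] = (pub_e, key.modulus)
        key.reference_values = dict(self.pcr)


def check_binding(tcm: TCM, key: USBKey) -> bool:
    """Step 204: every component's current measurement must equal the reference
    value in the USBKey; a missing or extra component also fails."""
    if set(tcm.pcr) != set(key.reference_values):
        return False
    return all(hmac.compare_digest(tcm.pcr[c], key.reference_values[c]) for c in tcm.pcr)


def challenge_response(tcm: TCM, key: USBKey, y: Optional[int] = None) -> bool:
    """Step 205: Y' = Y^d mod n on the USBKey, Y'' = Y'^e mod n with the public key
    the TCM stored for this key_id; pass iff Y == Y''.  `y` is only settable for
    deterministic tests; normally a fresh value is drawn for every attempt."""
    pub = tcm.nv_pubkeys.get(key.key_id)
    if pub is None:                      # key never bound to this TCM
        return False
    e, n = pub
    if y is None:
        y = secrets.randbelow(n - 2) + 1  # fresh challenge, 1 <= Y < n
    elif not 1 <= y < n:
        raise ValueError("challenge out of range")
    y_enc = pow(y, key.priv_d, key.modulus)   # USBKey side
    y_dec = pow(y_enc, e, n)                  # TCM side
    return y == y_dec


def check_login_code(tcm: TCM, entered: str) -> bool:
    """Step 206: compare the entered password M' with the login code M in TCM NV."""
    return hmac.compare_digest(tcm.nv_login_code.encode(), entered.encode())


def login(tcm: TCM, key: USBKey, entered_password: str) -> str:
    """Steps 204-207 in order; any failure refuses the login request (step 207)."""
    if not check_binding(tcm, key):
        return "refused: binding does not hold"
    if not challenge_response(tcm, key):
        return "refused: identity authentication failed"
    if not check_login_code(tcm, entered_password):
        return "refused: login password incorrect"
    return "login allowed"


# Constructed sample: toy RSA pair (p=61, q=53) and fake component images.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753
IMAGES = {"hardware": b"board rev A", "system_software": b"os build 1", "application_software": b"app C"}


def build_bound_system() -> Tuple[TCM, USBKey]:
    tcm = TCM(pcr={c: measure(img) for c, img in IMAGES.items()}, nv_login_code="M-secret")
    key = USBKey(key_id="X", priv_d=TOY_D, modulus=TOY_N, reference_values={})
    tcm.bind(key, TOY_E)
    return tcm, key


if __name__ == "__main__":
    tcm, key = build_bound_system()
    print(login(tcm, key, "M-secret"))
    tcm.pcr["application_software"] = measure(b"app C modified")   # tampered component
    print(login(tcm, key, "M-secret"))
```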
As shown in Figure 3, an embodiment of the present invention provides an identity authentication device based on trusted computing, comprising:
a binding unit 301, for binding the TCM in the computer system with a USBKey;
a first transmitting unit 302, for storing the reference values of the components of the computer system in the USBKey bound with the internal TCM;
an acquiring unit 303, for, when a login request of a target USBKey is obtained, acquiring the measurement values of the components of the current computer system stored in the PCRs inside the TCM, and acquiring the reference values of the components stored in the target USBKey;
a processing unit 304, for comparing the measurement value of each component one by one with the corresponding reference value stored in the target USBKey and, when the comparison shows that the measurement value of every component equals the reference value stored in the target USBKey, notifying the authentication unit 305, otherwise refusing the login request of the target USBKey;
an authentication unit 305, for authenticating the identity information of the target USBKey;
a response unit 306, for responding to the login request of the target USBKey according to the authentication result of the authentication unit 305.
In one possible implementation, referring to Figure 4, the first transmitting unit 302 comprises:
a computation subunit 3021, for calculating the reference values of the components of the computer system;
a first sending subunit 3022, for storing the calculated reference values of the components of the computer system in the non-volatile memory inside the TCM;
a second sending subunit 3023, for reading the reference values from the non-volatile memory inside the TCM and storing them in the USBKey bound with the TCM.
In one possible implementation, referring to Figure 4, the binding unit 301 is for storing the identifier of the USBKey and the USBKey public key corresponding to that identifier in the non-volatile memory inside the TCM of the computer system;
and the authentication unit 305 comprises:
a random number generation subunit 3051, for generating a first random number;
an encryption subunit 3052, for reading the USBKey private key of the target USBKey and encrypting the first random number with it;
a decryption subunit 3053, for reading, according to the identifier of the target USBKey, the USBKey public key corresponding to that identifier from the non-volatile memory inside the TCM, and decrypting the encrypted first random number with this USBKey public key to obtain a second random number;
a judgment subunit 3054, for judging whether the first random number equals the second random number; if so, the identity information authentication of the target USBKey has passed, otherwise it has not passed.
In one possible implementation, the device further comprises:
a second transmitting unit 307, for storing the user login code in the non-volatile memory inside the TCM;
and the response unit 306 is for, when the authentication result indicates that the identity information authentication of the target USBKey has passed, obtaining the login password entered by the user and verifying it against the user login code pre-stored in the non-volatile memory inside the TCM; if verification passes, the login request of the target USBKey is allowed, otherwise it is refused; and, when the authentication result indicates that the identity information authentication of the target USBKey has not passed, refusing the login request of the target USBKey.
In one possible implementation, the components of the computer system comprise any one or more of hardware, firmware, hardware drivers, system software and application software.
Since the information exchange between the units of the above device and the manner of its implementation are based on the same concept as the method embodiments of the invention, the details can be found in the description of the method embodiments and are not repeated here.
In summary, embodiments of the present invention provide an identity authentication method and device based on trusted computing, which can have the following beneficial effects:
1. The invention provides an identity authentication method and device based on trusted computing in which the TCM in the computer system is bound in advance with a USBKey, and the reference values of the components of the computer system are stored in the USBKey bound with the internal TCM. When a login request of a target USBKey is obtained, it must be judged whether this target USBKey has been bound with the TCM of this computer system: the measurement value of each component is compared one by one with the reference value stored in the target USBKey as a first authentication of the target USBKey, and this first authentication passes only if the comparison shows that the measurement value of every component equals the reference value stored in the target USBKey. The identity information of the target USBKey is then authenticated and the login request is answered according to that authentication result, as a second authentication of the target USBKey. This double authentication of the target USBKey can ensure that the data in the computer system are secure and trusted.
2. Embodiments of the present invention provide an identity authentication method and device based on trusted computing in which the computer performs a self-check based on trusted computing, verifying through the self-test program whether the current computer system has been attacked or tampered with, so that the computer system can be ensured secure and trusted before the user logs in.
3. Embodiments of the present invention provide an identity authentication method and device based on trusted computing in which, because the same computer can perform trusted authentication for different USBKeys and the same USBKey can perform secure, trusted logins on different computers, the convenience and practicality of trusted user login are effectively improved.
4. Embodiments of the present invention provide an identity authentication method and device based on trusted computing in which, through the information binding and trust authentication between the computer system and the USBKey, trusted authentication of the identity information of the user's USBKey is required on top of verifying the correctness of the user login code, so that when the user's login information is attacked by a hacker or malware and leaked, the user's information security is still effectively protected to a certain extent.
5. Embodiments of the present invention provide an identity authentication method and device based on trusted computing which first performs a computer system self-check to effectively ensure that the computer system itself is secure and trusted, creating a secure and reliable login environment for the user; then, through the binding between the TCM inside the computer and the USBKey, achieves the complete transmission of the chain of trust between the computer and the user's USBKey while authenticating the identity information of the user's USBKey, further demonstrating the security and trustworthiness of the user's USBKey; and finally, based on the judgement of the correctness of the user login code, achieves a secure and trusted login of the user.
Finally, it should be noted that the foregoing is only a preferred embodiment of the present invention, intended only to illustrate the technical solution of the invention and not to limit its scope of protection. Any modifications, equivalent replacements, improvements and the like made within the spirit and principles of the invention are all included in its scope of protection.

Claims (10)

1. An identity authentication method based on trusted computing, characterized in that a Trusted Cryptography Module (TCM) in a computer system is bound in advance with a USBKey, and the reference values of the components of the computer system are stored in the USBKey bound with the internal TCM, the method further comprising:
S1: when a login request of a target USBKey is obtained, acquiring the measurement values of the components of the current computer system stored in the platform configuration registers (PCR) inside the TCM, and acquiring the reference values of the components stored in said target USBKey;
S2: comparing the measurement value of each component one by one with the reference value stored in said target USBKey; if the comparison shows that the measurement value of every component equals the reference value stored in said target USBKey, performing step S3, otherwise refusing the login request of said target USBKey;
S3: authenticating the identity information of said target USBKey, and responding to the login request of said target USBKey according to the authentication result.
2. The method according to claim 1, characterized in that said storing the reference values of the components of the computer system in the USBKey bound with the internal TCM comprises:
calculating the reference values of the components of the computer system;
storing the calculated reference values of the components of the computer system in the non-volatile memory inside the TCM;
reading the reference values from the non-volatile memory inside the TCM and storing them in the USBKey bound with the TCM.
3. The method according to claim 1, characterized in that
said binding the TCM in the computer system with the USBKey in advance comprises: storing the identifier of the USBKey and the USBKey public key corresponding to that identifier in the non-volatile memory inside the TCM of the computer system;
and said authenticating the identity information of said target USBKey comprises:
generating a first random number;
reading the USBKey private key of said target USBKey and encrypting said first random number with it;
according to the identifier of said target USBKey, reading the USBKey public key corresponding to the identifier of said target USBKey from the non-volatile memory inside the TCM, and decrypting the encrypted first random number with this USBKey public key to obtain a second random number;
judging whether said first random number equals said second random number; if so, the identity information authentication of said target USBKey has passed, otherwise it has not passed.
4. The method according to claim 3, characterized in that
it further comprises: storing the user login code in advance in the non-volatile memory inside the TCM;
and said responding to the login request of said target USBKey according to the authentication result comprises: when the authentication result indicates that the identity information authentication of said target USBKey has passed, obtaining the login password entered by the user and verifying it against the user login code pre-stored in the non-volatile memory inside the TCM; if verification passes, allowing the login request of said target USBKey, otherwise refusing it; and when the authentication result indicates that the identity information authentication of said target USBKey has not passed, refusing the login request of said target USBKey.
5. The method according to any one of claims 1 to 4, characterized in that the components of said computer system comprise:
any one or more of hardware, firmware, hardware drivers, system software and application software.
6. An identity authentication device based on trusted computing, characterized in that it comprises:
a binding unit, for binding the TCM in the computer system with a USBKey;
a first transmitting unit, for storing the reference values of the components of the computer system in the USBKey bound with the internal TCM;
an acquiring unit, for, when a login request of a target USBKey is obtained, acquiring the measurement values of the components of the current computer system stored in the PCRs inside the TCM, and acquiring the reference values of the components stored in said target USBKey;
a processing unit, for comparing the measurement value of each component one by one with the reference value stored in said target USBKey and, when the comparison shows that the measurement value of every component equals the reference value stored in said target USBKey, notifying the authentication unit, otherwise refusing the login request of said target USBKey;
an authentication unit, for authenticating the identity information of said target USBKey;
a response unit, for responding to the login request of said target USBKey according to the authentication result of said authentication unit.
7. The identity authentication device based on trusted computing according to claim 6, characterized in that said first transmitting unit comprises:
a computation subunit, for calculating the reference values of the components of the computer system;
a first sending subunit, for storing the calculated reference values of the components of the computer system in the non-volatile memory inside the TCM;
a second sending subunit, for reading the reference values from the non-volatile memory inside the TCM and storing them in the USBKey bound with the TCM.
8. The identity authentication device based on trusted computing according to claim 6, characterized in that
said binding unit is for storing the identifier of the USBKey and the USBKey public key corresponding to that identifier in the non-volatile memory inside the TCM of the computer system;
and said authentication unit comprises:
a random number generation subunit, for generating a first random number;
an encryption subunit, for reading the USBKey private key of said target USBKey and encrypting said first random number with it;
a decryption subunit, for reading, according to the identifier of said target USBKey, the USBKey public key corresponding to the identifier of said target USBKey from the non-volatile memory inside the TCM, and decrypting the encrypted first random number with this USBKey public key to obtain a second random number;
a judgment subunit, for judging whether said first random number equals said second random number; if so, the identity information authentication of said target USBKey has passed, otherwise it has not passed.
9. The identity authentication device based on trusted computing according to claim 8, characterized in that it comprises:
a second transmitting unit, for storing the user login code in the non-volatile memory inside the TCM;
and said response unit is for, when the authentication result indicates that the identity information authentication of said target USBKey has passed, obtaining the login password entered by the user and verifying it against the user login code pre-stored in the non-volatile memory inside the TCM; if verification passes, allowing the login request of said target USBKey, otherwise refusing it; and when the authentication result indicates that the identity information authentication of said target USBKey has not passed, refusing the login request of said target USBKey.
10. The identity authentication device based on trusted computing according to any one of claims 6 to 9, characterized in that
the components of said computer system comprise any one or more of hardware, firmware, hardware drivers, system software and application software.
CN201510772275.1A, priority date 2015-11-12, filing date 2015-11-12: An identity authentication method and device based on trusted computing. Granted as CN105426734B (active).

Publications (2)

Publication Number Publication Date
CN105426734A (application) 2016-03-23
CN105426734B (granted patent) 2018-04-13

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information: applicant changed from SHANDONG CHAOYUE NUMERICAL CONTROL ELECTRONIC Co.,Ltd. to SHANDONG CHAOYUE DATA CONTROL ELECTRONICS Co.,Ltd. (address unchanged: 250100 Ji'nan province hi tech Zone, Sun Village Branch Road, No. 2877)
CB03 Change of inventor or designer information: inventors changed from Guo Mengshan, Feng Lei to Zhao Ruidong, Guo Mengshan, Feng Lei, Zhu Shushan
GR01 Patent grant
CP01 Change in the name or title of a patent holder: patentee changed from SHANDONG CHAOYUE DATA CONTROL ELECTRONICS Co.,Ltd. to Chaoyue Technology Co.,Ltd. (address: 250100 No. 2877 Kehang Road, Sun Village Town, Jinan High-tech District, Shandong Province)
PE01 Entry into force of the registration of the contract for pledge of patent right: denomination of invention "An identity authentication method and device based on Trusted Computing"; effective date of registration 20211104; granted publication date 20180413; pledgee China Merchants Bank Co.,Ltd. Jinan Branch; pledgor Chaoyue Technology Co.,Ltd.; registration number Y2021370000126
PC01 Cancellation of the registration of the contract for pledge of patent right: date of cancellation 20230413; granted publication date 20180413; pledgee China Merchants Bank Co.,Ltd. Jinan Branch; pledgor Chaoyue Technology Co.,Ltd.; registration number Y2021370000126