Summary of the invention
In view of this, the invention provides an identity authentication method and device based on trusted computing, which can ensure the security and trustworthiness of data in a computer system.
To achieve the above object, the invention is realized through the following technical solutions:
In one aspect, the invention provides an identity authentication method based on trusted computing. The method comprises: binding, in advance, the TCM in a computer system with a USBKey, and storing the reference values of all components in the computer system in the USBKey bound with the TCM; the method further comprises:
S1: when a login request from a target USBKey is received, obtaining the measurement values of all components in the current computer system stored in the PCR inside the TCM, and obtaining the reference values of all components stored in the target USBKey;
S2: comparing, one by one, the measurement value of each component with the reference value stored in the target USBKey; when the comparison result is that the measurement value of every component is identical to the corresponding reference value stored in the target USBKey, performing step S3; otherwise, refusing the login request of the target USBKey;
S3: authenticating the identity information of the target USBKey, and responding to the login request of the target USBKey according to the authentication result.
Further, storing the reference values of all components in the computer system in the USBKey bound with the TCM comprises:
Calculating the reference values of all components in the computer system;
Storing the calculated reference values of all components in the computer system in the non-volatile memory inside the TCM;
Reading the reference values from the non-volatile memory inside the TCM and storing them in the USBKey bound with the TCM.
Further, binding the TCM in the computer system with the USBKey in advance comprises: storing the identifier of the USBKey and the USBKey public key corresponding to that identifier in the non-volatile memory inside the TCM of the computer system;
Authenticating the identity information of the target USBKey comprises:
Generating a first random number;
Reading the USBKey private key of the target USBKey and encrypting the first random number with it;
According to the identifier of the target USBKey, reading the USBKey public key corresponding to that identifier from the non-volatile memory inside the TCM, and decrypting the encrypted first random number with the public key read, obtaining a second random number;
Judging whether the first random number equals the second random number; if so, the identity information authentication of the target USBKey passes; otherwise, it does not pass.
Further, the method also comprises: storing a user login code in the non-volatile memory inside the TCM in advance;
Responding to the login request of the target USBKey according to the authentication result comprises: when the authentication result is that the identity information authentication of the target USBKey has passed, obtaining the login password entered by the user and verifying it against the user login code pre-stored in the non-volatile memory inside the TCM; if the verification passes, allowing the login request of the target USBKey, otherwise refusing it; when the authentication result is that the identity information authentication of the target USBKey has not passed, refusing the login request of the target USBKey.
Further, the components in the computer system comprise any one or more of: hardware, firmware, hardware drivers, system software and application software.
In another aspect, the invention provides an identity authentication device based on trusted computing. The device comprises:
A binding unit, for binding the TCM in the computer system with a USBKey;
A first sending unit, for storing the reference values of all components in the computer system in the USBKey bound with the TCM;
An acquiring unit, for, when a login request from a target USBKey is received, obtaining the measurement values of all components in the current computer system stored in the PCR inside the TCM, and obtaining the reference values of all components stored in the target USBKey;
A processing unit, for comparing, one by one, the measurement value of each component with the reference value stored in the target USBKey, and, when the comparison result is that the measurement value of every component is identical to the corresponding reference value stored in the target USBKey, notifying the authentication unit, otherwise refusing the login request of the target USBKey;
An authentication unit, for authenticating the identity information of the target USBKey;
A response unit, for responding to the login request of the target USBKey according to the authentication result of the authentication unit.
Further, the first sending unit comprises:
A computation sub-unit, for calculating the reference values of all components in the computer system;
A first sending sub-unit, for storing the calculated reference values of all components in the computer system in the non-volatile memory inside the TCM;
A second sending sub-unit, for reading the reference values from the non-volatile memory inside the TCM and storing them in the USBKey bound with the TCM.
Further, the binding unit is for storing the identifier of the USBKey and the USBKey public key corresponding to that identifier in the non-volatile memory inside the TCM of the computer system;
The authentication unit comprises:
A random number generating sub-unit, for generating a first random number;
An encryption sub-unit, for reading the USBKey private key of the target USBKey and encrypting the first random number with it;
A decryption sub-unit, for reading, according to the identifier of the target USBKey, the USBKey public key corresponding to that identifier from the non-volatile memory inside the TCM, and decrypting the encrypted first random number with the public key read, obtaining a second random number;
A judgment sub-unit, for judging whether the first random number equals the second random number; if so, the identity information authentication of the target USBKey passes, otherwise it does not pass.
Further, the device also comprises:
A second sending unit, for storing a user login code in the non-volatile memory inside the TCM;
The response unit is for: when the authentication result is that the identity information authentication of the target USBKey has passed, obtaining the login password entered by the user and verifying it against the user login code pre-stored in the non-volatile memory inside the TCM; if the verification passes, allowing the login request of the target USBKey, otherwise refusing it; and when the authentication result is that the identity information authentication of the target USBKey has not passed, refusing the login request of the target USBKey.
Further, the components in the computer system comprise any one or more of: hardware, firmware, hardware drivers, system software and application software.
The invention provides an identity authentication method and device based on trusted computing. The TCM in the computer system is bound with the USBKey in advance, and the reference values of all components in the computer system are stored in the USBKey bound with the TCM. When a login request from a target USBKey is received, it must be judged whether this target USBKey was bound with the TCM in this computer system: the measurement value of each component is compared one by one with the reference value stored in the target USBKey, which constitutes the first authentication of the target USBKey. The first authentication passes only when the measurement value of every component is identical to the corresponding reference value stored in the target USBKey. The identity information of the target USBKey is then authenticated, and the login request of the target USBKey is responded to according to that authentication result, which constitutes the second authentication of the target USBKey. Through this two-stage authentication of the target USBKey, the security and trustworthiness of data in the computer system can be ensured.
Embodiment
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative work fall within the scope of protection of the invention.
As shown in Figure 1, an embodiment of the invention provides an identity authentication method based on trusted computing. The method can comprise the following steps:
Step 101: bind, in advance, the TCM (Trusted Cryptography Module) in the computer system with a USBKey, and store the reference values of all components in the computer system in the USBKey bound with the TCM;
Step 102: when a login request from a target USBKey is received, obtain the measurement values of all components in the current computer system stored in the PCR (program control register) inside the TCM, and obtain the reference values of all components stored in the target USBKey;
Step 103: compare, one by one, the measurement value of each component with the reference value stored in the target USBKey; when the comparison result is that the measurement value of every component is identical to the corresponding reference value stored in the target USBKey, perform step 104; otherwise, refuse the login request of the target USBKey;
Step 104: authenticate the identity information of the target USBKey, and respond to the login request of the target USBKey according to the authentication result.
In a possible implementation, in order to compare whether the measurement values of all components in the current computer system stored in the PCR inside the TCM are identical to the reference values of all components stored in the target USBKey, and thereby verify the integrity of the trust-chain information transfer of the computer system and the trustworthiness of the target USBKey, the reference values of all components in the computer system must be stored in advance in the USBKey bound with the TCM. Accordingly, storing the reference values of all components in the computer system in the USBKey bound with the TCM comprises:
Calculating the reference values of all components in the computer system;
Storing the calculated reference values of all components in the computer system in the non-volatile memory inside the TCM;
Reading the reference values from the non-volatile memory inside the TCM and storing them in the USBKey bound with the TCM.
In a possible implementation, in order to authenticate the identity information of the target USBKey, the method comprises:
Binding the TCM in the computer system with the USBKey in advance, by storing the identifier of the USBKey and the USBKey public key corresponding to that identifier in the non-volatile memory inside the TCM of the computer system;
Authenticating the identity information of the target USBKey then comprises:
Generating a first random number;
Reading the USBKey private key of the target USBKey and encrypting the first random number with it;
According to the identifier of the target USBKey, reading the USBKey public key corresponding to that identifier from the non-volatile memory inside the TCM, and decrypting the encrypted first random number with the public key read, obtaining a second random number;
Judging whether the first random number equals the second random number; if so, the identity information authentication of the target USBKey passes; otherwise, it does not pass.
With this implementation, on the basis that the target USBKey has already been established as trustworthy, the identity information of the target USBKey is further authenticated. Only when the identity information authentication of the target USBKey passes does the process enter the stage of verifying the correctness of the user login code; otherwise, the computer system directly refuses the login request of the target USBKey.
In a possible implementation, in order to verify whether the user's login information is correct, the method comprises:
Storing a user login code in the non-volatile memory inside the TCM in advance;
Responding to the login request of the target USBKey according to the authentication result then comprises: when the authentication result is that the identity information authentication of the target USBKey has passed, obtaining the login password entered by the user and verifying it against the user login code pre-stored in the non-volatile memory inside the TCM; if the verification passes, allowing the login request of the target USBKey, otherwise refusing it; when the authentication result is that the identity information authentication of the target USBKey has not passed, refusing the login request of the target USBKey.
In a possible implementation, to ensure the security and trustworthiness of the computer system, trusted computing must first be performed on all components in the computer system. Accordingly, the components in the computer system comprise any one or more of: hardware, firmware, hardware drivers, system software and application software.
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
As shown in Figure 2, an embodiment of the invention provides another identity authentication method based on trusted computing. The method can comprise the following steps:
Step 201: store the reference values of all components in the computer system in the non-volatile memory inside the TCM.
Specifically, the components in the computer system comprise any one or more of hardware, firmware, hardware drivers, system software and application software.
For example, take an existing computer A. When computer A is powered on for the first time, the BIOS (Basic Input Output System) initializes and calculates a measurement value, for example a hash value, for each component in the system of computer A in turn: hardware, firmware, hardware drivers, system software and application software. This yields the hardware measurement value A1, firmware measurement value A2, hardware-driver measurement value A3, system-software measurement value A4 and application-software measurement value A5 of computer A. These measurement values are stored inside the TCM of computer A as reference values, denoted as the hardware reference value A1, firmware reference value A2, hardware-driver reference value A3, system-software reference value A4 and application-software reference value A5 of computer A.
In this embodiment, to ensure that data stored inside the TCM is not erased after the computer system restarts, data to be retained can be stored in NV (non-volatile memory). For example, these measurement values are stored as reference values in the NV inside the TCM of computer A.
In this embodiment, the measurement values of the components in the system of computer A can be calculated by an algorithm internal to the TCM. For example, during BIOS initialization the hash algorithm inside the TCM is called to calculate the hash value of each component in the system of computer A in turn: hardware, firmware, hardware drivers, system software and application software.
In detail, calculating and storing the measurement value of each component in the computer system comprises: the BIOS opens the system file to be processed, initializes the hash algorithm inside the TCM with the TCM_HASH_INIT_ORD command, sends the system file to the TCM chip with the TCM_HASH_UPDATE_ORD command, then calls the TCM_HASH_FINI_ORD command to finish the hash computation and obtain the hash value; finally, the measurement value of each step is stored in the TCM with the TCM_PCR_EXTEND command.
Step 202: bind the TCM in the computer system with a USBKey, and store the reference values of all components in the computer system in the USBKey bound with the TCM.
Suppose there is a batch of USBKeys: USBKey I, USBKey II, USBKey III, USBKey IV, USBKey V, .... Taking USBKey I as an example, computer A is connected with USBKey I over USB so that the TCM in the computer system is bound with USBKey I. Here the BIOS communicates with the TCM chip through the USB driver and operates the relevant TCM functions by sending TCM commands. After the TCM and USBKey I are bound, the identifier I of USBKey I and the USBKey public key I corresponding to identifier I are stored inside the TCM. At the same time, the reference values of all components stored in the NV inside the TCM of computer A, namely hardware reference value A1, firmware reference value A2, hardware-driver reference value A3, system-software reference value A4 and application-software reference value A5, are read and stored in USBKey I. In the same way, computer A can be bound one by one with each USBKey in this batch.
With this implementation, any USBKey that already has a binding relationship with computer A can perform secure and trusted authentication of user identity on computer A.
In this embodiment, the subsequent operation of authenticating the login information of USBKey X needs to read the user login code pre-stored in computer A in order to verify whether the login password entered by the user is correct; therefore the user login code must be stored in computer A in advance. For example, after the TCM in computer A and USBKey I are bound, the identifier I of USBKey I, the USBKey public key I corresponding to identifier I and the user login code I can be stored inside the TCM at the same time.
Likewise, in this embodiment, to ensure that data stored inside the TCM is not erased after the computer powers down or the system reboots, data to be retained can be stored in NV. For example, the identifier I of USBKey I, the USBKey public key I corresponding to identifier I and the user login code I are stored in NV.
Step 203: when a login request from USBKey X is received, obtain the measurement values of all components in the current computer system stored in the PCR inside the TCM, and obtain the reference values of all components stored in the target USBKey.
Suppose a user B needs to log in to software system C on computer A. To ensure that the identity of user B is secure and trustworthy, user B must use the USBKey X that user B holds to authenticate himself.
In this embodiment, during the boot process, computer A can perform trusted authentication of each component, or of several components, that is about to be started, so as to carry out a self-check of computer A and ensure its security. This process can comprise: computer A is powered on, the BIOS initializes and calls the hash algorithm inside the TCM to calculate, in turn, the current measurement values of the hardware, system software and application software of computer A, obtaining measurement values A1', A4' and A5', and stores these current measurement values in the PCR inside the TCM. The respective reference values of the hardware, system software and application software of computer A stored in the NV inside the TCM are read, namely reference values A1, A4 and A5, and the corresponding current measurement values stored in the PCR inside the TCM are read, namely measurement values A1', A4' and A5'.
Then it is compared whether the current measurement values of the hardware, system software and application software of computer A are all identical to the reference values, i.e. whether A1=A1', A4=A4' and A5=A5' hold simultaneously. If so, the system environment of computer A is sound, the trusted-computing-based self-check of the operating system of computer A is complete, and the user's login request is allowed; otherwise, the system of computer A has been attacked or damaged, and the user's login request is refused. After comparison, the current measurement values of the hardware, system software and application software of computer A are found to be identical to the reference values, and the self-check of computer A is complete.
This trusted-computing-based computer self-check, by first checking whether the computer system has been attacked or damaged before the user logs in, ensures the security and trustworthiness of the computer system.
After the self-check of computer A is complete, USBKey X is connected to computer A over USB. When computer A receives the login request from USBKey X, it reads the current measurement values of the hardware, system software and application software of computer A stored in the PCR inside the TCM, and reads the corresponding reference values stored in USBKey X. If the corresponding reference values stored in USBKey X cannot be obtained, then USBKey X was not bound with computer A before this login and is not trustworthy to computer A, or USBKey X may have been damaged; therefore the binding relationship between computer A and USBKey X does not hold, and the login request of user B is refused.
Similarly, if USBKey X was not bound with computer A before this login, then, provided USBKey X is not damaged, the same operation as performed above for USBKey I can be carried out at this login to establish a binding relationship between computer A and USBKey X, making USBKey X trustworthy to computer A, after which trusted authentication of the user identity can proceed on computer A with USBKey X. Provided the USBKey is not damaged and the computer system has not been attacked, this implementation allows a USBKey to establish a binding relationship with any computer, so that the user can perform secure and trusted authentication of user identity on any computer with the USBKey.
Because the same computer can perform trusted authentication on different USBKeys, and the same USBKey can perform secure and trusted login on different computers, the convenience and practicality of trusted login of user information are effectively improved.
Step 204: compare, one by one, the measurement value of each component with the reference value stored in USBKey X; when the comparison result is that the measurement value of every component is identical to the corresponding reference value stored in USBKey X, perform step 205; otherwise, perform step 207.
At this point computer A has obtained the current measurement values of its hardware, system software and application software stored in the PCR inside the TCM, namely measurement values A1', A4' and A5', and has also obtained the corresponding reference values stored in USBKey X, namely reference values A1, A4 and A5. It then compares one by one whether the current measurement values of the hardware, system software and application software are all identical to the corresponding reference values. If so, i.e. when A1=A1', A4=A4' and A5=A5', the subsequent identity information authentication of USBKey X is performed; otherwise, step 207 is performed: the binding relationship between computer A and USBKey X does not hold, and the login request of USBKey X is refused. After comparison, the current measurement values stored in the PCR inside the TCM of computer A are found to be identical to the corresponding reference values stored in the USBKey X held by user B, i.e. A1=A1', A4=A4' and A5=A5'.
Step 205: authenticate the identity information of USBKey X; if the authentication passes, perform step 206; otherwise, the authentication fails, perform step 207.
In this embodiment, the identity information of USBKey X can be authenticated by encrypting and decrypting a random number. The process can comprise: generating a random number Y; reading the private key X of USBKey X and encrypting the random number Y with it, obtaining the encrypted number Y'; reading the public key X corresponding to the identifier X of USBKey X from the NV inside the TCM, and decrypting the encrypted number Y' with public key X, obtaining a random number Y''; judging whether random number Y equals random number Y''; if so, the identity information authentication of USBKey X passes; otherwise, it does not pass and the login request of USBKey X is refused. After judgement, Y = Y'', and the identity information authentication of USBKey X passes.
The random number Y can be a given random value, or it can be generated by the BIOS calling the random number algorithm inside the TCM.
Step 206: authenticate the login information of USBKey X; if the authentication passes, log in to the system; otherwise, the authentication fails, perform step 207.
In addition, if the login information authentication of USBKey X does not pass, besides refusing the login request of USBKey X, the user can also be prompted to re-enter the login password and authenticate again.
In this embodiment, after the identity information authentication of USBKey X passes, the user login dialog box of software system C can be displayed to obtain the login password M' entered by the user, and the user login code M pre-stored in the NV inside the TCM is read to judge whether M and M' are equal. If M = M', the login password M' entered by the user is correct, and software system C allows user B to log in; if M ≠ M', the login password entered by the user is wrong, and the login request of USBKey X is refused or the user re-enters the login password. After judgement, the login password entered by user B equals the user login code pre-stored in the NV inside the TCM, i.e. M = M'; the identity of user B is trustworthy, and software system C is opened successfully.
Step 207: refuse the login request of USBKey X.
In this embodiment, whenever any of the following situations occurs, the login request of USBKey X is refused: the binding relationship between computer A and USBKey X does not hold, the identity information authentication of USBKey X does not pass, or the login information authentication of USBKey X does not pass.
Through the binding of information between the computer system and the USBKey and trusted authentication, this embodiment requires, in addition to determining the correctness of the user login code, trusted authentication of the identity information of the user's USBKey. Thus, even when the user's login information has been leaked through an attack by a hacker or malware, the information security of the user is still effectively protected to a certain extent.
This embodiment first ensures the security and trustworthiness of the computer system itself through the computer system self-check, creating a secure and reliable login environment for the user. Through the binding relationship between the TCM inside the computer and the USBKey, it achieves integrity of the trust-chain transfer between the computer and the user's USBKey, while authenticating the identity information of the user's USBKey and thereby further verifying that the user's USBKey is secure and trustworthy. Finally, by judging the correctness of the user login code, it achieves secure and trusted user login.
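The three-stage decision of steps 203 to 207, together with the boot self-check and the binding of step 202, as an added Python example that is not code from the patent. It assumes sha256 in place of the TCM hash algorithm and a constructed textbook-RSA key pair in place of the USBKey key pair, and it has the USBKey perform the private-key operation internally instead of exporting the private key to the computer; every component content, identifier and login code is constructed.

```python
"""Simulation of the login decision in steps 201-207 (added example, not code
from the patent). sha256 stands in for the TCM hash algorithm and a constructed
textbook-RSA key pair stands in for the USBKey key pair; component contents,
identifiers and passwords are all constructed."""
import hashlib
import hmac
import os

def measure_all(components):
    """Steps 201/203: hash each component in turn; maps component name -> metric."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in components.items()}

def make_toy_keypair():
    """Constructed 188-bit textbook RSA from two Mersenne primes (far too small for
    real use; chosen only so the example runs without a crypto library)."""
    p, q, e = 2**127 - 1, 2**61 - 1, 65537
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

class TCM:
    """NV keeps reference values, public keys and the login code across reboots;
    the PCR holds the measurements of the current boot."""
    def __init__(self):
        self.nv = {"reference": None, "keys": {}, "login_code": None}
        self.pcr = None

class USBKey:
    """The private-key operation runs inside the token; the key never leaves it."""
    def __init__(self, key_id, n, e, d):
        self.key_id, self.n, self.e, self._d = key_id, n, e, d
        self.reference = None            # reference values copied in at binding time

    def encrypt_with_private_key(self, y):
        return pow(y, self._d, self.n)

def enroll_computer(tcm, components, login_code):
    """Step 201 (plus login-code storage): reference values and login code into NV."""
    tcm.nv["reference"] = measure_all(components)
    tcm.nv["login_code"] = login_code

def bind(tcm, key):
    """Step 202: identifier and public key into TCM NV; NV reference values into the key."""
    tcm.nv["keys"][key.key_id] = (key.n, key.e)
    key.reference = dict(tcm.nv["reference"])

def self_check(tcm, components):
    """Boot-time self-check: current PCR measurements must equal the NV reference values."""
    tcm.pcr = measure_all(components)
    return tcm.pcr == tcm.nv["reference"]

def binding_check(tcm, key):
    """Step 204 (first authentication): every PCR measurement must equal the
    reference value in the USBKey; an unbound key has none, so it fails."""
    return key.reference is not None and key.reference == tcm.pcr

def identity_check(tcm, key):
    """Step 205 (second authentication): Y encrypted by the USBKey private key must
    decrypt, under the public key held in TCM NV for that identifier, back to Y."""
    if key.key_id not in tcm.nv["keys"]:
        return False
    n, e = tcm.nv["keys"][key.key_id]
    y = int.from_bytes(os.urandom(16), "big")    # random number Y (128 bits, below n)
    y_enc = key.encrypt_with_private_key(y)      # Y'
    y2 = pow(y_enc, e, n)                        # Y''
    return y == y2

def password_check(tcm, entered):
    """Step 206: entered password M' against the login code M in NV, constant time."""
    return hmac.compare_digest(tcm.nv["login_code"].encode(), entered.encode())

def login(tcm, key, components, entered_password):
    """Steps 203-207: returns the decision and, if refused, the stage that refused."""
    tcm.pcr = measure_all(components)            # current metrics into the PCR
    if not binding_check(tcm, key):
        return "REFUSED_BINDING"
    if not identity_check(tcm, key):
        return "REFUSED_IDENTITY"
    if not password_check(tcm, entered_password):
        return "REFUSED_PASSWORD"
    return "ALLOWED"

def demo():
    """Constructed walk-through: computer A, bound USBKey I, and several failure cases."""
    components_a = {"hardware": b"board rev 1", "firmware": b"bios 1.0",
                    "driver": b"usb.drv", "system": b"os image", "app": b"system C"}
    tcm = TCM()
    enroll_computer(tcm, components_a, "login-code-I")
    n, e, d = make_toy_keypair()
    key_i = USBKey("I", n, e, d)
    bind(tcm, key_i)
    results = {"self_check": self_check(tcm, components_a)}
    results["bound_key"] = login(tcm, key_i, components_a, "login-code-I")
    results["unbound_key"] = login(tcm, USBKey("X", n, e, d), components_a, "login-code-I")
    tampered = dict(components_a, app=b"system C with implant")
    results["tampered_app"] = login(tcm, key_i, tampered, "login-code-I")
    forged = USBKey("I", n, e, d + 1)            # right identifier, wrong private key
    forged.reference = key_i.reference
    results["forged_key"] = login(tcm, forged, components_a, "login-code-I")
    results["wrong_password"] = login(tcm, key_i, components_a, "guess")
    return results
```

Calling `demo()` returns one decision per case, so the stage that refused (binding, identity or password) is visible for each of the failure cases the embodiment lists under step 207.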
As shown in Figure 3, an embodiment of the invention provides an identity authentication device based on trusted computing, comprising:
A binding unit 301, for binding the TCM in the computer system with a USBKey;
A first sending unit 302, for storing the reference values of all components in the computer system in the USBKey bound with the TCM;
An acquiring unit 303, for, when a login request from a target USBKey is received, obtaining the measurement values of all components in the current computer system stored in the PCR inside the TCM, and obtaining the reference values of all components stored in the target USBKey;
A processing unit 304, for comparing, one by one, the measurement value of each component with the reference value stored in the target USBKey, and, when the comparison result is that the measurement value of every component is identical to the corresponding reference value stored in the target USBKey, notifying the authentication unit 305, otherwise refusing the login request of the target USBKey;
An authentication unit 305, for authenticating the identity information of the target USBKey;
A response unit 306, for responding to the login request of the target USBKey according to the authentication result of the authentication unit 305.
In a possible implementation, referring to Fig. 4, the first sending unit 302 comprises:
A computation sub-unit 3021, for calculating the reference values of all components in the computer system;
A first sending sub-unit 3022, for storing the calculated reference values of all components in the computer system in the non-volatile memory inside the TCM;
A second sending sub-unit 3023, for reading the reference values from the non-volatile memory inside the TCM and storing them in the USBKey bound with the TCM.
In a possible implementation, referring to Fig. 4, the binding unit 301 is for storing the identifier of the USBKey and the USBKey public key corresponding to that identifier in the non-volatile memory inside the TCM of the computer system;
The authentication unit 305 comprises:
A random number generating sub-unit 3051, for generating a first random number;
An encryption sub-unit 3052, for reading the USBKey private key of the target USBKey and encrypting the first random number with it;
A decryption sub-unit 3053, for reading, according to the identifier of the target USBKey, the USBKey public key corresponding to that identifier from the non-volatile memory inside the TCM, and decrypting the encrypted first random number with the public key read, obtaining a second random number;
A judgment sub-unit 3054, for judging whether the first random number equals the second random number; if so, the identity information authentication of the target USBKey passes, otherwise it does not pass.
In one possible implementation, the device further comprises:
Second transmitting unit 307, for storing the user login password in the nonvolatile memory inside the TCM;
The response unit 306 is for, when the authentication result indicates that the identity information authentication of the target USBKey has passed, obtaining the login password entered by the user and verifying it against the user login password prestored in the nonvolatile memory inside the TCM; if the verification passes, it allows the login request of the target USBKey, otherwise it refuses it. When the authentication result indicates that the identity information authentication of the target USBKey has failed, it refuses the login request of the target USBKey.
In one possible implementation, the components of the computer system comprise any one or more of hardware, firmware, hardware drivers, system software and application software.
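The two-stage login performed by units 304 to 306 and subunits 3051 to 3054, as an added example that is not part of the patent: small-prime textbook RSA stands in for the USBKey key pair (insecure, used only so the block runs offline), the TCM store holds a hash of the login password rather than the password itself (an assumption), and the component names, measurements and USBKey identifiers are constructed.

```python
"""Added example, not the patent's code: the two-stage USBKey login described above,
with small-prime textbook RSA standing in for the USBKey key pair (insecure, offline only)."""
import hashlib, hmac, secrets
from dataclasses import dataclass
P, Q, E = 1000003, 1000033, 65537        # constructed toy RSA parameters
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

@dataclass
class TCM:
    pcr: dict          # component -> current measurement (PCR contents)
    nv_pubkeys: dict   # bound USBKey id -> (e, n), in non-volatile memory
    nv_pw_hash: bytes  # hash of the login password (assumption: hash, not plaintext)

@dataclass
class USBKey:
    key_id: str
    reference: dict    # component -> reference value written at binding
    priv: tuple        # (d, n); never leaves the token
    def encrypt(self, r: int) -> int:   # private-key operation on the challenge
        return pow(r, *self.priv)

def integrity_check(tcm: TCM, key: USBKey) -> bool:  # first authentication
    # every measured component must equal its reference value, and no component is skipped
    return set(tcm.pcr) == set(key.reference) and all(
        tcm.pcr[c] == v for c, v in key.reference.items())

def identity_check(tcm: TCM, key: USBKey) -> bool:
    """Second authentication: challenge-response with the key pair bound in the TCM."""
    pub = tcm.nv_pubkeys.get(key.key_id)
    if pub is None:
        return False                    # this USBKey was never bound to this TCM
    e, n = pub
    r1 = secrets.randbelow(n)           # first random number
    r2 = pow(key.encrypt(r1), e, n)     # second random number
    return r1 == r2

def login(tcm: TCM, key: USBKey, password: str) -> str:
    if not integrity_check(tcm, key):
        return "refused: component integrity"
    if not identity_check(tcm, key):
        return "refused: USBKey identity"
    digest = hashlib.sha256(password.encode()).digest()
    if not hmac.compare_digest(digest, tcm.nv_pw_hash):
        return "refused: login password"
    return "allowed"

def demo():  # constructed scenario: one bound and one unbound USBKey on one system
    parts = {"firmware": b"fw-1.0", "driver": b"drv-2.3", "os": b"os-5.1"}
    pcr = {c: hashlib.sha256(b).hexdigest() for c, b in parts.items()}  # measured
    tcm = TCM(pcr, {"key-01": (E, N)}, hashlib.sha256(b"correct horse").digest())
    return tcm, USBKey("key-01", dict(pcr), (D, N)), USBKey("key-99", dict(pcr), (D, N))
```

Changing any byte of a component before measurement, or presenting a USBKey whose identifier was never bound, is refused before the password is ever consulted.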
The information exchange and implementation details between the units of the above device are based on the same concept as the method embodiments of the invention; for the specifics, refer to the description in the method embodiments, which is not repeated here.
In summary, the embodiments of the invention provide an identity authentication method and device based on trusted computing, which can have the following beneficial effects:
1. The invention provides an identity authentication method and device based on trusted computing. The TCM in the computer system and the USBKey are bound in advance, and the reference values of the components of the computer system are stored in the USBKey bound to the internal TCM. When a login request from a target USBKey is received, it must be determined whether this target USBKey is bound to the TCM of this computer system: the metric of each component is compared one by one with the reference value stored in the target USBKey, which constitutes the first authentication of the target USBKey. The first authentication passes only if the comparison shows that the metric of every component equals the corresponding reference value stored in the target USBKey. Then the identity information of the target USBKey is authenticated and the login request is answered according to that authentication result, which constitutes the second authentication of the target USBKey. Through this double authentication of the target USBKey, the security and trustworthiness of the data in the computer system can be ensured.
2. The embodiments of the invention provide an identity authentication method and device based on trusted computing in which the computer performs a self-check based on trusted computing, verifying through the computer self-test program whether the current computer system has been attacked or damaged, so that the security and trustworthiness of the computer system can be ensured before the user logs in.
3. The embodiments of the invention provide an identity authentication method and device based on trusted computing in which the same computer can perform trusted authentication of different USBKeys, and the same USBKey can perform a secure and trusted login on different computers, so the convenience and practicality of the trusted login of user information are effectively improved.
4. The embodiments of the invention provide an identity authentication method and device based on trusted computing in which, through the information binding and trust verification between the computer system and the USBKey, trusted authentication of the identity information of the user's USBKey is required in addition to determining the correctness of the user login password, so that when the user's login information is attacked by hackers or malware and leaked, the user's information security is still effectively protected to a certain extent.
5. The embodiments of the invention provide an identity authentication method and device based on trusted computing in which, first, the self-check of the computer system effectively ensures the security and trustworthiness of the computer system itself and creates a secure and reliable login environment for the user; then, through the binding relationship between the TCM inside the computer and the USBKey, the integrity of the chain of trust is carried from the computer to the user's USBKey; at the same time, the identity information of the user's USBKey is authenticated, further verifying the security and trustworthiness of the user's USBKey; and finally, the correctness of the user login password is judged, so that a secure and trusted user login is ultimately achieved.
Finally, it should be noted that the foregoing is only a preferred embodiment of the invention, intended solely to illustrate the technical solution of the invention and not to limit its scope of protection. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall be included in the scope of protection of the invention.