CN1755572A - Computer security startup method - Google Patents

Publication number
CN1755572A
Authority
CN (China)
Prior art keywords
computer, hardware, TPM, key, computing machine
Legal status
Granted
Application number
CN 200410081163
Other languages
Chinese (zh)
Other versions
CN1331015C (en)
Inventor
代华锋
Current Assignee
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Application filed by Lenovo Beijing Ltd
Priority to CNB2004100811633A
Publication of CN1755572A
Application granted
Publication of CN1331015C
Current legal status
Expired - Fee Related

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a method for securely starting a computer. The TPM chip stores the encrypted message of a registered hardware start key, and the hardware start key stores key information that matches that encrypted message. At startup the TPM chip verifies the integrity of the computer system's hardware; if verification fails, the computer is shut down. Otherwise, the method checks whether a hardware start key is connected to the computer's communication interface; if not, the computer is shut down. Otherwise, the TPM chip and/or the hardware start key authenticate the user's identity; if authentication passes, the computer's operating system is started, and otherwise the computer is shut down.

Description

Method for securely starting a computer
Technical field
The present invention relates to a method for securely starting a computer, and in particular to a method that gives a trusted computer based on a TPM chip an identity authentication mode using a hardware start key, so as to guarantee both the security of the machine itself and the security of the computer user's identity. It belongs to the field of computer information security technology.
Background technology
A trusted computer (Trusted Computer) is a computer system that depends on a trusted platform module (Trusted Platform Module, abbreviated TPM) chip. Its principal feature is a TPM chip embedded inside the computer. This TPM chip has a central processing unit capable of intelligent computation (the TPM-CPU, abbreviated T-CPU, that is, the CPU integrated in the TPM chip) and a storage unit (the TPM-memory, abbreviated T-memory, that is, the memory integrated in the TPM chip), and can carry out cryptographic operations independently. Its working principle is as follows: in a computer fitted with this chip, at power-on and as configured through the Basic Input Output System (BIOS), the TPM chip collects information about the main components of the computer (including the CPU, chipset, embedded chip EC, display chip, network chip, memory, etc.); the T-CPU then encrypts this information and stores the encrypted information in the T-memory. The contents of the T-memory cannot be read or deciphered directly by a person; the stored information can be read and analysed only through a decryption operation by the T-CPU, and the T-CPU's processing is itself protected by randomized encryption. The TPM chip holding the computer's information is therefore very secure. If the user loses the TPM password, or some important component of the computer is replaced, the TPM chip will not operate normally and neither will the computer as a whole, which achieves the purpose of protecting the computer itself.
For users with security requirements, a computer with a TPM chip achieves the goal of protecting the computer system well: even if some files or data are lost, or the hard disk is lost, as long as the TPM password is not lost there is no need to worry that files encrypted with the TPM password will be disclosed to others.
As the above introduction shows, TPM technology is a technology for securing and encrypting the computer itself, and a computer protected by it is called a trusted computer. But this seemingly very safe protection has one prominent weakness: the TPM chip can verify only the computer itself and cannot authenticate the person using the computer.
Password protection is a form of authenticating the person using the computer, but authentication by password alone is also extremely insecure. In theory any password can be cracked, especially one the user uses often: a complicated password is troublesome and hard to remember, while one that is too simple is easily cracked. For modern users, authenticating with a password alone is not a good measure.
A portable computer (notebook computer) is small and easy to carry, and it differs from a desktop computer in that the whole machine is easily stolen. If the portable computer is a trusted computer with a TPM chip and the whole machine is stolen, then, although it contains a TPM chip, a thief who knows the TPM password or cracks it with existing software can use the computer unhindered and obtain a large amount of confidential information. This is unacceptable for any user with security requirements.
At present many organizations connect to their internal networks by remote login (Telnet), which requires that the user's identity be secure. The login mode in general use today, however, is "user name + password". If the user name and password are stolen by an unauthorized user who has also stolen the trusted computer described above, that user can log in remotely to the relevant internal sites without any obstacle, and the harm and consequences will be very serious.
Summary of the invention
The purpose of the present invention is to provide a method for securely starting a computer that combines TPM verification with user identity authentication, so as to guarantee the security of the computer's information and the legitimacy of the user's identity in remote login (Telnet), and thereby guarantee network security.
The present invention achieves the above purpose through the following technical solution:
A method for securely starting a computer, in which the TPM chip of a computer having a TPM chip stores the encrypted message of a registered hardware start key, and the hardware start key stores key information that matches the encrypted message stored in the TPM chip. The hardware start key contains at least a CPU, a communication control chip and a memory for storing the key information. When the computer starts, the TPM chip verifies the hardware integrity of the computer system against the computer hardware information stored inside it; if verification fails, the computer is shut down. If verification passes, the method detects whether a hardware start key is connected to the computer's communication interface; if none is connected, the computer is shut down. If a hardware start key is connected to the computer, the TPM chip and/or the hardware start key perform user identity verification; if verification passes, the computer's operating system is started, and otherwise the computer is shut down.
By combining TPM technology with identity authentication, the present invention realizes a "local machine security + identity security" model and guarantees that the user's legitimate identity and the computer's legitimate identity are unified. For use within an organization, this meets the organization's requirement for trustworthiness: identity authentication guarantees that the person using the computer is its legitimate user. This not only secures the information on a stand-alone computer but also, when that computer is connected to a network, secures the network even in the case of remote login (Telnet).
The present invention combines identification by a hardware start key with a trusted computer system based on TPM technology. The hardware start key identifies the TPM's information and the TPM identifies the hardware start key's information, which establishes mutual trust between user and computer and matches the legitimate user to the legitimate computer. This guarantees the security of the computer's information and of the identity used in remote login (Telnet), and is of particular significance for individuals with security requirements and for systems open to remote login, online transactions and online banking systems.
Description of drawings
Fig. 1 is a schematic diagram of hardware start key registration according to the present invention;
Fig. 2 is a flow chart of the hardware start key registration process according to the present invention;
Fig. 3 is a schematic diagram of the power-on verification processing according to the present invention;
Fig. 4 is a flow chart of power-on verification according to the present invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and specific embodiments:
Table 1 shows the internal logical structure of the TPM chip. It comprises an arithmetic unit (CPU or controller) and a storage unit, used for cryptographic operations and for storing encrypted information. Based on the logical structure shown in Table 1, the TPM chip can not only check the integrity of the computer but also, by recording the information of the hardware start key matched to it, verify that hardware start key when the legitimate key is connected to the computer. This protects the computer's information and at the same time authenticates the computer's legitimate user.
Table 1: TPM (trusted computer chip)
Unit | Function | Contents
Storage unit | Password storage | Password; hardware ID number
Storage unit | Encrypted information | Encryption program segment; host hardware information; operating program; other encrypted information
Control unit | Intelligent control | T-CPU
Control unit | Communication | Control bus
Table 2 shows the internal logical structure of the hardware start key. It comprises an arithmetic unit (CPU or controller) and a storage unit, used for cryptographic operations and for storing encrypted information. Based on the logical structure shown in Table 2, when the hardware start key is connected to a communication interface of the computer, for example USB (Universal Serial Bus), the integrity of the computer can be checked and, because the information of the matching hardware start key is recorded, the legitimate hardware start key is verified when it is connected to the computer. This protects the computer's information and at the same time authenticates the computer's legitimate user.
Table 2: Hardware start key
Unit | Function | Contents
Memory | Password storage | Key; serial number
Memory | Encrypted information | Encryption program segment; host registration information; operating program; other encrypted information
Control chip | Intelligent control chip | CPU
Control chip | Communication control chip | USB control chip
Information reading device | Biometric information recognition device | Fingerprint, pupil
Information reading device | Digital information reading device | Radio frequency, IC card, etc.
An ordinary computer starts as follows: after power-on, the BIOS starts and checks the computer, and then boots the operating system.
Referring to Figs. 1 and 2, a trusted computer fitted with a TPM chip starts as follows:
After power-on, the BIOS starts and checks the computer, and the TPM chip checks the computer's integrity. If the check passes, the operating system is booted; otherwise, the computer is shut down. In this way the TPM verifies the integrity and legitimacy of the computer system at power-on and thereby guarantees the security of the machine itself.
To add identity authentication on top of the trusted computer, the hardware start key must first be registered. Then, in normal use, the TPM chip actively identifies the information of the registered hardware start key and decides whether to start the operating system. The registration process is as follows: after a normal power-on the computer enters the operating system and the registration software is run; with the hardware start key inserted in the computer, the registration software in the operating system sends the encrypted message, once it has been encrypted, to the hardware start key, which completes the registration process.
Referring to Figs. 3 and 4, in use after registration the sequence is as follows. After power-on, the BIOS first starts the TPM chip. After the TPM chip has verified the integrity of the computer system, it verifies the legitimacy of the hardware start key. If a legitimate hardware start key is connected to the computer, then once verification passes the user is allowed to enter the operating system. If a hardware start key is connected to the computer but the key information in it does not match the encrypted message stored in the TPM, the computer is shut down, which protects the computer's information. Because the computer is shut down as soon as it fails verification in the above process, it cannot go on to connect to the network, so illegitimate remote login (Telnet) is also prevented and the security of the network is guaranteed.
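The registration and power-on checks described above, modelled in Python as an added example that is not part of the patent text. Assumptions: HMAC-SHA256 under a chip-internal secret stands in for the TPM's own cryptographic algorithm, the matching operation is a constant-time comparison performed in both directions, the encryption applied before the key information is handed to the TPM is left out, and all class, function and sample names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def measure(components: dict) -> bytes:
    """Digest over the host's main components (CPU, chipset, EC, ...)."""
    digest = hashlib.sha256()
    for name in sorted(components):
        digest.update(f"{name}={components[name]}\n".encode())
    return digest.digest()


@dataclass
class HardwareStartKey:
    key_info: bytes                    # key information held in the token
    encrypted_message: bytes = b""     # empty until registration writes it back

    def verifies(self, tpm: "Tpm") -> bool:
        """Token side: compare the stored value with the one held by the TPM."""
        mine, theirs = self.encrypted_message, tpm.encrypted_message
        return bool(mine and theirs) and hmac.compare_digest(mine, theirs)


@dataclass
class Tpm:
    hardware_reference: bytes          # host hardware information kept in T-memory
    secret: bytes = field(default_factory=lambda: os.urandom(32), repr=False)
    encrypted_message: bytes = b""     # empty until a key is registered

    def _transform(self, key_info: bytes) -> bytes:
        # Assumption: HMAC-SHA256 stands in for the TPM's own algorithm.
        return hmac.new(self.secret, key_info, hashlib.sha256).digest()

    def register(self, key: HardwareStartKey) -> None:
        """Registration: derive the encrypted message and store both copies."""
        self.encrypted_message = self._transform(key.key_info)
        key.encrypted_message = self.encrypted_message

    def hardware_intact(self, components: dict) -> bool:
        return hmac.compare_digest(measure(components), self.hardware_reference)

    def verifies(self, key: HardwareStartKey) -> bool:
        """TPM side: re-derive from the token's key information and compare."""
        if not self.encrypted_message:
            return False
        return hmac.compare_digest(self._transform(key.key_info),
                                   self.encrypted_message)


def boot(tpm, components, key) -> str:
    """Power-on sequence; every failed check ends in shutdown."""
    if not tpm.hardware_intact(components):
        return "shutdown: hardware integrity check failed"
    if key is None:
        return "shutdown: no hardware start key connected"
    if not (tpm.verifies(key) and key.verifies(tpm)):
        return "shutdown: hardware start key does not match"
    return "start operating system"


# Constructed sample data: component names and key bytes are illustrative.
HOST = {"cpu": "cpu-A", "chipset": "chipset-B", "ec": "ec-C", "nic": "nic-D"}


def demo() -> dict:
    tpm = Tpm(hardware_reference=measure(HOST))
    owner_key = HardwareStartKey(key_info=b"constructed-owner-key")
    tpm.register(owner_key)
    foreign_key = HardwareStartKey(key_info=b"constructed-foreign-key")
    Tpm(hardware_reference=measure(HOST)).register(foreign_key)  # other machine
    return {
        "owner": boot(tpm, HOST, owner_key),
        "replaced_part": boot(tpm, dict(HOST, nic="nic-X"), owner_key),
        "no_key": boot(tpm, HOST, None),
        "foreign_key": boot(tpm, HOST, foreign_key),
    }
```

Calling `demo()` returns the outcome for the four cases: the registered key on the unmodified host, a replaced component, no key connected, and a key registered on a different machine.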
Finally, it should be noted that the above embodiments only illustrate the present invention and do not limit the technical solutions it describes. Therefore, although this specification has described the present invention in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the present invention may still be modified or replaced by equivalents; all technical solutions and improvements that do not depart from the spirit and scope of the present invention shall be covered by the scope of its claims.

Claims (4)

1. A method for securely starting a computer, characterized in that: the TPM chip of a computer having a TPM chip stores the encrypted message of a registered hardware start key, and the hardware start key stores key information that matches the encrypted message stored in the TPM chip; the hardware start key contains at least a CPU, a communication control chip and a memory for storing the key information; and the computer starts according to the following steps:
Step 1: the TPM chip verifies the hardware integrity of the computer system against the computer hardware information stored inside it; if verification fails, the computer is shut down;
Step 2: if verification passes, it is detected whether a hardware start key is connected to the communication interface of the computer; if none is connected, the computer is shut down;
Step 3: if a hardware start key is connected to the computer, the TPM chip and/or the hardware start key perform user identity verification; if verification passes, the computer's operating system is started, and otherwise the computer is shut down.
2. The method for securely starting a computer according to claim 1, characterized in that the steps by which the TPM chip performs user identity verification are:
Step 301: the TPM chip reads the key information in the hardware start key through the communication interface of the computer and performs a matching operation against the encrypted message stored in the TPM chip;
Step 302: if the key information and the encrypted message match, verification passes; otherwise, verification fails.
3. The method for securely starting a computer according to claim 1, characterized in that the steps by which the TPM chip performs user identity verification are:
Step 311: the hardware start key accesses the TPM chip through the communication interface of the computer, reads from it the encrypted message stored in the TPM chip, and performs a matching operation against the key information stored in the hardware start key;
Step 312: if the encrypted message and the key information match, verification passes; otherwise, verification fails.
4. The method for securely starting a computer according to claim 1, 2 or 3, characterized in that the steps of registering the hardware start key in the TPM comprise:
Step A: the computer is powered on and enters the operating system, and the registration software in the operating system is run;
Step B: the registration software reads the key information stored in the hardware start key that is connected to the computer through the communication interface;
Step C: the key information is encrypted and then passed to the TPM chip;
Step D: the TPM receives the encrypted key information, processes it again with the TPM's own cryptographic algorithm to generate the encrypted message, stores the encrypted message in the memory of the TPM, and sends it to the registration software in the operating system;
Step E: the registration software sends the encrypted message to the hardware start key, where it is stored in the storage area of the hardware start key.
CNB2004100811633A 2004-09-30 2004-09-30 Computer security startup method Expired - Fee Related CN1331015C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100811633A CN1331015C (en) 2004-09-30 2004-09-30 Computer security startup method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2004100811633A CN1331015C (en) 2004-09-30 2004-09-30 Computer security startup method

Publications (2)

Publication Number Publication Date
CN1755572A true CN1755572A (en) 2006-04-05
CN1331015C CN1331015C (en) 2007-08-08

Family

ID=36688876

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100811633A Expired - Fee Related CN1331015C (en) 2004-09-30 2004-09-30 Computer security startup method

Country Status (1)

Country Link
CN (1) CN1331015C (en)

Also Published As

Publication number Publication date
CN1331015C (en) 2007-08-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20070808

Termination date: 20200930