CN100383695C - Safety turn-on method in visual range - Google Patents
Safety turn-on method in visual range Download PDFInfo
- Publication number
- CN100383695C CN100383695C CNB2005100702448A CN200510070244A CN100383695C CN 100383695 C CN100383695 C CN 100383695C CN B2005100702448 A CNB2005100702448 A CN B2005100702448A CN 200510070244 A CN200510070244 A CN 200510070244A CN 100383695 C CN100383695 C CN 100383695C
- Authority
- CN
- China
- Prior art keywords
- control equipment
- controlled device
- wireless device
- key
- safety opening
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Abstract
The present invention discloses a safety turn-on method in a system which comprises a central control device, at least one wireless device and at least one controlled device. A user can safely turn on the machine within the visual range. The central control device can store an identifier of the radio device. The safety turn-on method comprises the following steps that firstly, the controlled device is started and is connected with the central control device; secondly, the controlled device can send an authentication request to the central control device by the connection, and the central control device can respond the authentication request, so that the central control device and the controlled device can mutually carry out the authentication; thirdly, the central control device can search and store the radio device corresponding to the identifier of the radio device by the short-distance radio communication; finally, if the radio device is searched, the central control device can send a signal allowing subsequent operation to the controlled device, and otherwise, the device is automatically stopped. The method can ensure that personnel relevant to the host machine can monitor the starting of the machine in the visual range of the machine, and simultaneously, the operation complexity of the turn-on process can not be enhanced.
Description
Technical field
The present invention relates to the safety technique of computing machine, be specifically related to a kind of customized computer start-up course and strategy of passing through, human eye can observe the method for carrying out safety opening terminal in the scope in working environment.
Background technology
Expansion firmware interface (EFI) is the firewire standard that extensively adopts in next generation PC, notebook, server and the various handheld device.It has structuring, standardization and is easy to performances such as maintenance, and can replace traditional Basic Input or Output System (BIOS) (BIOS) in future, becomes the main firmware of computer system.The outstanding feature of EFI be can customized computer start-up course, and possess the comparison powerful network function.
In addition,, especially be furnished with the popularizing of portable terminal of short-distance wireless functions such as bluetooth, become the indispensable with oneself personality kit of people as the mobile communication terminal of mobile phone and so on along with popularizing of the mobile communication terminal such as mobile phone.The mobile phone of the instrument of carrying as the individual can be used to provide individual's position.
The present invention is the basis in conjunction with the low coverage wireless technology of this firmware techniques of EFI and mobile communication terminal, realizes the safety opening terminal of computing machine in visual range, guarantees that start process is under the legal supervision.
The safety of start has a lot of behaves, and traditional technology has CMOS cryptoguard and operating system cryptoguard.But these safeguard measures are all leaky, think that the people of invasive system still has method can enter system.Such as, with the discharge of the CMOS on the computer motherboard, perhaps guide other operating system etc.Nearest power-on protection technology is mainly protected hard disk, increases the hard disk startup cryptographic function in firmware (firmware) lining of hard disk, and this function can be protected hard disc data effectively, even if make hard disk stolen, and can obliterated data yet.But the problem of this power-on protection technology maximum is after the user forgets Password, and hard disc data will be difficult to obtain again.Therefore, this power-on protection mode has bigger risk equally.
In the notebook as system manufacturer such as associations, extensively adopt the iKey technology, but, this power-on protection also is confined on the operating system, can't really protect host computer system not invaded.
Above-mentioned power-on protection pattern basically based on cryptoguard, mainly contains three problems:
1, the complicated operation degree increases, and the user must remember and the normal running of key feeding cipher ability;
In case 2 password loss then can bring very large trouble to the user, are irreversible loss sometimes;
3, only recognize password and do not recognize people, in logic, the people is not the dominant force of computing machine.
In fact; when safest start measure is start; the related personnel should be arranged in the visual range of computing machine; this start mode all leaks that technical solution brought to a great extent; guarantee in the visual range of machine, to monitor machine startup artificially with main frame related personnel (owner of main frame or assets manager); do not improve simultaneously the complicated operation degree of start process again, become power-on protection pattern around the people.
Summary of the invention
The present invention guarantees to have in the system boot process validated user can monitor whole start process by the wireless technology means, to guarantee the legal use of main frame.By the mode that validated user monitors in visual range, promote the degree of reliability of cryptoguard, perhaps replace the mode of password start with such Host Protection method.
In one aspect of the invention, provide a kind of in comprising the initial setting up method in the system of control equipment, at least one wireless device and at least one controlled device, comprise step: start described controlled device, enter Basic Input or Output System (BIOS); Described controlled device and described in connect between the control equipment; Described controlled device sends assets registration request by described connection control equipment in described; The described assets registration of control device responds request produces the controlled device key in described, and sends it to described controlled device; Described controlled device is kept at described controlled device key in the private memory; And control equipment and is stored in the identifier of same group wireless device in the storer by short-distance wireless telecommunication search wireless device in described.
In another aspect of this invention, provide a kind of in comprising the safety opening terminal method in the system of control equipment, at least one wireless device and at least one controlled device, the control device storage has the identifier of described wireless device in described, and described safety opening terminal method comprises step: start described controlled device; Described controlled device and described in connect between the control equipment; Described controlled device sends authentication request by described connection control equipment in described; Control described authentication request of device responds and described controlled device authenticate mutually in described; Control equipment is by the wireless device identifier pairing wireless device of short-distance wireless telecommunication search with storage in described; And if search described wireless device, described in control equipment send the signal that allows to carry out subsequent operation to described controlled device, otherwise, the controlled device auto stop.
In the present invention, because can guarantee in the process of start, validated user is arranged, thereby avoided the problem that can not normally enter system that password loss brought in visual scope.In addition, the present invention guarantees can use this main frame equally under the situation that mobile phone is lost or other can't closely be visited by the mode of centralized management and registration.
Description of drawings
Fig. 1 is that the system of the method for one embodiment of the invention uses scene, the radio coverage of control equipment during circle is wherein represented;
Fig. 2 shows the process of controlled device to middle control device registration;
Fig. 3 shows the process of wireless device to middle control device registration;
Fig. 4 is the process flow diagram according to the safety opening terminal method of the embodiment of the invention.
Embodiment
The contrast accompanying drawing is described the specific embodiment of the present invention in detail below.
Fig. 1 is that the system of the method for one embodiment of the invention uses scene, the radio coverage of control equipment during circle is wherein represented.As shown in Figure 1, a plurality of controlled devices 11 in the visual Administrative Area of human eye and 12 link together by network 40, form a group, control equipment in one (Standard PC, server or task equipment) 20 is set, should have short-distance wireless (as bluetooth) and network connection abilities such as (Ethernet or WiFi) by middle control equipment 20, and have certain information processing capability, in the following description, with the prototype of a Standard PC as control equipment 20 in being somebody's turn to do.In Fig. 1, controlled device 11 and 12, for example computing machine is connected with middle control equipment 20 by Local Area Network 40. Controlled device 11 and 12 firmware support expansion firmware interface standard.The lawful owner 30 of controlled device 12 carries a wireless device (not shown) with short-distance wireless communication ability.
Fig. 2 shows the process flow diagram according to the initial set-up procedure of the embodiment of the invention.For a controlled device such as computing machine, at first to it be set to mode of operation of the present invention.As shown in Figure 2, after starting controlled device, just enter the PEI process, just pre-EFI initialization procedure.Afterwards, the user for example makes flow process enter Basic Input or Output System (BIOS) (BIOS) by the keyboard operation of pressing DEL key and so on, is provided with.
Next, call network driver, with set up with middle control equipment between be connected.If can controlled device 11 and 12 and middle control equipment 20 between connect, whether control equipment 20 is subjected to the protection of Key in then also will further judging, whether is inserted with USB Key on the control equipment 20 in for example.If can not connect, perhaps in control equipment 20 be not subjected to the protection of Key, then think the registration failure of controlled device.If be inserted with USB Key on the control equipment 20 in this moment, just middle control equipment 20 is subjected to cryptographic key protection, and then controlled device 11 and 12 is by being connected to middle control equipment 20 transmission assets registration requests of setting up.Middle control equipment 20 is received after the assets registration request of controlled device 11 and 12, is produced the key at this control equipment 11 and 12, and key is sent back to controlled device 11 and 12 respectively.
Then, key that controlled device 11 and 12 is relatively received and the key of storing in advance, perhaps the user judges whether this key is legal, if it is illegal, then think registration failure, otherwise, the key of receiving is kept in the private memory such as OptionROM or HPA, enrollment process finishes.
In starting-up method of the present invention, need legal user to be within the visual range, therefore need in advance legal user to be authenticated, authentication in advance just belongs to the ID of same group wireless device, and Fig. 3 shows the process flow diagram that wireless device is authenticated.
As shown in Figure 3, in the beginning of verification process, whether control equipment 20 is subjected to the protection of Key in will judging equally, just judges in middle control equipment 20 whether be inserted with USB Key.If middle control equipment 20 is not subjected to cryptographic key protection, then withdraw from verification process.If middle control equipment 20 is protected by Key, then middle control equipment 20 has judged whether that then wireless device adds this group, if do not have then authentification failure by the wireless device within the short-distance wireless communication search effective range A (see figure 1).If have wireless device will add this group this moment, judge further that then whether this wireless device is fit to add this group, if think and be not suitable for, then withdraw from verification process.
If add the wireless device of this group is suitable, and then middle control equipment 20 is kept at the ID of this wireless device in the storer, finishes verification process.
Fig. 4 shows the process flow diagram of safety opening terminal method of the present invention.As shown in Figure 4, after restarting controlled device 11 and 12, enter the PEI process, just pre-EFI initialization procedure.
Then, be written into the network driver such as ICP/IP protocol, with set up with middle control equipment 20 between network be connected.If control equipment 20 in can't connecting, controlled device auto stop then, if control equipment 20 in being connected to, whether control equipment 20 protected by Key in also will further judging, whether is inserted with USB Key in the control equipment 20 in for example.
Whether if middle control equipment 20 is subjected to cryptographic key protection, then controlled device 11 and 12 just can send authentication request to middle control equipment 20, for example carries out each other authentication by authentication methods such as Kerboros, legal to confirm the other side.
After authentication, whether middle control equipment 20 is within the effective range by the pairing wireless device of wireless device ID of short-distance wireless telecommunication search with storage, just can find the ID of the wireless device of storage once more.
If there is a wireless device to be within the effective range in the same group of wireless device, then middle control equipment 20 sends confirmation signals to controlled device 11 and 12, can carry out follow-up operation, for example enters operating system.If control equipment 20 does not find relevant wireless device in this moment, then controlled device 11 and 12 auto stops or prompting user wait for the arrival of validated user.
In above-mentioned method, with one can be by KEY protection desktop device as in control equipment 20, such equipment possesses bluetooth or other short-distance wireless communication ability and Ethernet interface.But the applied environment of the present invention is not limited to above-mentioned system, also can use special middle control equipment as controlled device 11 such as PC and 12 annex, attach on controlled device, directly link to each other with controlled device by USB interface, and should will possess independently Bluetooth function or other short-distance wireless telecommunication function equally by middle control equipment.
Under with the situation of middle control equipment as the annex of controlled device, the connection of controlled device between middle control equipment is not that above-mentioned network connects, but directly connects.
In addition, in above-mentioned method, need legal user carry wireless device at any time,, and when laying oneself open to outside the effective range, just have the risk of dangerous start if validated user places wireless device within the effective range of control equipment 20 unintentionally.So, if in the search procedure of middle control equipment 20, do not find suitable wireless device, then middle control equipment 20 all wireless devices in same group send request signal, at least one wireless device in one group returns confirmation signal, expression allows after the start, and middle control equipment 20 sends the signal that allows to carry out subsequent operation to controlled device 11 and 12 again.
In addition, the time of control equipment 20 search wireless devices if surpass the preset time threshold value, forbids that then controlled device 11 and 12 carries out follow-up operation or enters operating system in can also being provided with.
The above; only be the embodiment among the present invention, but protection scope of the present invention is not limited thereto, anyly is familiar with the people of this technology in the disclosed technical scope of the present invention; the conversion that can expect easily or replacement all should be encompassed in of the present invention comprising within the scope.Therefore, protection scope of the present invention should be as the criterion with the protection domain of claims.
Claims (20)
1. the initial setting up method in the system of a control equipment in comprising, at least one wireless device and at least one controlled device comprises step:
Start described controlled device, enter Basic Input or Output System (BIOS);
Described controlled device and described in connect between the control equipment;
Described controlled device sends assets registration request by described connection control equipment in described;
The described assets registration of control device responds request produces the controlled device key in described, and sends it to described controlled device;
Described controlled device is kept at described controlled device key in the private memory; And
Control equipment is by short-distance wireless telecommunication search wireless device in described, and the identifier of same group wireless device is stored in the storer.
2. initial setting up method as claimed in claim 1 is characterized in that, also comprises step:
Before setting up described connection, judge described in control equipment whether be subjected to cryptographic key protection; And
If control equipment is subjected to cryptographic key protection in described, then connects, otherwise finish setting up procedure.
3. initial setting up method as claimed in claim 2 is characterized in that described key is a usb key.
4. initial setting up method as claimed in claim 1 or 2 is characterized in that, also comprises step:
Judge whether the described controlled device key that receives is legal; And
If described controlled device key is legal, then it is stored in the private memory, otherwise finishes setting up procedure.
5. initial setting up method as claimed in claim 4 is characterized in that, judges by the more described controlled device key and the key of storage in advance whether described controlled device key is legal.
6. initial setting up method as claimed in claim 5 is characterized in that, described private memory is OptionROM or hidden partition.
7. initial setting up method as claimed in claim 1 is characterized in that, described middle control equipment is searched for described wireless device by Bluetooth communication.
8. initial setting up method as claimed in claim 1 is characterized in that, described controlled device call network driver with described in set up network between the control equipment and be connected.
9. initial setting up method as claimed in claim 1 is characterized in that, described middle control equipment directly is connected with described middle control equipment by USB (universal serial bus).
10. initial setting up method as claimed in claim 1 is characterized in that, described controlled device support expansion firmware interface standard.
11. the safety opening terminal method in the system of a control equipment in comprising, at least one wireless device and at least one controlled device, described middle control device storage has the identifier of described wireless device, and described safety opening terminal method comprises step:
Start described controlled device;
Described controlled device and described in connect between the control equipment;
Described controlled device sends authentication request by described connection control equipment in described;
Control described authentication request of device responds and described controlled device authenticate mutually in described;
Control equipment is by the wireless device identifier pairing wireless device of short-distance wireless telecommunication search with storage in described; And
If search described wireless device, described middle control equipment sends the signal that allows to carry out subsequent operation to described controlled device, otherwise, the controlled device auto stop.
12. safety opening terminal method as claimed in claim 11 is characterized in that, also comprises step:
Before setting up described connection, judge described in control equipment whether be subjected to cryptographic key protection; And
If control equipment is subjected to cryptographic key protection in described, then connects, otherwise finish start process.
13. safety opening terminal method as claimed in claim 12 is characterized in that, described key is a usb key.
14. safety opening terminal method as claimed in claim 11 is characterized in that, described middle control equipment comprises by the step of short-distance wireless telecommunication search with the pairing wireless device of wireless device identifier of storage:
Control equipment sends request signal to described wireless device in described;
Described wireless device response described request signal control equipment in described returns confirmation signal.
15. as the described safety opening terminal method of one of claim 11-14, it is characterized in that,, forbid that then described controlled device carries out follow-up operation if the time of search wireless device surpasses the preset time threshold value.
16. safety opening terminal method as claimed in claim 11 is characterized in that, described controlled device and described in control equipment carry out each other authentication by the Kerboros authentication method.
17. safety opening terminal method as claimed in claim 11 is characterized in that, described controlled device call network driver with described in set up network between the control equipment and be connected.
18. safety opening terminal method as claimed in claim 11 is characterized in that, described middle control equipment directly is connected with described middle control equipment by USB (universal serial bus).
19. safety opening terminal method as claimed in claim 11 is characterized in that, described controlled device support expansion firmware interface standard.
20. safety opening terminal method as claimed in claim 11 is characterized in that, if control equipment does not search described wireless device in described, then sends the prompting of waiting for that validated user arrives.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2005100702448A CN100383695C (en) | 2005-05-11 | 2005-05-11 | Safety turn-on method in visual range |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2005100702448A CN100383695C (en) | 2005-05-11 | 2005-05-11 | Safety turn-on method in visual range |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1862441A CN1862441A (en) | 2006-11-15 |
| CN100383695C true CN100383695C (en) | 2008-04-23 |
Family
ID=37389892
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2005100702448A Active CN100383695C (en) | 2005-05-11 | 2005-05-11 | Safety turn-on method in visual range |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100383695C (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7837102B2 (en) * | 2006-06-15 | 2010-11-23 | Mstar Semiconductor, Inc. | Method and apparatus for computer login security using RFID technology |
| CN102200917B (en) * | 2010-03-25 | 2014-09-03 | 研祥智能科技股份有限公司 | Computing equipment and method for determining guiding equipment in startup process |
| CN105933291B (en) * | 2016-04-07 | 2019-04-05 | 合肥联宝信息技术有限公司 | A kind of method, smart machine and the server of smart machine safe handling |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP0661845A2 (en) * | 1993-12-29 | 1995-07-05 | International Business Machines Corporation | System and method for message authentication in a non-malleable public-key cryptosystem |
| CN1253320A (en) * | 1998-10-30 | 2000-05-17 | 联阳半导体股份有限公司 | Device for monitoring start process of personal computer system |
| WO2004004279A1 (en) * | 2002-06-26 | 2004-01-08 | Intel Corporation | Active key for wireless device configuration |
| CN1527600A (en) * | 2003-03-05 | 2004-09-08 | 华为技术有限公司 | Safe access method and device for digital broadcast television network |
| US20040190718A1 (en) * | 2003-03-25 | 2004-09-30 | Dacosta Behram Mario | Apparatus and method for location based wireless client authentication |
-
2005
- 2005-05-11 CN CNB2005100702448A patent/CN100383695C/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP0661845A2 (en) * | 1993-12-29 | 1995-07-05 | International Business Machines Corporation | System and method for message authentication in a non-malleable public-key cryptosystem |
| CN1253320A (en) * | 1998-10-30 | 2000-05-17 | 联阳半导体股份有限公司 | Device for monitoring start process of personal computer system |
| WO2004004279A1 (en) * | 2002-06-26 | 2004-01-08 | Intel Corporation | Active key for wireless device configuration |
| CN1527600A (en) * | 2003-03-05 | 2004-09-08 | 华为技术有限公司 | Safe access method and device for digital broadcast television network |
| US20040190718A1 (en) * | 2003-03-25 | 2004-09-30 | Dacosta Behram Mario | Apparatus and method for location based wireless client authentication |
Also Published As
| Publication number | Publication date |
|---|---|
| CN1862441A (en) | 2006-11-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP7194847B2 (en) | A method for authenticating the identity of digital keys, terminal devices, and media | |
| EP2549678B1 (en) | Method and apparatus for protecting software of mobile terminal | |
| EP3238123B1 (en) | Methods, systems and apparatus to initialize a platform | |
| US20030199267A1 (en) | Security system for information processing apparatus | |
| CN102184352A (en) | Automatic protecting method for computer system based on Bluetooth device authentication | |
| US20040046638A1 (en) | Terminal lock system comprising key device carried by user and terminal-associated device incorporated in terminal device | |
| US11578984B2 (en) | Vehicle control device and program | |
| RU2556383C2 (en) | Method of preventing unauthorised use of vehicle equipment | |
| EP2895982B1 (en) | Hardware-enforced access protection | |
| CN100418033C (en) | Computer system of bottom identity identification and method therefor | |
| CN104820805A (en) | Method and device for burglary prevention of user identity identification card information | |
| CN106789085B (en) | Computer booting based on mobile phone cipher manages system and method | |
| CN109977039A (en) | HD encryption method for storing cipher key, device, equipment and readable storage medium storing program for executing | |
| CN100383695C (en) | Safety turn-on method in visual range | |
| WO2016072833A1 (en) | System and method to disable factory reset | |
| JP2007267006A (en) | Information protecting system, portable terminal, information medium, information protecting method, and information protecting program | |
| JP2012253424A (en) | Radio communication system and registrar device | |
| CN109955934A (en) | Electric vehicle identity authorization system and method | |
| US20190042758A1 (en) | A method of verifying the integrity of an electronic device, and a corresponding electronic device | |
| CN106506843A (en) | A kind of theft preventing method and mobile terminal | |
| CN107154999B (en) | Terminal and unlocking method and storage device based on environmental information | |
| JP4634924B2 (en) | Authentication method, authentication program, authentication system, and memory card | |
| WO2018099808A1 (en) | Method, first device and system for authenticating to a second device | |
| WO2016107820A1 (en) | A method for accessing a shared wireless device using a client wireless communications device, and devices for the same | |
| JP2003076551A (en) | Method and system for installing os using cellular telephone |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |