Summary of the invention
An object of the present invention is to provide a computer security apparatus that addresses the above problem.
Another object of the present invention is to provide a method of securing a computer using the aforementioned computer security apparatus.
According to a first aspect, the computer security apparatus of the present invention comprises:
a mainboard interface for connecting to the computer motherboard;
a hard-disk interface for connecting to the computer hard disk; and
a hard disk data protection module connected between the mainboard interface and the hard-disk interface.
The hard disk data protection module of the present invention physically intercepts hard disk data: the IDE data line that originally ran directly from the computer motherboard to the hard disk is rerouted through the hard disk data protection module before it reaches the hard disk, so that all hard disk data, including the computer operating system, is subjected to protection processing.
The hard disk data protection module receives data from the computer motherboard through the mainboard interface, encrypts it, and stores it on the computer hard disk through the hard-disk interface; and the hard disk data protection module reads encrypted data stored on the hard disk through the hard-disk interface, decrypts it, and delivers it to the computer motherboard through the mainboard interface.
The computer security apparatus of the present invention further comprises a safety protection module and a PCI interface, the safety protection module and the hard disk data protection module being connected to the PCI bus of the computer through the PCI interface.
The PCI interface is inserted into a PCI slot of the computer motherboard by a corresponding plug.
The safety protection module performs computer startup verification and/or a startup medium selection function for the computer.
The safety protection module comprises a memory storing a security protection program; during computer startup, the Basic Input/Output System (BIOS) of the computer reads the security protection program stored in the memory into the computer's main memory so that the computer runs the security protection program.
The computer security apparatus of the present invention further comprises a key device, which provides an authorization file to the hard disk data protection module and an authentication password to the safety protection module through a key interface.
The memory is connected to the PCI interface through a PCI interface chip.
The key device is a USB storage device holding the authentication password and the authorization file of the hard disk data protection module, and the key interface is a USB interface; the USB interface is connected to the hard disk data protection module and to the PCI interface chip, respectively, through a selection chip.
According to a second aspect, the method of securing a computer using the aforementioned computer security apparatus comprises the following steps:
intercepting all data that the computer is about to write to the computer hard disk;
encrypting the intercepted data;
writing the encrypted data to the computer hard disk; and
when the computer reads from the computer hard disk, decrypting the encrypted data stored on the hard disk.
The above method of the present invention further comprises the following step:
during computer startup, the Basic Input/Output System (BIOS) of the computer reads the security protection program stored in the memory of the computer security apparatus into the computer's main memory and runs the security protection program, so that the computer performs the startup authentication function and the startup medium selection function.
The present invention places particular emphasis on compatibility and ease of use while providing physical security protection for important computer data, thereby achieving comprehensive and complete security protection for the computer.
The apparatus and method of the present invention are described in detail below with reference to the accompanying drawings.
Embodiment
The computer security apparatus of the present invention is a hardware card carried on a PCI adapter, accompanied by a key device that holds the authentication password and the authorization file. The invention provides password verification at computer startup, that is, a low-level protective measure for the computer hardware implemented at the BIOS layer, and combines it with whole-disk data protection to form a dual authentication mechanism, ensuring that only an authorized user can use the computer hardware and the hard disk data and providing confidentiality and integrity checking for the computer system. The whole-disk protection protects hard disk data in real time and is fully transparent to the user. The configurable startup medium selection function enforces booting from the hard disk or booting in the sequence set in the BIOS, avoiding the security risk introduced by booting from an optical disc. The product is plug-and-use, independent of the operating system, broadly compatible with hardware, requires no software or driver to be installed, and does not cease to function when the operating system is reinstalled, thereby realizing comprehensive security protection for the computer.
Fig. 1 shows the basic structure of the computer security apparatus of the present invention. As shown in Fig. 1, the computer security apparatus of the present invention mainly comprises: a mainboard interface 1 for connecting to the computer motherboard; a hard-disk interface 2 for connecting to the computer hard disk; and a hard disk data protection module 4 connected between the mainboard interface 1 and the hard-disk interface 2.
The hard disk data protection module 4 may be a digital signal processor (DSP). It physically intercepts hard disk data; that is, the IDE data line that originally ran directly from the computer motherboard to the hard disk is rerouted through the hard disk data protection module 4 before it reaches the hard disk, so that all hard disk data, including the computer operating system, is subjected to protection processing.
When the computer is about to write data to the hard disk, the hard disk data protection module 4 receives the data from the computer motherboard through the mainboard interface 1, encrypts it, and stores it on the computer hard disk through the hard-disk interface 2.
When the computer is about to read data from the hard disk, the hard disk data protection module 4 reads the encrypted data stored on the hard disk through the hard-disk interface 2, decrypts it, and delivers it to the computer motherboard through the mainboard interface 1.
The above encryption process may be a format conversion that the hard disk data protection module 4 applies to the data to be written to the hard disk; the decryption process may be the corresponding conversion and parsing of format-converted data read from the hard disk. The protection the apparatus affords is exactly as strong as this keyed transformation.
In one example, the mainboard interface 1 of the present invention may be an IDE interface 1 and the hard-disk interface 2 may be an IDE interface 2. When data is written to the hard disk, the hard disk data protection module 4 intercepts all of it, applies the format conversion, and only then stores it on the hard disk. The format-converted data is equivalent to a kind of "ciphertext" that can be parsed correctly only after proper authorization, so that the authorized computer user reads the data normally, while everything the hard disk data protection module has stored on the hard disk is otherwise unreadable "garbled" data that cannot be recognized directly. When data is read from the hard disk, it is first parsed by the hard disk data protection module and then delivered onto the IDE bus. The format conversion and the parsing are performed automatically by the hard disk data protection module 4, which is responsible for parsing the IDE bus protocol and for the format conversion and parsing of the data.
The computer security apparatus of the present invention further comprises a safety protection module 3 and a PCI interface 5. The safety protection module 3 and the hard disk data protection module 4 are connected to the PCI bus of the computer through the PCI interface 5, and the PCI interface 5 is inserted into a PCI slot of the computer motherboard by a corresponding plug.
The safety protection module 3 of the present invention performs computer startup verification and/or a startup medium selection function for the computer.
In addition, the safety protection module 3 holds the authorization under which the hard disk data protection module 4 performs data encryption/decryption, and at startup the computer automatically verifies the correctness of the authorization of the hard disk data protection module.
Fig. 2 shows an example of the computer security apparatus of the present invention. As shown in Fig. 2, the safety protection module 3 comprises a memory 31 storing the security protection program; during computer startup, the Basic Input/Output System (BIOS) of the computer reads the security protection program stored in the memory 31 into the computer's main memory so that the computer runs the security protection program. The memory 31 may be a FLASH ROM.
In addition, the safety protection module 3 further comprises a PCI interface chip 32, which parses the PCI data interface and performs the initialization of the PCI device; once the PCI device has been configured, the security protection program module is read from the memory 31. As shown in Fig. 2, the memory (31) is connected to the PCI interface (5) through the PCI interface chip (32).
The present invention further comprises a selection chip 8; the USB interface 7 is connected to the hard disk data protection module 4 and to the PCI interface chip 32, respectively, through this selection chip 8.
The selection chip 8 is provided between the hard disk data protection module 4 and the safety protection module 3 (comprising the FLASH ROM 31 and the PCI interface chip 32) because both must read data from the USB Key, but only one module can operate the USB Key at any one time; the selection chip 8 therefore selects which functional module reads and writes the Key.
The computer startup authentication function and the startup medium selection function are both part of the security protection program module, whose code is kept in the FLASH ROM 31. During computer startup, the BIOS detects and initializes the computer security apparatus of the present invention shown in Fig. 2 (which is in essence a PCI device) and allocates suitable computer resources to it; the BIOS then reads the security protection program module from the FLASH ROM 31 into the computer's main memory through the PCI interface chip 32 and runs the module (that is, the computer startup authentication function and the startup medium selection function), whereby the function of the safety protection module is realized.
The key device (not shown) of the present invention is in fact a storage device; it provides the authorization file to the hard disk data protection module 4 and the authentication password to the safety protection module through the key interface 7. When the key device is a storage device suited to a USB interface, the key interface 7 is a USB interface 7.
The key device holds the authorization file with which the hard disk data protection module performs data protection/parsing, and the password used by the computer startup authentication function of the safety protection module. When a computer fitted with the computer security apparatus of the present invention starts, the correctness of the authorization file of the hard disk data protection module is verified automatically (no user involvement is needed), and the correctness of the authentication password is verified (the user must enter the correct password). If either verification fails, there is no way to start the computer hardware, and the only available choice is to shut the computer down.
In addition, the present invention provides a method of securing a computer using the computer security apparatus, comprising the following steps:
intercepting all data that the computer is about to write to the computer hard disk;
encrypting the intercepted data;
writing the encrypted data to the computer hard disk; and
when the computer reads from the computer hard disk, decrypting the encrypted data stored on the hard disk. The above steps may be performed by the hard disk data protection module 4 of the present invention.
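The write and read paths described in the steps above and in the IDE interception example of Fig. 1 (module 4 encrypting on the way to the disk and decrypting on the way back) are shown below as an added example in Go; it is not code from the patent or from the apparatus. It models the per-sector transformation with XTS-AES, the standard mode for transparent disk encryption, with the hard disk and its key material constructed inline: the 32-byte key is two 128-bit AES keys, one for the data blocks and one that turns the LBA into a per-sector tweak, so identical plaintext lands as different ciphertext on different sectors. The names ProtectedDisk, Write, Read and RawSector are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// SectorSize is the IDE transfer unit; each sector is encrypted independently.
const SectorSize = 512

// ProtectedDisk stands in for hard disk data protection module 4 spliced into the IDE
// cable: Write and Read are what the motherboard sees, medium is what reaches the platter.
type ProtectedDisk struct {
	dataKey  cipher.Block      // XTS key 1, encrypts the 16-byte blocks of a sector
	tweakKey cipher.Block      // XTS key 2, turns the LBA into a per-sector tweak
	medium   map[uint64][]byte // constructed stand-in for the physical hard disk
}

// NewProtectedDisk takes 32 bytes of key material (two AES-128 keys); in the apparatus
// this would be supplied through the authorization file on the USB Key.
func NewProtectedDisk(key []byte) (*ProtectedDisk, error) {
	if len(key) != 32 {
		return nil, errors.New("XTS-AES-128 needs two 16-byte keys")
	}
	k1, _ := aes.NewCipher(key[:16]) // 16-byte keys are always accepted
	k2, _ := aes.NewCipher(key[16:])
	return &ProtectedDisk{dataKey: k1, tweakKey: k2, medium: map[uint64][]byte{}}, nil
}

// mulAlpha multiplies the tweak by x in GF(2^128), IEEE 1619 little-endian convention.
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// xts transforms one whole sector (512 is a multiple of the block size, so no ciphertext
// stealing is needed); only the block cipher direction differs between the two paths.
func (d *ProtectedDisk) xts(lba uint64, in []byte, decrypt bool) []byte {
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], lba) // data unit number i
	d.tweakKey.Encrypt(t[:], t[:])            // T = E_K2(i)
	out := make([]byte, len(in))
	var blk [16]byte
	for j := 0; j < len(in); j += aes.BlockSize {
		for k := range blk {
			blk[k] = in[j+k] ^ t[k]
		}
		if decrypt {
			d.dataKey.Decrypt(blk[:], blk[:])
		} else {
			d.dataKey.Encrypt(blk[:], blk[:])
		}
		for k := range blk {
			out[j+k] = blk[k] ^ t[k]
		}
		mulAlpha(&t) // the next block of this sector uses T * alpha^(j+1)
	}
	return out
}

// Write intercepts a sector on its way from the motherboard; only ciphertext is stored.
func (d *ProtectedDisk) Write(lba uint64, plain []byte) error {
	if len(plain) != SectorSize {
		return fmt.Errorf("sector %d: want %d bytes, got %d", lba, SectorSize, len(plain))
	}
	d.medium[lba] = d.xts(lba, plain, false)
	return nil
}

// Read returns the sector as the motherboard expects it, decrypted on the way through.
func (d *ProtectedDisk) Read(lba uint64) ([]byte, error) {
	c, ok := d.medium[lba]
	if !ok {
		return nil, fmt.Errorf("sector %d was never written", lba)
	}
	return d.xts(lba, c, true), nil
}

// RawSector is what someone who removes the drive and reads it without the card sees.
func (d *ProtectedDisk) RawSector(lba uint64) []byte { return d.medium[lba] }

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed key, not a provisioning value
	disk, _ := NewProtectedDisk(key)
	sector := bytes.Repeat([]byte("MBR "), SectorSize/4)
	_ = disk.Write(0, sector)
	back, _ := disk.Read(0)
	fmt.Println("round trip intact:", bytes.Equal(back, sector))
	fmt.Printf("first platter bytes: % x\n", disk.RawSector(0)[:16])
}
```

RawSector shows what a reader who bypasses the card sees. Two properties of the mode matter when weighing the claims in this text: XTS is deterministic, so rewriting a sector with unchanged content produces unchanged ciphertext that an observer with repeated physical access can recognise, and it carries no authentication tag, so integrity of the hard disk contents has to be provided separately.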
In addition, the above method of the present invention may further comprise the following step:
during computer startup, the Basic Input/Output System (BIOS) of the computer reads the security protection program stored in the memory (31) of the computer security apparatus into the computer's main memory and runs the security protection program, so that the computer performs the startup authentication function and the startup medium selection function.
In summary, the present invention has the following technical characteristics:
1. The computer security apparatus of the present invention is in essence a PCI device. When the BIOS of the computer detects a PCI device of the present invention carrying an expansion ROM (the memory 31), it first searches the expansion ROM for a suitable image, copies it into RAM, and executes the initialization code. After the initialization routine finishes, the BIOS adjusts the memory space allocated to the expansion ROM code and write-protects the region of main memory in which the expansion ROM code resides, so that its contents cannot be rewritten once the operating system has gained control. At this point all standard hardware devices of the computer have passed detection, so the security protection program can make use of almost all computer resources. Because the security protection program is stored in ROM, the card is plug-and-use and requires no software or driver to be installed, which is convenient for the user; secondly, because the program runs before the operating system boots, it is independent of whichever operating system is installed and is not tied to a platform; most importantly, the protective measures implemented by this mechanism offer no possibility of being bypassed, nor of ceasing to function, through uninstalling or reinstalling the operating system.
2. Based on considerations of physical security protection of the computer, and because the important information of a computer is generally kept on the hard disk, whole-disk protection is the basis for ensuring that sensitive and important information does not leak. Considering speed as well, physically intercepting hard disk data is the most direct and effective way to realize whole-disk protection: the IDE data line that originally ran from the computer motherboard to the hard disk is first connected to the computer security apparatus of the present invention (a PCI plug-in card), passes through the data protection module 4, and is then connected to the hard disk; the data protection module 4 is responsible for parsing the IDE data and for real-time format conversion. All data written to the hard disk passes through the format conversion of the protection module, and all data read is parsed by the data protection module 4.
A hard disk protected in this way can be accessed only when proper authorization information is provided; otherwise the operating system cannot be started from the hard disk, and the hard disk data cannot be recovered by any data recovery technique, thereby realizing physical security protection of the computer data.
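The expansion ROM handling in characteristic 1 above (signature check, search for a suitable image, checksum, then copy to RAM) is shown below as an added example in Go of how a BIOS validates an option ROM before executing it; it is not the patent's code nor the card's firmware. The image bytes are constructed inline by BuildImage following the PCI Firmware Specification layout (0x55 0xAA, length at byte 2, x86 init entry at byte 3, pointer to the "PCIR" structure at 0x18); the vendor and device IDs 0x1234 and 0x5678 are placeholders, and ParseOptionROM and SelectImage are this example's own names.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Expansion ROM image layout (PCI Firmware Specification): 0x55 0xAA, length in
// 512-byte units at byte 2, x86 init entry at byte 3, pointer to "PCIR" at 0x18.
const (
	romSignature = 0xAA55 // bytes 0x55, 0xAA read little-endian
	CodeTypeX86  = 0x00   // Intel x86 PC-AT image, the kind a legacy BIOS executes
	CodeTypeEFI  = 0x03   // EFI image, ignored by a legacy BIOS
)

type ROMImage struct {
	Offset, Length     int
	VendorID, DeviceID uint16
	CodeType           byte
	Last               bool // PCIR indicator bit 7: no further images follow
	ChecksumOK         bool // x86 rule: every byte of the image sums to zero mod 256
}

// ParseOptionROM walks the image chain the way the BIOS does before copying anything to RAM.
func ParseOptionROM(rom []byte) ([]ROMImage, error) {
	var images []ROMImage
	off := 0
	for {
		if off+0x1A > len(rom) || binary.LittleEndian.Uint16(rom[off:]) != romSignature {
			return images, fmt.Errorf("no 55AA image header at %#x", off)
		}
		length := int(rom[off+2]) * 512
		if length == 0 || off+length > len(rom) {
			return images, fmt.Errorf("image at %#x has bad length %d", off, length)
		}
		pcir := off + int(binary.LittleEndian.Uint16(rom[off+0x18:]))
		if pcir+0x18 > off+length || string(rom[pcir:pcir+4]) != "PCIR" {
			return images, fmt.Errorf("image at %#x has no PCI data structure", off)
		}
		var sum byte
		for _, b := range rom[off : off+length] {
			sum += b
		}
		img := ROMImage{
			Offset: off, Length: length,
			VendorID:   binary.LittleEndian.Uint16(rom[pcir+4:]),
			DeviceID:   binary.LittleEndian.Uint16(rom[pcir+6:]),
			CodeType:   rom[pcir+0x14],
			Last:       rom[pcir+0x15]&0x80 != 0,
			ChecksumOK: sum == 0,
		}
		images = append(images, img)
		if img.Last {
			return images, nil
		}
		off += length
	}
}

// SelectImage applies the BIOS acceptance rule: x86 code type, PCIR vendor/device equal to
// the card's configuration-space IDs, and a valid checksum; anything else is never executed.
func SelectImage(images []ROMImage, vendor, device uint16) (ROMImage, error) {
	for _, img := range images {
		if img.CodeType == CodeTypeX86 && img.VendorID == vendor && img.DeviceID == device && img.ChecksumOK {
			return img, nil
		}
	}
	return ROMImage{}, errors.New("no runnable x86 image for this device")
}

// BuildImage constructs a minimal 512-byte image for this example; real init code
// would follow the JMP at byte 3.
func BuildImage(vendor, device uint16, codeType byte, last bool) []byte {
	img := make([]byte, 512)
	img[0], img[1], img[2], img[3] = 0x55, 0xAA, 1, 0xE9 // signature, 1 unit, JMP rel16
	binary.LittleEndian.PutUint16(img[0x18:], 0x40)     // PCIR lives at +0x40
	p := img[0x40:]
	copy(p, "PCIR")
	binary.LittleEndian.PutUint16(p[4:], vendor)
	binary.LittleEndian.PutUint16(p[6:], device)
	binary.LittleEndian.PutUint16(p[0x0A:], 0x18) // PCIR structure length
	binary.LittleEndian.PutUint16(p[0x10:], 1)    // image length, 512-byte units
	p[0x14] = codeType
	if last {
		p[0x15] = 0x80
	}
	var sum byte
	for _, b := range img {
		sum += b
	}
	img[511] = 0 - sum // checksum byte so the whole image sums to zero
	return img
}

func main() {
	rom := append(BuildImage(0x1234, 0x5678, CodeTypeEFI, false),
		BuildImage(0x1234, 0x5678, CodeTypeX86, true)...)
	images, err := ParseOptionROM(rom)
	if err != nil {
		fmt.Println("parse:", err)
		return
	}
	for _, img := range images {
		fmt.Printf("image at %#x: code type %#x, checksum ok %v\n", img.Offset, img.CodeType, img.ChecksumOK)
	}
	sel, err := SelectImage(images, 0x1234, 0x5678)
	fmt.Printf("BIOS copies image at %#x to RAM and calls its entry at +3 (err=%v)\n", sel.Offset, err)
}
```

SelectImage mirrors the rule that makes the card independent of the operating system: the image is chosen purely from the ROM's own headers and the card's PCI IDs, before any disk is read, and an image whose checksum fails is simply never executed.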
The present invention may be used as follows:
First, connect the mainboard IDE interface 1 of the present invention to the mainboard IDE interface of the computer, and connect the hard disk IDE interface 2 to the IDE interface of the computer hard disk;
insert the PCI interface of the present invention into any idle PCI slot of the computer motherboard by means of the PCI interface plug;
insert the key device into the USB interface 7 of the present invention; then install the operating system, after which the computer can be used normally. Because everything written to the hard disk passes through the card's conversion, the operating system must be installed after the apparatus is fitted, and the disk is only readable through the apparatus with its key device. Thereafter, each time the computer is used, it is sufficient to insert the correct USB Key into the protection card and pass the normal verification procedure at startup, and the computer can be used normally.
In addition, the present invention may be provided with an indicator lamp (LED) 6 that lights to show that the hard disk data protection module 4 is operating.
The present invention has the following technical effects:
1. Startup password protection: password verification of the startup of the computer hardware, the correct password being kept in the key device. After the computer starts, a Windows-like user interface prompts the user to enter the password; when the number of wrong password entries reaches the set limit the computer is locked, and when the computer has been locked more than three times in succession the key device is locked, a lock that only the administrator can remove. This ensures that the computer hardware can be used only with proper authorization. After the password has been verified, the user may choose through the graphical interface to start the computer directly, modify the password and other information, shut down, or display the software version and copyright; the password cannot be empty.
2. Startup medium configuration: the administrator configures the choice of startup medium, selecting either booting from the hard disk or booting in the boot sequence set in the BIOS. If booting from the hard disk is selected, the operating system is forced to boot from the hard disk regardless of whether the BIOS has been set to boot from the optical drive first.
3. Whole-disk data protection: chip-level hard disk data protection that covers all hard disk data, including the operating system files; even if the hard disk is lost, the data cannot be recovered by any data recovery technique, realizing physical security of the information. The 128-bit hard disk protection key ensures that it cannot be cracked by modern hardware (the key length rules out exhaustive search only to the extent that the underlying format conversion is a sound keyed cipher); the key is kept in the USB Key, which strengthens security. The protection process is fully transparent to the user and does not affect computer performance.
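The dual verification described for the key device (automatic check of the authorization file, then the interactive password check) together with the lockout escalation in effect 1 is shown below as an added example in Go of the policy as a small state machine; it is not the patent's code. The number of wrong passwords that locks the computer is assumed to be three, as the text leaves the "set limit" unspecified, and the password is held on the modelled key as a salted SHA-256 digest rather than in the clear, which is also an assumption. USBKey, BootGuard and the error values are this example's own names, and the authorization file contents are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Limits from the page: a set number of wrong passwords locks the computer, and more than
// three consecutive computer locks lock the key device. The attempt limit is an assumption.
const (
	MaxPasswordAttempts = 3
	MaxConsecutiveLocks = 3
)

var (
	ErrKeyLocked      = errors.New("key device locked; only the administrator can clear it")
	ErrBadAuthFile    = errors.New("authorization file rejected; hardware will not start")
	ErrWrongPassword  = errors.New("wrong password")
	ErrComputerLocked = errors.New("attempt limit reached; computer locked, power off")
	ErrEmptyPassword  = errors.New("password may not be empty")
)

// USBKey models the key device. AuthFile is the secret the disk protection module is checked
// against; the password is kept as a salted digest (assumed, the page only says it is kept
// on the key). LockCount persists on the key across boots, which is what lets the
// "more than three consecutive locks" rule survive a power cycle.
type USBKey struct {
	AuthFile     []byte
	Salt         []byte
	PasswordHash [sha256.Size]byte
	LockCount    int
	Locked       bool
}

func hashPassword(salt []byte, password string) [sha256.Size]byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	var out [sha256.Size]byte
	copy(out[:], h.Sum(nil))
	return out
}

func NewUSBKey(authFile, salt []byte, password string) *USBKey {
	return &USBKey{AuthFile: authFile, Salt: salt, PasswordHash: hashPassword(salt, password)}
}

// AdminUnlock is the administrator action that clears a locked key.
func (k *USBKey) AdminUnlock() { k.Locked, k.LockCount = false, 0 }

// BootGuard is the part of the security protection program that runs from the expansion ROM.
type BootGuard struct {
	expectedAuth []byte // what the hard disk data protection module was provisioned with
	attempts     int    // wrong passwords so far in this boot
}

func NewBootGuard(expectedAuth []byte) *BootGuard { return &BootGuard{expectedAuth: expectedAuth} }

// VerifyAuthorization is the automatic first stage: no user input, compared in constant time.
func (g *BootGuard) VerifyAuthorization(k *USBKey) error {
	if k.Locked {
		return ErrKeyLocked
	}
	if subtle.ConstantTimeCompare(k.AuthFile, g.expectedAuth) != 1 {
		return ErrBadAuthFile
	}
	return nil
}

// VerifyPassword is the interactive second stage with the lockout escalation.
func (g *BootGuard) VerifyPassword(k *USBKey, entered string) error {
	if k.Locked {
		return ErrKeyLocked
	}
	if entered == "" {
		return ErrEmptyPassword
	}
	h := hashPassword(k.Salt, entered)
	if subtle.ConstantTimeCompare(h[:], k.PasswordHash[:]) == 1 {
		g.attempts = 0
		k.LockCount = 0 // a successful start ends the run of consecutive locks
		return nil
	}
	g.attempts++
	if g.attempts < MaxPasswordAttempts {
		return ErrWrongPassword
	}
	g.attempts = 0
	k.LockCount++
	if k.LockCount > MaxConsecutiveLocks {
		k.Locked = true
		return ErrKeyLocked
	}
	return ErrComputerLocked
}

func main() {
	auth := []byte("constructed-authorization-file")
	key := NewUSBKey(auth, []byte("constructed-salt"), "correct horse")
	guard := NewBootGuard(auth)
	fmt.Println("authorization:", guard.VerifyAuthorization(key))
	for i := 0; i < MaxPasswordAttempts; i++ {
		fmt.Println("wrong password:", guard.VerifyPassword(key, "guess"))
	}
	fmt.Println("after lock, key lock count:", key.LockCount)
}
```

The two counters live in different places on purpose: the per-boot attempt counter resets when the computer is locked and powered off, while the consecutive-lock counter is written to the key so that repeatedly power-cycling the machine does not give an attacker a fresh budget.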
Although the present invention has been described in detail above, the invention is not limited thereto, and those skilled in the art may make various modifications in accordance with the principles of the present invention. Therefore, all modifications made in accordance with the principles of the invention should be understood as falling within the scope of protection of the present invention.