Detailed description of the embodiments
In order to make the purpose, technical scheme and advantages of the present invention clearer, the present invention is further elaborated below in conjunction with the drawings and examples. It should be appreciated that the specific embodiments described herein serve only to explain the present invention and are not intended to limit it.
The embodiment of the invention matches the user login information of the currently displayed operating system against the user login information stored in advance for that operating system in the same TCM chip; if the match succeeds, user identity authentication passes. In this way the corresponding user login information is used, and identity authentication is carried out, for each different operating system, improving the security of data in a single-computer, multi-hard-disk, multi-operating-system environment.
The specific implementation of the present invention is described in detail below with reference to specific embodiments:
In the embodiments of the present invention, the user identity authentication method and system for a single computer with multiple hard disks and multiple operating systems complete user identity authentication and data storage encryption by using a trusted computing cryptographic support platform; after passing authentication, the user can start the data protection functions of the corresponding application program, realizing trusted protection of data under that operating system. The Trusted Cryptography Module (TCM) and the Trusted Cryptography Service Module (TSM) are the two major components of the trusted cryptographic support platform; the platform takes the TCM as its root of trust, implements key management and platform data security protection, and provides the corresponding cryptographic services. The same computer can have multiple operating systems and users; trusted protection of data must be realized for the users of each different operating system before the data security protection of the computer is truly achieved.
Embodiment one:
Fig. 1 shows the implementation flow of the user identity authentication method for a single computer with multiple hard disks and multiple operating systems provided by the first embodiment of the invention, detailed as follows:
In step S101, when one system among the multiple operating systems is detected as the currently displayed operating system, the user login information of this currently displayed operating system is obtained.
As shown in Figure 2, the step of obtaining the user login information of the currently displayed operating system in step S101 specifically comprises:
In step S201, obtaining the user login name of the current operating system and determining whether this user login name exists in the user login information stored in advance in the TCM chip.
In step S202, when the user login name exists, receiving the user login password entered by the user through the login interface.
Here, the user login information comprises a user login name and the user login password corresponding to that user login name; each operating system among the multiple operating systems is installed on one of the multiple hard disks, and the user login information of every operating system among the multiple operating systems is stored in the same TCM chip. The user login information stored in advance in the TCM chip may be stored in the non-volatile (NV) memory of the TCM chip. The TCM is the hardware module of the trusted computing platform: it provides cryptographic operations for the trusted computing platform and has a shielded storage space.
Step S101 further comprises the following step:
When the user login name does not exist in the user login information stored in advance in the TCM chip, creating the user login name and the cryptographic hash of the user login password corresponding to it, and storing them at the corresponding location in the TCM chip.
The user identity authentication method for a single computer with multiple hard disks and multiple operating systems provided by the embodiment of the invention stores the user account information and keys corresponding to each operating system in the shielded NV storage space of the hardware module. Provided there are no more than 8 operating system users on the same computer (a limit determined by the storage capacity and structure of the TCM chip), all of the operating systems on the multiple hard disks that share the same TCM chip can normally use the chip's encryption and protection functions, carry out user identity authentication and data storage encryption, and enable the data protection functions of terminal security applications, ensuring system data security. Specifically, the multiple operating systems on this computer share the same TCM chip; given the capacity of the non-volatile storage space (NV memory) of existing TCM chips, user account information and key storage for at most 8 operating systems can be supported. Multi-system use of the TCM is achieved by storing the encrypted user login information of each system at a different memory address in the TCM chip, and by using the corresponding function to read the user information stored at the corresponding address when each operating system logs in.
In a specific implementation, when one system among the multiple operating systems of the same multi-hard-disk computer is detected as the currently displayed operating system, the user login name of the current operating system is obtained and looked up in the NV memory of the TCM chip, and the lookup result is returned. If the user login name is not found, this user has not yet created login information for this system in the TCM chip: a user creation interface is displayed, prompting the user to create a chip password; the password is matched to the user login name of the system, and, through the service management module communicating with the TCM chip, the created user login name and the cryptographic hash of the entered login password are stored in the NV space of the TCM chip. If the user login name is found, a system user matching the current operating system exists: the user login interface is displayed, prompting the user to enter the login password, and the user login password entered by the user through the login interface is received.
In step S102, it is determined whether login information matching the user login information of the currently displayed operating system exists in the user login information stored in advance in the TCM chip.
Step S102 specifically comprises:
obtaining, from the user login name in the user login information of the currently displayed operating system, the storage index value of this user login name in the TCM chip;
obtaining, according to this storage index value, the cryptographic hash of the login password in the data record corresponding to the storage index value;
determining whether the cryptographic hash of the user login password in the user login information of the currently displayed operating system is identical to the cryptographic hash of the login password in that data record.
In a specific implementation, after the user enters the user login password through the login interface, the storage index value matching the user login name of the current operating system is looked up in the non-volatile storage space of the TCM chip; using this storage index value, the data corresponding to the index value is retrieved from the non-volatile storage space of the TCM chip and the cryptographic hash part of that data is extracted, so that the hash value obtained can be compared with the cryptographic hash of the login password the user entered through the login interface.
In step S103, when login information matching the user login information of the currently displayed operating system exists, user identity authentication pass information is output.
In a specific implementation, when login information matching the user login information of the currently displayed operating system exists, the user passes identity verification and user identity authentication pass information is output; the user can then normally use the computer data files, chip data and so on authorized by TCM verification. Otherwise, the user cannot use the computer data files, chip data and so on authorized by TCM verification.
In addition, when another of the multiple operating systems is detected to have been switched to as the currently displayed operating system, and after that operating system has started, the user of the currently displayed operating system after the switch can interact with the TCM through the user identity authentication method provided by the embodiment of the invention, normally obtaining user information from the NV space of the TCM and carrying out user login authentication or creating account information for that user. Because the user login information for each operating system is stored in the non-volatile NV memory of the TCM, each user's data in the chip is unaffected when the system is switched.
In the embodiments of the present invention, the user identity authentication method for a single computer with multiple hard disks and multiple operating systems is based on the trusted computing cryptographic support platform: the current user's login information, including the cryptographic hash of the password, can be stored in advance in the TCM chip; when the user logs in to one of the multiple operating systems on the same computer, the authentication information matching the current user is obtained from the TCM through the TSM, realizing the user login verification process and the backup of TCM user information. Because the cryptographic hash of the current user's login name and password can be stored in advance in a secure storage space such as the TCM chip, which seals data in a highly secure region and defends against attack through the chain of trust, external malicious operations have difficulty altering the chip data; this effectively prevents user identity information from being maliciously altered and, to a great extent, protects the security of the computer data files and chip data authorized by TCM verification.
One of ordinary skill in the art will appreciate that all or part of the steps of the method in the above embodiments may be accomplished by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc.
Embodiment two:
Fig. 3 shows the structure of the user identity authentication system for a single computer with multiple hard disks and multiple operating systems provided by the second embodiment of the invention; for convenience of explanation, only the parts relevant to the embodiment of the invention are shown.
The user identity authentication system for a single computer with multiple hard disks and multiple operating systems may be built into an existing computer operating system, and comprises a login information acquiring unit 31, a login information matching unit 32 and an authentication pass unit 33, wherein:
The login information acquiring unit 31 is used to obtain the user login information of the currently displayed operating system when one system among the multiple operating systems is detected as the currently displayed operating system.
Here, the user login information comprises a user login name and the user login password corresponding to that user login name; each operating system among the multiple operating systems is installed on one of the multiple hard disks, and the user login information of every operating system among the multiple operating systems is stored in the same TCM chip.
As shown in Figure 3, the login information acquiring unit 31 specifically comprises:
a login name acquiring unit 311, used to obtain the user login name of the current operating system when one system among the multiple operating systems is detected as the currently displayed operating system;
a first judging unit 312, used to determine whether this user login name exists in the user login information stored in advance in the TCM chip;
a login information creating unit 313, used to create and store the user login name and the cryptographic hash of the user login password corresponding to it when the result output by the first judging unit 312 is no; and
a login password receiving unit 314, used to receive the user login password entered by the user through the login interface when the result output by the first judging unit 312 is yes.
In the embodiments of the present invention, the user login information stored in advance in the TCM chip may be stored in the NV memory of the TCM chip. When one system among the multiple operating systems of the same computer is detected as the currently displayed operating system, the login information acquiring unit 31 obtains the user login name of the current operating system, looks it up in the NV memory of the TCM chip, and returns the lookup result. If the user login name is not found, this user has not yet created login information for this system in the TCM chip: a user creation interface is displayed, prompting the user to create a chip password; the password is matched to the user login name of the system, and, through the service management module communicating with the TCM chip, the created user login name and the cryptographic hash of the entered login password are stored in the NV space of the TCM chip. If the user login name is found, a system user matching the current operating system exists: the user login interface is displayed, prompting the user to enter the login password, and the login information acquiring unit 31 receives the user login password entered by the user through the login interface.
The login information matching unit 32 is used to determine whether login information matching the user login information of the currently displayed operating system exists in the user login information stored in advance in the TCM chip.
As shown in Figure 4, the login information matching unit 32 specifically comprises:
an index value acquiring unit 41, used to obtain, from the user login name in the user login information of the currently displayed operating system, the storage index value of this user login name in the TCM chip;
a hash value acquiring unit 42, used to obtain, according to the storage index value, the cryptographic hash of the login password in the data record corresponding to that storage index value; and
a hash value matching unit 43, used to determine whether the cryptographic hash of the user login password in the user login information of the currently displayed operating system is identical to the cryptographic hash of the login password in that data record.
In the embodiments of the present invention, after the user enters the user login password through the login interface, the storage index value matching the user login name in the user login information of the current operating system is looked up in the NV storage space of the TCM chip; using this storage index value, the data corresponding to the index value is retrieved from the non-volatile storage space of the TCM chip and the cryptographic hash part of that data is extracted, so that the hash value obtained can be compared with the cryptographic hash of the login password in the user login information the user entered through the login interface.
The authentication pass unit 33 is used to output user identity authentication pass information when the result output by the login information matching unit 32 is yes (matching login information exists).
In the embodiments of the present invention, when the result output by the login information matching unit 32 is yes, the authentication pass unit 33 outputs user identity authentication pass information and the user can normally use the computer data files, chip data and so on authorized by TCM verification; when the result output by the login information matching unit 32 is no, the user is prompted that authentication has not passed.
In the embodiments of the present invention, the user identity authentication system for a single computer with multiple hard disks and multiple operating systems is based on the trusted computing cryptographic support platform: by storing the current user's login information, including the cryptographic hash of the password, in the TCM chip in advance, and, when the user logs in to one of the multiple operating systems on the same computer, obtaining the authentication information matching the current user from the information stored in advance, the user login verification process is realized and the security of data information is protected to a great extent.
Through the user identity authentication method for a single computer with multiple hard disks and multiple operating systems, the embodiment of the invention obtains the user login information of the currently displayed operating system, matches this user's login information against the user information for the currently displayed operating system stored in advance in the TCM chip, and, when the user switches the currently displayed operating system to another system, can still repeat the above steps to obtain the login information of the corresponding user; only after a successful match can the data under the corresponding operating system be accessed. This solves the problem of weak security protection of data information when authenticating the identities of users of different systems in a single-computer, multi-hard-disk, multi-operating-system environment, and realizes secure access to data information.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modifications, equivalent replacements, improvements and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
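The flow of steps S101 to S103 in Embodiment one and of units 31 to 33 (with sub-units 311 to 314 and 41 to 43) in Embodiment two, as an added simulation that is not part of the patent: the TCM's NV space is modelled as an in-memory table of storage index to (login name, password hash), the 8-record limit the text states is enforced, and the hash function (SHA-256), the class and function names and the constructed sample names are all assumptions of this example.

```python
import hashlib
import hmac
from typing import Optional

MAX_USERS = 8  # the patent allows at most 8 OS user records per TCM chip (NV capacity)


def password_hash(password: str) -> bytes:
    # The patent stores only a cryptographic hash of the login password;
    # SHA-256 is an assumption here, the patent does not name the hash function.
    return hashlib.sha256(password.encode("utf-8")).digest()


class TcmNvStore:
    """Stand-in for the TCM's shielded NV space: storage index -> (login name, hash)."""
    def __init__(self) -> None:
        self._slots = {}

    def lookup_index(self, login_name: str) -> Optional[int]:
        # Step S201 / index value acquiring unit 41: find the storage index for a name.
        for idx, (name, _) in self._slots.items():
            if name == login_name:
                return idx
        return None

    def create(self, login_name: str, password: str) -> int:
        # Step S101 "create" branch / login information creating unit 313.
        if self.lookup_index(login_name) is not None:
            raise ValueError("login name already enrolled in this TCM")
        if len(self._slots) >= MAX_USERS:
            raise RuntimeError("NV space exhausted: at most 8 OS user records")
        idx = len(self._slots)
        self._slots[idx] = (login_name, password_hash(password))
        return idx

    def stored_hash(self, idx: int) -> bytes:
        # Hash value acquiring unit 42: the hash part of the record at this index.
        return self._slots[idx][1]


def authenticate(store: TcmNvStore, login_name: str, entered_code: str) -> bool:
    """Steps S102/S103 (units 41-43 and 33): compare the hash of the entered code
    with the hash stored under the name's index; unknown names never pass."""
    idx = store.lookup_index(login_name)
    if idx is None:
        return False
    # Hash value matching unit 43; compare_digest avoids a timing side channel.
    return hmac.compare_digest(password_hash(entered_code), store.stored_hash(idx))


def login_or_enroll(store: TcmNvStore, login_name: str, entered_code: str) -> str:
    """Whole S101 flow for one OS: enroll when the name is absent, otherwise verify."""
    if store.lookup_index(login_name) is None:
        store.create(login_name, entered_code)
        return "created"
    return "authenticated" if authenticate(store, login_name, entered_code) else "rejected"
```

Because every operating system's record lives in the same store, a second OS user (a different login name) enrolls and authenticates without disturbing the first, which is the switching behaviour the text describes.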