CN104636655A - Credibility verifying method of hot plug device - Google Patents

Credibility verifying method of hot plug device

Info

Publication number
CN104636655A
Authority
CN
China
Prior art keywords
equipment
hot
plug equipment
plug
identification code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510063560.6A
Other languages
Chinese (zh)
Inventor
杨霞
桑楠
杨姗
石鹏
雷林
刘志伟
孙超群
孙海泳
武琼
袁艺
刘维飞
任飞
吴开均
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2015-02-06
Filing date
2015-02-06
Publication date
2015-05-20
Application filed by University of Electronic Science and Technology of China
Priority to CN201510063560.6A
Publication of CN104636655A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a credibility verification method for hot-plug devices. After the embedded system is powered on, the locally stored encrypted device database is decrypted, and the identification codes of the inserted hot-plug devices are obtained and matched against the device database. If the identification codes pass verification, the device database is re-encrypted, the system login operation is executed, and the inserted hot-plug devices are allowed to be mounted automatically; otherwise the system login operation is refused. After a successful login, when the hardware replacement credibility verification module detects in real time that a hot-plug device has been inserted, the locally stored encrypted device database is decrypted, and the identification code of the newly inserted hot-plug device is obtained and matched against the device database. If the identification code passes verification, the device database is re-encrypted and the newly inserted device is allowed to be mounted automatically; otherwise mounting of the device is refused. The method effectively protects the embedded system and prevents hardware devices from being illegally replaced.

Description

A trust verification method for hot-plug devices
Technical field
The present invention relates to the field of data security for hot-plug devices in embedded systems, and specifically to a method for verifying the trustworthiness of hot-plug devices against replacement in an embedded system.
Background
Embedded devices expose interfaces to the outside world, such as USB, so on equipment with higher security requirements the question is how to ensure that these peripherals are not maliciously replaced. In some classified systems, for example, important data must be backed up, and when data in the system is damaged a backup device is needed to restore it. If the devices used for backup have been maliciously replaced, the data may have been tampered with without anyone knowing; or an unauthorized person may use a USB or similar device to attack the system with viruses or Trojans, with serious consequences such as system failure.
The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology. AES is an iterated, symmetric-key block cipher; it can use 128-, 192- and 256-bit keys, and encrypts and decrypts data in 128-bit blocks.
Summary of the invention
The technical problem to be solved by the invention is to provide a trust verification method that guards against the replacement of hot-plug devices in an embedded system.
To solve this problem, the invention adopts the following technical solution: a trust verification method for hot-plug devices, comprising the following steps:
Login step: after the embedded system is powered on, the hardware trust verification module decrypts the locally stored encrypted device database, obtains the identification codes of the hot-plug devices already inserted, and matches them against the trusted device identification codes recorded in the device database. If all inserted hot-plug devices pass verification, the device database is re-encrypted, the system login operation is executed, and the inserted hot-plug devices are allowed to be mounted automatically; otherwise the system login operation is refused, and hot-plug devices that did not pass verification are not mounted;
Real-time monitoring step: after a successful login, when the hardware replacement trust verification module detects in real time that a hot-plug device has been inserted, it decrypts the locally stored encrypted device database, obtains the identification code of the newly inserted hot-plug device, and matches it against the trusted device identification codes recorded in the device database. If the newly inserted device passes verification, the device database is re-encrypted and the device is allowed to be mounted automatically; otherwise mounting of the device is refused.
The beneficial effect of the invention is that the embedded system is effectively protected and hardware devices are prevented from being illegally replaced.
Brief description of the drawings
Fig. 1 is a flowchart of the trust verification method for hot-plug devices in this embodiment;
Fig. 2 is a flowchart of the login step in this embodiment;
Fig. 3 is a flowchart of the real-time monitoring step in this embodiment.
Embodiment
In what follows, a device verified as trusted is called a trusted device, and a device verified as not trusted is called an untrusted device. To mark each device uniquely, the device's vendor ID and product ID are used to distinguish devices, because each hardware device leaves the factory with a unique vendor ID and product ID. When the user runs the login program, all currently inserted devices are verified using this unique identification code group, to ensure that they are all trusted devices; otherwise the user's login request is refused, so that an untrusted device cannot harm the system. When a hardware device is inserted while the system is running, the same identification code group is used to verify whether the device is trusted; if it is found to be untrusted, it should be dealt with promptly to prevent it from harming the system.
The user's steps when using the method are as follows:
Step a: power on and run the login program, which verifies all currently inserted hot-plug devices. If every device passes verification, i.e. all current devices are trusted, go to step b; if verification fails, login is refused and the login program is run again;
Step b: after a successful login, a background daemon is started that monitors hot-plug device insertion in real time and performs trust verification on inserted devices;
Step c: when the daemon detects a device insertion, it consults the device information in the device database to verify the device. If the device is verified as trusted, it is allowed to mount; if it is verified as untrusted, mounting is refused.
The login program in the invention wraps the original command-line login program of the embedded system and adds a hardware trust verification module. During an actual login, the hardware trust verification module runs first; only after verification passes is the original login operation of the embedded system executed. If an untrusted device is found during verification, the user is refused login.
In the invention, the identification code groups of trusted devices are stored together in a designated device database on the system. To protect the contents of this database and prevent the identification code groups of trusted devices from being read illegally, the device database is encrypted with the AES algorithm in CBC mode. During verification the database is first decrypted, then the identification code group of the inserted device is obtained and matched against the contents of the system's device database (the devices the system has verified as trusted). If the match succeeds, the inserted device is verified as trusted; if the identification code group of the inserted device matches no record in the device database, the inserted device is untrusted. Finally, once verification is complete, the database should be encrypted again to prevent its contents from being read illegally.
On an ordinary user's system, for convenience and a better user experience, hot-plug devices such as USB flash drives are generally mounted automatically to a designated directory when inserted. In the invention, however, to protect the system and its data, devices that have not undergone trust verification are refused mounting: automatic mounting is disabled, and devices are mounted selectively during verification. A device verified as trusted is mounted automatically; a device verified as untrusted is refused mounting so that it cannot harm the system, i.e. the system does not respond to the untrusted device.
The invention is further described below with reference to the drawings, taking the Linux operating system as an example:
Monitoring by the background daemon in this embodiment is built on NETLINK. NETLINK is dedicated to asynchronous communication between the Linux kernel and user space; using this built-in Linux mechanism, a special socket is created and monitored for data passed from the kernel. When a new device is inserted, the kernel first detects the insertion and uses NETLINK to send the message to the special socket; the program reads from the socket and thereby learns that a new device has been inserted.
In this method, devices are verified in two parts: hardware replacement trust verification during login, and hardware replacement trust verification while the system is running. The basis of the verification function is an encrypted device database storing the identification code groups of all devices trusted by the current system. Because each device has a unique identification code group made up of a vendor ID and a product ID, the database is built with each device's identification code group as the primary key, so that each trusted device is uniquely identified. On this basis, when hardware replacement trust verification is performed, the contents of the device database are read and matched against the identification code group of the inserted device, and the result of the match determines whether the inserted device is trusted or untrusted. As shown in Fig. 1, the user's steps when using the method are:
Step 101: after the user powers on the system, the login program runs first. This login program wraps the original Linux command-line login command and adds hardware trust verification before the login operation is executed. To ensure that the user logs in to the system securely, all currently inserted hot-plug devices must be verified before the actual login operation; only when all devices have been verified as trusted is the user allowed to log in, and step 102 is executed;
Fig. 2 is the flowchart of the login program with the hardware trust verification module. After the user enters the login program, the hardware trust verification module runs first. The program first decrypts the encrypted device database, then loops over the currently inserted hot-plug devices, obtaining each device's identification code group and matching it against the records in the device database. If a device matches, it is mounted automatically to the designated directory and the next device is verified; when all devices have been verified as trusted, the original Linux login operation is executed. If a device is found to be untrusted, automatic mounting of that device is refused, the login operation is refused, and verification of the remaining devices stops; the user is allowed to log in only after removing all untrusted devices. Finally, after verification and before the login operation is executed, the device database should be encrypted again to prevent its contents from being read illegally.
Step 102: after the user logs in successfully, a background daemon for hardware replacement trust verification is started. While the system is running, this process monitors hot-plug insertion events in real time, performs trust verification on inserted devices, and handles each device according to the result. The process uses the NETLINK mechanism to listen for device insertion. Because NETLINK is built into Linux, it is simple and convenient to program against. First, a special file descriptor (socket) of type NETLINK_KOBJECT_UEVENT in the AF_NETLINK protocol family is created; then the setsockopt function is used to let this file descriptor (socket) reuse the port; next the bind function is used to bind the process to this special file descriptor (socket); finally the recv function is called to receive the data passed from the Linux kernel. When a device is inserted, the kernel sends a message to this special file descriptor (socket); that is, when the daemon receives data from the kernel, a device insertion event has been detected, and step 103 is executed.
Step 103: the daemon from step 102 monitors hardware device insertion in real time; when it reads data passed from the kernel on the special socket, a new hot-plug device has been inserted. The process then performs trust verification on the newly inserted device: if the device is verified as trusted, it is allowed to mount automatically; if it is verified as untrusted, mounting is refused.
Fig. 3 is the flowchart of the background daemon that performs hardware replacement trust verification. As shown, when the daemon detects that a new device has been inserted, it first decrypts the device database, then obtains the identification code group of the inserted device and matches it against the records in the device database. If a matching record is found, the device is trusted by the system and is allowed to mount automatically; if no matching record is found in the device database, the device is untrusted and automatic mounting is refused. Finally, once verification is complete, the device database must be encrypted again to prevent the information in it from being read illegally; the database is not operated on again until the daemon next detects a new device insertion.
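The monitoring and matching flow of Steps 102 and 103, sketched in C as an added example; this is not code from the patent. It assumes a plaintext table (constructed IDs) standing in for the decrypted device database, reads the IDs from the kernel's PRODUCT= uevent field, and leaves mounting to the caller. Beyond the text, it drops netlink messages not sent by the kernel and refuses insertions that carry no parsable ID.

```c
/* Added example, not code from the patent. IDs and events are constructed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

enum verdict { IGNORE, ALLOW_MOUNT, REFUSE_MOUNT };
struct dev_id { unsigned vendor, product; };

/* Stand-in for the decrypted device database (constructed values). Vendor and
 * product IDs are reported by the device and name a model, not a single unit. */
static const struct dev_id trusted_db[] = { {0x0781, 0x5567}, {0x0951, 0x1666} };

static int is_trusted(unsigned vendor, unsigned product)
{
    for (size_t i = 0; i < sizeof trusted_db / sizeof trusted_db[0]; i++)
        if (trusted_db[i].vendor == vendor && trusted_db[i].product == product)
            return 1;
    return 0;
}

/* A kernel uevent is "action@devpath\0KEY=VALUE\0KEY=VALUE\0...". USB device
 * events carry PRODUCT=<vendor>/<product>/<bcdDevice> in hexadecimal. */
static enum verdict check_uevent(const char *buf, size_t len)
{
    int is_add = 0, is_usb = 0, is_device = 0, have_id = 0;
    unsigned vendor = 0, product = 0, bcd = 0;

    for (size_t off = 0; off < len; ) {
        const char *kv = buf + off;
        const char *end = memchr(kv, '\0', len - off);
        if (!end)                       /* unterminated field: malformed */
            return IGNORE;
        if (strcmp(kv, "ACTION=add") == 0) is_add = 1;
        else if (strcmp(kv, "SUBSYSTEM=usb") == 0) is_usb = 1;
        else if (strcmp(kv, "DEVTYPE=usb_device") == 0) is_device = 1;
        else if (sscanf(kv, "PRODUCT=%x/%x/%x", &vendor, &product, &bcd) == 3)
            have_id = 1;
        off += (size_t)(end - kv) + 1;
    }
    if (!is_add || !is_usb || !is_device)
        return IGNORE;                  /* not a USB device insertion */
    if (!have_id)
        return REFUSE_MOUNT;            /* fail closed when the ID is missing */
    return is_trusted(vendor, product) ? ALLOW_MOUNT : REFUSE_MOUNT;
}

/* The sequence from Step 102: socket, setsockopt, bind (recv is in main). */
static int open_uevent_socket(void)
{
    struct sockaddr_nl addr = { .nl_family = AF_NETLINK, .nl_groups = 1 };
    int on = 1;
    int fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
    if (fd < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    char buf[8192];
    int fd = open_uevent_socket();
    if (fd < 0) { perror("uevent socket"); return 1; }
    for (;;) {
        struct sockaddr_nl src;
        socklen_t slen = sizeof src;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&src, &slen);
        if (n < 0) { perror("recvfrom"); break; }
        if (src.nl_pid != 0)            /* accept only messages from the kernel */
            continue;
        enum verdict v = check_uevent(buf, (size_t)n);
        if (v != IGNORE)                /* mounting itself is left to the caller */
            printf("%s: %s\n", buf, v == ALLOW_MOUNT ? "allow mount" : "refuse mount");
    }
    close(fd);
    return 1;
}
```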
As the basis of the verification function, the device database must be kept secure, because it stores the identification code groups of the devices trusted by the current system. To prevent this data from being used illegally, this embodiment encrypts the device database with the AES algorithm in cipher block chaining (CBC) mode; the advantage of this mode is good security, as it is not easily subject to active attack. AES is a block cipher: the algorithm divides the device database into blocks of 128 bits and then encrypts all the blocks with a 128-bit key, finally producing the encrypted device database. Because encryption and decryption of the database are encapsulated in the verification operation, that is, in the login program and in the background daemon that performs hardware replacement trust verification, a user in user space sees only the encrypted database and cannot obtain the contents of the device database.

Claims (3)

1. A trust verification method for hot-plug devices, characterized in that it comprises the following steps:
Login step: after the embedded system is powered on, the hardware trust verification module decrypts the locally stored encrypted device database, obtains the identification codes of the hot-plug devices already inserted, and matches them against the trusted device identification codes recorded in the device database. If all inserted hot-plug devices pass verification, the device database is re-encrypted, the system login operation is executed, and the inserted hot-plug devices are allowed to be mounted automatically; otherwise the system login operation is refused, and hot-plug devices that did not pass verification are not mounted;
Real-time monitoring step: after a successful login, when the hardware replacement trust verification module detects in real time that a hot-plug device has been inserted, it decrypts the locally stored encrypted device database, obtains the identification code of the newly inserted hot-plug device, and matches it against the trusted device identification codes recorded in the device database. If the newly inserted device passes verification, the device database is re-encrypted and the device is allowed to be mounted automatically; otherwise mounting of the device is refused.
2. The trust verification method for hot-plug devices according to claim 1, characterized in that the encryption uses the Advanced Encryption Standard (AES) algorithm in cipher block chaining (CBC) mode.
3. The trust verification method for hot-plug devices according to claim 1, characterized in that the operating system of the embedded system is Linux.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510063560.6A CN104636655A (en) 2015-02-06 2015-02-06 Credibility verifying method of hot plug device

Publications (1)

Publication Number Publication Date
CN104636655A true CN104636655A (en) 2015-05-20

Family

ID=53215395

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510063560.6A Pending CN104636655A (en) 2015-02-06 2015-02-06 Credibility verifying method of hot plug device

Country Status (1)

Country Link
CN (1) CN104636655A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150520
